MalwareUsed by 1 actor

BlueNoroff

BlueNoroff is a DPRK-linked threat cluster referenced here in connection with targeted intrusions, including a Huntress-described attack against a victim organization. In the cited activity, the operators used social engineering during a video-call workflow, including deepfakes and malicious Zoom extensions, after a last-minute switch from Google Meet to Zoom. The victim was instructed to download an "extension" to make Zoom work, and reporting cited in the content states BlueNoroff used deepfakes, backdoor malware, and information stealers in the attack. The content also associates BlueNoroff with campaigns themed around cryptocurrency, including an item titled "Crypto wasted: BlueNoroff’s ghost mirage of funding and jobs," and notes DPRK-aligned targeting of high-value sectors such as Web3 and cryptocurrency. High-confidence behaviors mentioned in the content include social-engineering-led compromise, abuse of business processes to appear legitimate, use of malicious Zoom extensions, deployment of backdoor malware and information stealers, and deepfake-enabled impersonation during remote meetings. The content does not provide specific file hashes, domains, or other concrete IOCs.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

DPRK

Huntress wrote in a recent blog post describing the BlueNoroff targeted attack where threat actors tied to the Democratic People's Republic of Korea (DPRK) compromised a victim organization with malicious Zoom extensions and deepfakes.

via dark readingdarkreading.com

INDICATORS OF COMPROMISE

IOCs tracked for this family

1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app

Hashes

1 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

TypeValueLatest sighting

hash.md5●●●●●●●●●●●●View more in app5 years ago

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

securityaffairsNews

Nov 2, 2025

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 69

BlueNoroff is an APT group known for targeting cryptocurrency organizations through sophisticated malware and social engineering campaigns.

dark readingNews

Aug 4, 2025

MacOS Under Attack: How Organizations Can Counter Rising Threats

A DPRK-attributed macOS-focused intrusion set/campaign described as using social engineering (including deepfakes) and malicious Zoom extensions to compromise victims, then deploying backdoor malware and information stealers; also noted as evolving tooling (including novel loaders) to blend into macOS environments and target high-value sectors like Web3/crypto.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching1

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.