BlueNoroff Unleashes Fileless PowerShell & GPT-4o Deepfakes: 66‑Day Cryptographic Heist Exposed + Video

Listen to this Post

Featured Image

Introduction:

The North Korean APT group BlueNoroff (a subdivision of Lazarus) has demonstrated a terrifying leap in social engineering by marrying AI‑generated video lures with fileless PowerShell malware. In a campaign revealed by Arctic Wolf, attackers compromised a North American Web3 company for 66 days entirely in memory, using fake Zoom calls populated with deepfakes created with GPT‑4o and Adobe Premiere. This article dissects the technical execution chain from typosquatted Calendly invites to memory‑resident C2, provides step‑by‑step detection and hardening guidance for Windows/Linux environments, and offers actionable threat hunting queries.

Learning Objectives:

  • Understand the multi‑stage attack flow: social engineering → clipboard hijacking (ClickFix) → fileless PowerShell → AI‑enhanced persistence.
  • Learn how to detect and block in‑memory PowerShell implants, process injection into browsers, and live webcam exfiltration.
  • Acquire hands‑on techniques using Sysmon, PowerShell logging, EDR rules, and YARA for memory scanning.

You Should Know:

  1. Weaponized ClickFix: How “SDK Deprecated” Becomes a Fileless Breach

The attack begins with a realistic fake Zoom meeting page. After the victim joins, a pop‑up states: “SDK is deprecated — click Update Now”. This invokes a Clipboard Hijacking technique (ClickFix). The user is instructed to copy a seemingly benign command (e.g., ping 8.8.8.8 -n 5), but a malicious JavaScript intercepts the clipboard event and replaces it with a base64‑encoded PowerShell loader.

Step‑by‑step guide – What it does and how to detect it:
1. Execution – The victim pastes the replaced command into Run (Win+R) or PowerShell.
2. Payload – The decoded PowerShell downloads and executes a PowerShell downloader directly into memory, never touching disk.
3. Consequences – C2 beaconing, AES‑encrypted browser injection (Chrome/Edge), credential harvesting from crypto wallets, and live webcam exfiltration via Telegram Bot API.

Detection methods (Windows & Linux):

  • Monitor PowerShell command lines: Use Sysmon Event ID 1 and look for `-EncodedCommand` with large base64 strings.
    Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; ID=4104} | Where-Object {$_.Message -match 'powershell. -e '}
    
  • Check for clipboard modifications: Enable clipboard auditing (Windows 11/Server 2022) via Event ID 1317 (Clipboard log).
  • On Linux, if a cross‑platform variant appears, monitor `bash` history for suspicious `curl … | bash` patterns.
    grep -E "curl.|.sh|wget.|.sh" /home//.bash_history
    
  1. Fileless PowerShell Implant – Memory‑Only C2 and AES Browser Injection

Once executed, the fileless PowerShell chain establishes a persistent C2 channel entirely in RAM. The implant uses AES‑encrypted shellcode injected into legitimate browser processes to steal session tokens, cryptocurrency wallet extensions, and corporate credentials.

Step‑by‑step guide – How to locate in‑memory implants:

  1. Check PowerShell module logging – Event ID 4104 will log the script block, even if no file is written.
    Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; ID=4104} | Select-Object -First 20 | Format-List
    
  2. Scan for reflective DLL injection – Use Volatility/DumpIt to capture memory dumps.
    Linux (memfd_create detection)
    ls -l /proc//fd/ | grep '/memfd:' 
    Windows (process hollowing detection)
    Get-Process -Name chrome, edge | Select-Object -ExpandProperty Modules | Where-Object {$_.ModuleName -notlike ".dll"}
    
  3. Deploy YARA rules for memory scanning – Scan running processes for known BlueNoroff payload patterns.
    yara64.exe -s bluenoroff_rule.yar --pid 1234 
    

  4. AI‑Generated Deepfakes: Produced from Stolen Webcam Feeds & GPT‑4o

The most audacious innovation: BlueNoroff steals the live webcam feed of each victim during the fake call, then repurposes it to generate future lures. Arctic Wolf discovered over 950 media files on attacker servers, including footage re‑processed in Adobe Premiere Pro and AI‑generated headshots using ChatGPT’s GPT‑4o model.

Step‑by‑step guide – Defending against video‑based social engineering:

  • Restrict camera access by default: Group Policy for Windows → disable camera for all non‑verified meeting domains.
  • Detect unauthorized camera stream capture – Monitor for `win32kbase.sys` or `ks.sys` calls from non‑browser processes.
    Get-Process | Where-Object {$_.Modules -match 'win32kbase.sys'} | Select-Object ProcessName, Id
    
  • Train users to verify meeting origins – Always re‑check the full URL; typosquatted domains (e.g., `uu03webzoom.us` instead of zoom.us) are a giveaway.
  • Use deepfake detection tools – Browser extensions like Resemble AI’s free deepfake detector or Incode Deepsight can flag synthetic video participants in real time.
  1. Infrastructure Analysis & IoC Blocking – 80+ Typosquatted Domains

BlueNoroff registered dozens of fake Zoom/Teams domains between late 2025 and March 2026 – e.g., uu03webzoom.us, teams-live.org, bitlayer.teams-meet.us. These domains were hosted on a handful of IPs:

`104.145.210.107`, `83.136.209.22`, `83.136.208.246`, `188.227.197.32`

Step‑by‑step guide – Blocking and hunting for infrastructure:

  • Add the above IPs to your perimeter firewall and endpoint EDR blocklists.
  • Query DNS logs for any of these domains:
    Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-DNS-Client/Operational'} | Where-Object {$_.Message -match 'uu03webzoom|teams-live|bitlayer.teams-meet'}
    
  • Windows host file enforcement – Push a GPO that redirects known bad domains to `127.0.0.1` or a sinkhole.
  • Linux – block via /etc/hosts or iptables:
    for ip in 104.145.210.107 83.136.209.22 83.136.208.246 188.227.197.32; do iptables -A INPUT -s $ip -j DROP; iptables -A OUTPUT -d $ip -j DROP; done
    
  1. Rapid Compromise – Under 5 Minutes from Click to Persistence

Arctic Wolf’s telemetry shows full system compromise within five minutes of the victim clicking the malicious link. The timeline:
1. Victim lands on fake Zoom page (0–15 sec).
2. Clipboard hijack + paste of fileless PowerShell (30 sec).

3. C2 beaconing and credential theft (2 min).

  1. Browser process injection & wallet scanning (4 min).

Step‑by‑step guide – Rapid response & containment:

  • Block PowerShell execution in constrained language mode for non‑admin users – Group Policy: Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell" -Name "ScriptBlockLogging" -Value 1.
  • Enable AMSI (Antimalware Scan Interface) in depth: Ensure `amsi.dll` is loaded in all PowerShell processes.
    Get-Process | Where-Object {$_.Modules -match 'amsi.dll'} | Select-Object ProcessName
    
  • Deploy “Ban on Copy-Pasting from Web to Run Dialog” via Windows Defender Application Control (WDAC) – block `powershell.exe -Command` and `cmd.exe /c` from untrusted sources.
  • Linux – disable `curl | bash` patterns through AppArmor or SELinux policies that restrict shell execution of downloaded content.
  1. Persistence Without Files – Entirely Memory‑Resident for 66 Days

The BlueNoroff implant achieved persistence by living off the land – it never wrote any file to disk, making it invisible to traditional AV scans. Persistence was achieved by embedding the payload into a scheduled task that triggered a one‑liner PowerShell command (again, never touching disk).

Step‑by‑step guide – Uncover memory‑resident persistence:

  • Audit scheduled tasks for any that invoke PowerShell without a script path.
    Get-ScheduledTask | Where-Object {$<em>.Actions -like 'powershell' -and $</em>.Actions -notlike '.ps1'} | Select-Object TaskName, Actions
    
  • Monitor the registry run keys for suspicious silent execution.
    Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    
  • Use memory acquisition tools (Velociraptor, WinPmem) to dump and scan for RSA private keys or wallet data held only in RAM.
  1. Hardening Against AI Voice/Video Deepfakes in Enterprise Collaboration Tools

Since BlueNoroff uses stolen video + GPT‑4o to generate fake participants, organizations must treat video meeting links as a new attack vector.

Step‑by‑step guide – Technical and policy controls:

  • Always verify meeting links via a secondary channel (Slack, Teams, phone). Never rely solely on a calendar invite.
  • Configure browser group policy to block camera/microphone access unless explicitly whitelisted for .zoom.us, .teams.microsoft.com.
  • Deploy an AI‑powered deepfake detection plugin for Chrome (e.g., Resemble AI’s extension) on all endpoints of high‑value employees.
  • Enable verbose webcam access logging in Windows (Event ID 5632 for camera). Hunt for camera access by unknown processes.

What Undercode Say:

  • BlueNoroff proves that fileless malware + AI social engineering can defeat traditional defenses and persist for months.
  • Live webcam exfiltration transforms each victim into a weapon for the next campaign – a self‑reinforcing deep‑fake pipeline.
  • The only reliable detection is memory forensics, PowerShell script block logging, and process injection monitoring on every endpoint.
  • Organizations must block clipboard hijacking by disabling paste into Run dialog for non‑administrators, and enforce strict AMSI policies.
  • Incident responders should immediately add the 80+ typosquatted domains and 4‑5 IPs to blocklists.
  • Future attacks will inevitably use generative AI to automate the entire social engineering chain – training must evolve to treat any unsolicited meeting invitation as hostile.

Prediction:

Within 18 months, AI‑generated deepfakes will become the primary initial access vector for financially motivated APTs. Traditional email phishing will decline, replaced by real‑time voice/video scams using GPT‑5‑class models. Enterprises will need mandatory multi‑factor verification of any remote meeting, and EDR products will incorporate real‑time deepfake detection as a core feature, or risk being bypassed entirely.

▶️ Related Video (86% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Mayura Kathiresh – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky