Beneath the Belly of the Latest BlueNoroff Attack
2025-07-22 • Whoisxmlapi
WhoisXML API examined a BlueNoroff attack in which victims received a Calendly-themed meeting invite over Telegram that redirected them from an expected Google Meet flow to an actor-controlled fake Zoom domain. The infection chain triggered a malicious AppleScript download and ultimately delivered keylogger malware. The researchers identified four domains and three URLs as IOCs, then expanded the investigation through DNS and ownership relationships to derive seven related domains and more than 1,850 potentially connected artifacts. The activity matters because it shows BlueNoroff blending social engineering, fake collaboration infrastructure, and macOS scripting to compromise targets through routine meeting workflows.
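The summary above describes the IOC expansion only at a high level: start from a handful of confirmed domains, then follow shared DNS and ownership attributes to find related infrastructure. The script below is an added illustration of that pivot, written for this page and not WhoisXML API's own tooling. Every record in it is constructed (placeholder `.example` domains, RFC 5737 documentation IPs, made-up registrant handles); the real IOCs from the report are not reproduced here, and `expand`, `build_index`, `PDNS` and `WHOIS` are names chosen for the example.

```python
"""Bounded breadth-first pivot from seed IOCs over shared resolved IPs and
shared registrant handles. Added example; all data below is constructed."""
from collections import deque

# Constructed passive-DNS style records: domain -> IPs it has resolved to.
PDNS = {
    "seed-fake-zoom.example": ["203.0.113.10"],
    "meet-invite-calendly.example": ["203.0.113.10", "203.0.113.11"],
    "pivot-a.example": ["203.0.113.11"],
    "pivot-b.example": ["198.51.100.5"],
    "unrelated.example": ["192.0.2.77"],
}

# Constructed WHOIS-style ownership records: domain -> registrant handle.
WHOIS = {
    "seed-fake-zoom.example": "registrant-001",
    "meet-invite-calendly.example": "registrant-001",
    "pivot-a.example": "registrant-002",
    "pivot-b.example": "registrant-002",
    "unrelated.example": "registrant-999",
}

# Hypothetical seed: the one domain an analyst has already confirmed.
SEEDS = ["seed-fake-zoom.example"]


def build_index(pdns, whois):
    """Invert the records into attribute -> set(domains) lookups."""
    by_ip = {}
    for domain, ips in pdns.items():
        for ip in ips:
            by_ip.setdefault(ip, set()).add(domain)
    by_reg = {}
    for domain, reg in whois.items():
        by_reg.setdefault(reg, set()).add(domain)
    return by_ip, by_reg


def expand(seeds, pdns, whois, max_hops=2, max_fanout=50):
    """Pivot outward from the seeds.

    max_hops bounds how far from a seed a derived domain may sit, and
    max_fanout skips attributes shared by too many domains (shared hosting,
    privacy-proxy registrants) so one noisy node cannot swallow the graph.
    Returns (derived_domains, edges); each edge records why a domain joined.
    """
    by_ip, by_reg = build_index(pdns, whois)
    seen = {seed: 0 for seed in seeds}   # domain -> hop distance from a seed
    edges = []
    queue = deque(seeds)
    while queue:
        current = queue.popleft()
        hop = seen[current]
        if hop >= max_hops:
            continue
        neighbours = []
        for ip in pdns.get(current, []):
            peers = by_ip[ip]
            if len(peers) <= max_fanout:
                neighbours += [(p, f"ip:{ip}") for p in peers]
        reg = whois.get(current)
        if reg is not None and len(by_reg[reg]) <= max_fanout:
            neighbours += [(p, f"registrant:{reg}") for p in by_reg[reg]]
        for peer, reason in neighbours:
            if peer not in seen:
                seen[peer] = hop + 1
                edges.append((current, peer, reason))
                queue.append(peer)
    derived = {d for d in seen if d not in seeds}
    return derived, edges


if __name__ == "__main__":
    derived, edges = expand(SEEDS, PDNS, WHOIS)
    for src, dst, reason in edges:
        print(f"{src} -> {dst} via {reason}")
    print(f"{len(derived)} derived domain(s): {sorted(derived)}")
```

The two knobs are what keep such a pivot useful: a hop limit stops the walk from drifting into infrastructure that is only coincidentally adjacent, and the fan-out cap drops attributes so common that they carry no attribution signal. Anything the walk returns is a candidate for review, not a confirmed IOC, which is why the report's own wording distinguishes the seven related domains from the larger set of "potentially connected" artifacts.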