Zooming through BlueNoroff Indicators with Validin
2025-06-20 • Validin
https://www.validin.com/blog/zooming_through_bluenoroff_pivots/
Validin pivots from Huntress-reported BlueNoroff infrastructure tied to a targeted Web3 intrusion that used Telegram and a fake Zoom extension to compromise a cryptocurrency organization. The investigation starts with support[.]us05web-zoom[.]biz, which often resolved to 8.8.8.8 but briefly exposed patterns that led to related Zoom-, meeting-, and conference-themed domains across multiple TLDs. DNS history, host connections, RDP certificates, and HTTP certificate pivots linked the cluster to IPs including 23.254.247[.]53, 23.254.247[.]32, and 23.254.244[.]248, some previously associated with DPRK activity. The research expands the suspected BlueNoroff campaign from one lure domain to nearly 200 likely related domains and hundreds of subdomains, giving defenders infrastructure patterns for proactive tracking of fake meeting-extension operations.
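As an added illustration of the pivot workflow summarized above (this is not code from the Validin post or its tooling), the following Python sketch expands from a seed domain through passive-DNS records to co-hosted domains, skipping the 8.8.8.8 resolutions that fan out to unrelated sites and only continuing the pivot through Zoom-, meeting- and conference-themed names. The PDNS records, the THEME tokens, the fanout threshold and the `example-placeholder` domains are constructed assumptions for the demonstration; the domain and IP values are taken from the post's indicator list, but their pairings here are illustrative.

```python
from collections import deque

# Constructed passive-DNS sample: (domain, resolved_ip). The domains and IPs are
# from the post's indicator list, but these pairings are illustrative, not the
# post's actual DNS history. example-placeholder.* stand in for unrelated sites.
PDNS = [
    ("support.us05web-zoom.biz", "8.8.8.8"),          # usual, uninformative answer
    ("support.us05web-zoom.biz", "23.254.247.53"),    # brief exposure worth pivoting on
    ("us02web-zoom.com", "23.254.247.53"),
    ("us02web-zoom.com", "23.254.247.32"),
    ("secure-meeting.xyz", "23.254.247.32"),
    ("shop.example-placeholder.com", "23.254.247.53"),  # unrelated co-hosted tenant
    ("cdn.example-placeholder.net", "8.8.8.8"),         # reachable only via the noisy IP
]

NOISY_IPS = {"8.8.8.8"}                  # public resolver / parking: links everything
THEME = ("zoom", "meet", "conference")   # naming pattern the post's cluster shares
MAX_FANOUT = 25                          # more tenants than this means shared hosting

def themed(domain):
    """True if the name uses the meeting-lure vocabulary (assumed token list)."""
    return any(t in domain.lower() for t in THEME)

def pivot(seed, pdns, max_depth=2):
    """Breadth-first domain -> IP -> domain expansion from one seed.

    Noisy IPs are ignored, high-fanout IPs are dropped, and only themed domains
    are used as new pivots; unthemed co-hosts are kept as leaves for review.
    Returns {domain: {ips that link it to the cluster}}.
    """
    related, seen, queue = {}, {seed}, deque([(seed, 0)])
    while queue:
        dom, depth = queue.popleft()
        if depth >= max_depth:
            continue
        for ip in {ip for d, ip in pdns if d == dom and ip not in NOISY_IPS}:
            hosted = {d for d, i in pdns if i == ip}
            if len(hosted) > MAX_FANOUT:
                continue
            for d in hosted - {seed}:
                related.setdefault(d, set()).add(ip)
                if d not in seen and themed(d):
                    seen.add(d)
                    queue.append((d, depth + 1))
    return related

def report(seed, pdns):
    """Split pivot results into themed candidates and unthemed co-hosts."""
    rel = pivot(seed, pdns)
    hits = {d: sorted(ips) for d, ips in rel.items() if themed(d)}
    cohosts = {d: sorted(ips) for d, ips in rel.items() if not themed(d)}
    return hits, cohosts
```

The unthemed co-hosts are returned separately rather than discarded, since on real data they are where a shared-hosting false positive or a genuinely related but differently named domain would show up.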
Indicators of Compromise