
Beneath the Belly of the Latest BlueNoroff Attack: A DNS Investigation

Huntress was alerted to the recent BlueNoroff attack when an end-user reported potentially downloading a malicious Zoom extension on 11 June 2025. As it turned out, the malware came disguised as a Calendly meeting invite from a supposed contact sent via Telegram. Ironically, although the link hinted at a Google Meet page, clicking it took the user to a threat actor-controlled fake Zoom domain. That triggered the download of a malicious AppleScript whose final payload was the malware.

The researchers identified four domains and three URLs as indicators of compromise (IoCs) from which we derived seven domains for further analysis. Our bid to uncover more potentially connected artifacts notably led to the discovery of:

  • Three domains tagged likely to turn malicious by First Watch Malicious Domains Data Feed 72 to 281 days prior to the attack’s discovery
  • 16 email-connected domains
  • Six IP addresses, all turned out to be malicious
  • 13 IP-connected domains, one turned out to be malicious
  • 21,617 string-connected domains, 95 turned out to be malicious

A sample of the additional artifacts obtained from our analysis is available for download from our website.

A Closer Look at the IoCs

We began our investigation by querying the seven domains identified as IoCs on Bulk WHOIS API. We discovered that all of them had current WHOIS records that allowed us to determine that:

  • They were created between 2 August 2023 and 31 March 2025, leading us to infer that BlueNoroff did not discriminate in terms of domain age given that the attack was discovered on 11 June 2025.
  • All of them were administered by Namecheap and registered in Iceland.

Next, we queried the seven domains identified as IoCs on DNS Chronicle API and found that all of them had historical domain-to-IP resolutions. All in all, they resolved to 45 IP addresses over time with the oldest resolution for awaitingfor[.]site to 162[.]255[.]119[.]131 recorded on 3 August 2023. Take a look at more details below.

DOMAIN IoC             | TOTAL NUMBER OF DOMAIN-TO-IP RESOLUTIONS | FIRST DOMAIN-TO-IP RESOLUTION DATE
firstfromsep[.]online  | 15                                       | 4 September 2024
readysafe[.]xyz        | 7                                        | 11 January 2025
safeupload[.]online    | 7                                        | 12 January 2025

We then sought to find out if any of the seven domains identified as IoCs have been dubbed “likely to turn malicious” as soon as they were created by querying them on First Watch. We discovered that three of them were found as such before they were reported as malicious to Huntress on 11 June 2025. Here are the details.

DOMAIN IoC             | DATE ADDED TO FIRST WATCH | NUMBER OF DAYS DUBBED “LIKELY TO TURN MALICIOUS” PRIOR TO 11 JUNE 2025
firstfromsep[.]online  | 3 September 2024          | 281
safeupload[.]online    | 11 January 2025           | 151
us05web-zoom[.]biz     | 31 March 2025             | 72

It is also worth noting these characteristics about the seven domains identified as IoCs:

  • Three of them had the text string safe and sported either the gTLD .xyz or .online.
  • One of them had the string zoom (the actual application target) and sported the gTLD .biz.
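The IoC profiling above (First Watch lead time before the 11 June 2025 discovery, plus the naming traits of the domains) is easy to automate for any indicator list. The script below is an added example and not WhoisXML API's code or output: the First Watch dates are the ones quoted in the tables above, while the defang/refang handling, the brand and lure string lists, and the triage ordering are assumptions of this example.

```python
"""Triage the IoC domains quoted in the post: restore the defanged names, measure how
long First Watch had tagged each one "likely to turn malicious" before the 11 June 2025
discovery, and extract the naming traits the post calls out. Added example, not WhoisXML
API code; the dates come from the post's tables, everything else is constructed."""
from __future__ import annotations

from datetime import date

DISCOVERY_DATE = date(2025, 6, 11)  # day the end-user report reached Huntress (from the post)

# First Watch "date added" values from the post; None where the post quotes none.
FIRST_WATCH_DATES = {
    "firstfromsep[.]online": date(2024, 9, 3),
    "safeupload[.]online": date(2025, 1, 11),
    "us05web-zoom[.]biz": date(2025, 3, 31),
    "readysafe[.]xyz": None,
    "awaitingfor[.]site": None,
}


def refang(domain: str) -> str:
    """Turn the published 'name[.]tld' notation back into a resolvable hostname."""
    return domain.replace("[.]", ".").strip().lower()


def defang(domain: str) -> str:
    """Inverse of refang, for writing indicators back out in the safe notation."""
    return refang(domain).replace(".", "[.]")


def lead_time_days(domain: str, discovery: date = DISCOVERY_DATE) -> int | None:
    """Days between First Watch tagging the domain and the attack's discovery."""
    tagged = FIRST_WATCH_DATES.get(defang(domain))
    return None if tagged is None else (discovery - tagged).days


def naming_traits(domain: str) -> dict:
    """Cheap lookalike signals: brand string, lure string, low-cost gTLD (assumed lists)."""
    host = refang(domain)
    label, _, tld = host.rpartition(".")
    return {
        "tld": tld,
        "brand_strings": [b for b in ("zoom", "calendly", "meet") if b in label],
        "lure_strings": [s for s in ("safe", "upload", "ready") if s in label],
        "cheap_gtld": tld in {"xyz", "online", "biz", "site"},
    }


def triage(domains: list[str]) -> list[dict]:
    """One record per IoC, longest First Watch lead time first, untagged ones last."""
    rows = [
        {"domain": defang(d), "lead_days": lead_time_days(d), **naming_traits(d)}
        for d in domains
    ]
    rows.sort(key=lambda r: (r["lead_days"] is None, -(r["lead_days"] or 0)))
    return rows


if __name__ == "__main__":
    for row in triage(list(FIRST_WATCH_DATES)):
        print(row)
```

Feeding the triage output into a blocklist or a DNS-log search gives the earliest-flagged domains first, which is where the detection gap was largest.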

The Hunt for Connected Artifacts

After learning more about the IoCs, we moved on toward finding more connected artifacts. We began by querying the seven domains identified as IoCs on WHOIS History API. We learned that only one of them had email addresses in its historical WHOIS records. Specifically, the domain had two email addresses although only one was a public email address.

A Reverse WHOIS API query for the public email address from current WHOIS records did not turn up results. As such, we queried historical WHOIS records and obtained 16 email-connected domains after filtering out those already identified as IoCs.

Next, we queried the seven domains identified as IoCs on DNS Lookup API and discovered that six of them had current domain-to-IP resolutions. In particular, they resolved to six unique IP addresses.

A Threat Intelligence API query for the six IP addresses showed that they were all malicious. Take a look at three examples below.

MALICIOUS IP ADDRESS  | ASSOCIATED THREAT
104[.]168[.]136[.]231 | Malware distribution
142[.]11[.]196[.]220  | Malware distribution
192[.]119[.]116[.]231 | Malware distribution

We then queried the six IP addresses on Bulk IP Geolocation Lookup and found that they were all geolocated in the U.S. under the administration of Hostwinds.

After that, we queried the six IP addresses on Reverse IP API and discovered that all of them could be dedicated hosts. Altogether, they hosted 13 IP-connected domains after those already identified as IoCs and the email-connected domains were filtered out.
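The pivots in this section (WHOIS history to public email to reverse WHOIS, then current DNS to IP to reverse IP to threat intelligence, filtering out artifacts already known at each step) follow a fixed pattern that can be scripted. The code below is an added example and is not WhoisXML API's code or live output: the lookup tables are constructed stand-ins for the API responses, the connected domains use the reserved .example TLD, the IP addresses are TEST-NET addresses, and the "dedicated host" threshold is an assumption of this example.

```python
"""Expand seed IoC domains into connected artifacts, reproducing the pivots in the post
(WHOIS history -> reverse WHOIS; DNS lookup -> reverse IP -> threat intel) over
constructed stand-in records. Added example, not WhoisXML API code or real data."""

# Seeds are IoC domains quoted in the post (refanged). Everything below is constructed.
SEED_IOCS = ["readysafe.xyz", "safeupload.online", "us05web-zoom.biz"]

# domain -> (email, is_public) pairs seen in its historical WHOIS records (constructed)
WHOIS_HISTORY = {
    "readysafe.xyz": [("registrant@mail.example", True), ("redacted@privacy.example", False)],
}
# email -> domains whose historical WHOIS records carry that email (constructed)
REVERSE_WHOIS_HISTORY = {
    "registrant@mail.example": ["readysafe.xyz", "safeupload.online",
                                "dl-update.example", "meet-invite.example"],
}
# domain -> current A records (TEST-NET addresses, constructed)
DNS_LOOKUP = {
    "readysafe.xyz": ["192.0.2.10"],
    "safeupload.online": ["192.0.2.10"],
    "us05web-zoom.biz": ["192.0.2.20"],
}
# ip -> every domain currently pointing at it (constructed)
REVERSE_IP = {
    "192.0.2.10": ["readysafe.xyz", "safeupload.online", "dl-update.example", "zoom-fix.example"],
    "192.0.2.20": ["us05web-zoom.biz", "calendly-sync.example"],
}
# artifact -> threat verdict (constructed)
THREAT_INTEL = {
    "192.0.2.10": "Malware distribution",
    "192.0.2.20": "Malware distribution",
    "zoom-fix.example": "Malware distribution",
}


def public_emails(seeds):
    """Public (non-redacted) registrant emails from the seeds' WHOIS history."""
    emails = set()
    for domain in seeds:
        emails.update(e for e, is_public in WHOIS_HISTORY.get(domain, []) if is_public)
    return emails


def email_connected_domains(seeds):
    """Reverse WHOIS on each public email, minus the seeds themselves."""
    found = set()
    for email in public_emails(seeds):
        found.update(REVERSE_WHOIS_HISTORY.get(email, []))
    return sorted(found - set(seeds))


def resolve_seeds(seeds):
    """Unique IPs the seeds currently resolve to."""
    ips = set()
    for domain in seeds:
        ips.update(DNS_LOOKUP.get(domain, []))
    return sorted(ips)


def ip_connected_domains(ips, known):
    """Reverse IP on each address, minus everything already in the known set."""
    found = set()
    for ip in ips:
        found.update(REVERSE_IP.get(ip, []))
    return sorted(found - set(known))


def likely_dedicated(ip, max_tenants=5):
    """Heuristic (assumed threshold): few co-hosted domains suggests a dedicated host."""
    return len(REVERSE_IP.get(ip, [])) <= max_tenants


def malicious_subset(artifacts):
    """Artifacts the threat-intel table has a verdict for."""
    return sorted(a for a in artifacts if a in THREAT_INTEL)


def expand(seeds):
    """Run the full pivot chain; each step filters out what earlier steps produced."""
    email_conn = email_connected_domains(seeds)
    ips = resolve_seeds(seeds)
    known = set(seeds) | set(email_conn)
    ip_conn = ip_connected_domains(ips, known)
    return {
        "email_connected": email_conn,
        "ips": ips,
        "malicious_ips": malicious_subset(ips),
        "dedicated_ips": [ip for ip in ips if likely_dedicated(ip)],
        "ip_connected": ip_conn,
        "malicious_ip_connected": malicious_subset(ip_conn),
    }


if __name__ == "__main__":
    for key, value in expand(SEED_IOCS).items():
        print(f"{key}: {value}")
```

The filtering order matters: reverse IP on a shared host returns every tenant, so subtracting the seeds and the email-connected set first keeps the counts from double-counting the same domain across pivots, which is why the post reports the IP-connected figure "after those already identified as IoCs and the email-connected domains were filtered out".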

This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
