Huntress was alerted to the recent BlueNorroff attack when an end-user reported potentially downloading a malicious Zoom extension on 11 June 2025. As it turned out, the malware came disguised as a Calendly meeting invite from a supposed contact sent via Telegram.