Bluenoroff

Threat Actor updated 4 days ago (2024-09-10T04:17:44.386Z)
BlueNoroff, a threat actor closely associated with the Lazarus hacking group, has been identified as a significant cybersecurity risk. Known for their financially motivated attacks, BlueNoroff targets banks, casinos, fintech companies, POST software and cryptocurrency businesses, and ATMs. They have also developed elaborate phishing campaigns targeting startups and distributing malware to steal cryptocurrency. In December 2023, Kaspersky highlighted their activities, noting that they are a subgroup of the North Korean state-sponsored Lazarus group.

In 2024, BlueNoroff's activities evolved with the introduction of new malicious tools. For the first time, the group utilized Rust for its malware development, resulting in the creation of a macOS malware dubbed "RustBucket." Additionally, a new backdoor named SpectralBlur was detected, tentatively attributed to BlueNoroff. This malware showed similarities to the KANDYKORN (aka SockRacket) family, previously linked to this group.

The group's focus on financial institutions and cryptocurrency-related businesses is particularly concerning. Their malware campaigns have successfully infiltrated these sectors, leading to significant financial losses. The security firm Jamf observed BlueNoroff using the new RustBucket malware specifically to target these entities. Furthermore, the ObjCShellz malware campaign shares similarities with RustBucket, indicating a sustained effort by BlueNoroff to exploit vulnerabilities within these industries.
Description last updated: 2024-09-10T03:18:12.366Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID (votes): Profile description

Sapphire Sleet (3 votes): Sapphire Sleet is a North Korea-linked Advanced Persistent Threat (APT) group known for its malicious activities. As a threat actor, Sapphire Sleet has been identified as the entity behind the execution of actions with harmful intent. The group's operations are sophisticated and persistent, targetin

Kandykorn (3 votes): KandyKorn is a type of malware, first discovered in 2023, that targets macOS systems. Developed by the Lazarus hacking group, this malicious software specifically aims at blockchain engineers. The known infection process begins with social engineering tactics, tricking the victim into downloading a

Andariel (2 votes): Andariel, also known as Jumpy Pisces and Onyx Sleet, is a threat actor primarily involved in cyberespionage and ransomware activities. Originating from North Korea, this group has been linked to several malicious cyber activities alongside other groups like Lazarus Group and Bluenoroff. The group's

Stardust Chollima (2 votes): Stardust Chollima is a recognized threat actor in the cybersecurity industry, primarily known for its malicious activities aimed at acquiring funds. This group has been linked to various high-profile cyber-attacks and fraudulent activities since 2015. Stardust Chollima has been associated with the f

TA444 (2 votes): TA444, also known as BlueNoroff, APT28, Nickel Gladstone, Sapphire Sleet, Stardust Chollima, and other monikers, is a prolific North Korean state-backed threat actor known for its malicious cyber activities. The group has been continuously generating proprietary malware, distinguishing it from other

Cryptocore (2 votes): CryptoCore, also known as UNC1069, is a threat actor linked to the North Korea-associated Advanced Persistent Threat (APT) group, Sapphire Sleet. This group, alternatively referred to as APT38, BlueNoroff, CageyChameleon, and CryptoCore, operates as a subgroup of the notorious Lazarus APT group. The

Sockracket (2 votes): (no profile description)
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Macos
Phishing
Windows
Backdoor
Apt
Jamf
Reconnaissance
Dropper
Korean
Espionage
Associated Malware
ID (type; votes): Profile description

Rustbucket (type: Unspecified; 5 votes): RustBucket is a malicious software (malware) campaign that was first reported in 2023 and has been attributed to the BlueNoroff group, which was initially discovered in 2021. This malware specifically targets macOS systems and is considered a later-stage variant of the original RustBucket malware du

Objcshellz (type: Unspecified; 2 votes): ObjCShellz is a lightweight malware written in Objective-C, known for its advanced obfuscation features. Discovered by Jamf Threat Labs in November 2023, this malware operates as a relatively simple backdoor, serving as a remote shell that allows an attacker to execute arbitrary commands. It's typic
Associated Threat Actors
ID (type; votes): Profile description

APT38 (type: is related to; 4 votes): APT38, a threat actor suspected to be backed by the North Korean regime, has been responsible for some of the largest cyber heists observed to date. The group has conducted operations in over 16 organizations across at least 11 countries, primarily targeting financial institutions worldwide. Despite

Lazarus Group (type: is related to; 4 votes): The Lazarus Group, also known as APT38, is a notorious threat actor believed to be backed by the North Korean regime. This group has been associated with several high-profile cyber attacks and thefts, including the infamous $600 million Ronin sidechain exploit in 2022. Known for their sophisticated

ScarCruft (type: Unspecified; 2 votes): ScarCruft, also known as APT37, Inky Squid, RedEyes, Reaper, or Group123, is a North Korean threat actor group associated with malicious cyber activities. Their actions have been linked to the execution of targeted attacks against individual Android devices, as outlined in a VB2023 paper titled "Int

Rgb (type: Unspecified; 2 votes): RGB is a threat actor group, part of North Korea's Reconnaissance General Bureau (RGB), a military intelligence agency under the General Staff Bureau of the Korean People's Army. Over the years, the RGB has revealed at least six threat groups, including Andariel, also known as Onyx Sleet, formerly P
Source Document References
Information about the Bluenoroff threat actor was read from the documents in the corpus below. This display is limited to 20 results.
Source (created): Title

Unit42 (4 days ago): Threat Assessment: North Korean Threat Groups
Securelist (3 months ago): Non-mobile malware statistics, Q1 2024
CERT-EU (6 months ago): Calendar Meeting Links Used To Spread Mac Malware - Slashdot
CERT-EU (7 months ago): Hackers Exploit Calendly Links to Spread Malware on macOS
Krebs on Security (7 months ago): Calendar Meeting Links Used to Spread Mac Malware
CERT-EU (8 months ago): Experts spotted a new macOS Backdoor named SpectralBlur linked to North Korea
Securityaffairs (8 months ago): Experts spotted a new macOS Backdoor named SpectralBlur linked to North Korea
CERT-EU (9 months ago): New JaskaGO Malware Targets Mac and Windows for Crypto, Browser Data
CERT-EU (9 months ago): Lazarus Group Exploits Log4j Flaw in New Malware Campaign
CERT-EU (9 months ago): Is macOS as secure as its users think?
CERT-EU (9 months ago): BlueNoroff: New Malware Attacking MacOS Users
CERT-EU (9 months ago): U.S. Treasury Sanctions Eight Foreign-Based Agents and North Korean Kimsuky Attackers
CERT-EU (9 months ago): BlueNoroff: new Trojan attacking macOS users – GIXtools
CERT-EU (9 months ago): New BlueNoroff loader for macOS
CERT-EU (9 months ago): North Korea's state hackers stole $3 billion in crypto since 2017
CERT-EU (9 months ago): Kimsuky hacking group faces US sanctions
DARKReading (10 months ago): macOS Malware Mix & Match: North Korean APTs Stir Up Fresh Attacks
CERT-EU (10 months ago): UK, South Korea Warn of North Korea Supply-Chain Attacks
CERT-EU (10 months ago): Microsoft: Lazarus hackers breach CyberLink in supply chain attack
CERT-EU (10 months ago): North Korean Hackers Pose as Job Recruiters and Seekers in Malware Campaigns