Bluenoroff

Threat Actor updated 13 days ago (2024-11-08T12:27:03.264Z)
BlueNoroff is a North Korea-linked threat actor tracked as a financially motivated subgroup of the Lazarus Group; vendors also refer to it as APT38, Alluring Pisces, Sapphire Sleet, Stardust Chollima and TA444. Lazarus first made headlines with the 2014 attack on Sony Pictures, and the BlueNoroff subgroup has since been tied to many of the financially motivated incidents attributed to the wider cluster, including heists against banks, intrusions into cryptocurrency businesses and ATM cash-out schemes, carried out with a high level of sophistication and varied tradecraft. Andariel is a sibling subgroup under the same Lazarus umbrella rather than a part of BlueNoroff.

The year 2024 began with the detection of a new macOS Trojan, SpectralBlur, tentatively attributed to BlueNoroff and another instance of the group targeting businesses in the crypto industry with multi-stage malware. In a more recent escalation, BlueNoroff developed and deployed malware written in Rust for the first time, and ran an elaborate phishing campaign aimed at startups that distributed malware designed to drain all cryptocurrency tied to a victim's device. To support this activity the group registered domains through Namecheap and hosted crypto-themed infrastructure with providers such as Quickpacket, Routerhosting and Hostwinds.

SentinelLabs researchers link this activity to a campaign tracked as "Hidden Risk", in which fake cryptocurrency news emails deliver a malicious macOS application disguised as a PDF. Analysis of the campaign's network infrastructure strengthens the attribution to BlueNoroff.

This ongoing activity underscores the threat BlueNoroff poses to entities operating in the financial and cryptocurrency sectors. The practical checks follow directly from the tradecraft: treat unsolicited crypto-themed documents with suspicion, verify that an attachment or download is actually a document rather than an application bundle before opening it, and monitor macOS endpoints for newly installed applications launching from user download locations.
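The Hidden Risk lure described above, a macOS application dressed up as a PDF, suggests a simple file-level check that can be run before anyone double-clicks. The script below is an added example written for this page, not code from SentinelLabs, Cybergeist or any vendor: it walks a directory, inspects every .app bundle's Info.plist, and flags bundles whose folder name, display name or icon mimics a document, or that lack the bundle identifier a normally built app carries. The heuristics, the two sample bundles (Notes.app and Market Report Q4.pdf.app) and the com.example.notes identifier are constructed for the demo and are assumptions, not indicators from the campaign. It deliberately does not check code signatures or the quarantine attribute; on a real Mac, codesign and spctl give a stronger signal and should complement these checks.

```python
"""Flag macOS .app bundles that masquerade as documents (added example, not vendor code)."""
import os
import plistlib
import tempfile

# Extensions a lure bundle typically borrows to look like a document. The list and
# every heuristic below are this example's own choices, not a published detection rule.
DOC_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt")


def looks_like_document(name):
    """True if a bundle or display name ends in a document extension (case-insensitive)."""
    return name.lower().endswith(DOC_EXTENSIONS)


def inspect_bundle(bundle_path):
    """Return the reasons a .app bundle looks like a document lure (empty list = nothing found)."""
    reasons = []
    name = os.path.basename(bundle_path.rstrip(os.sep))
    stem = name[:-4] if name.lower().endswith(".app") else name
    if looks_like_document(stem):
        reasons.append("bundle name ends in a document extension: %s" % name)

    plist_path = os.path.join(bundle_path, "Contents", "Info.plist")
    if not os.path.isfile(plist_path):
        reasons.append("no Contents/Info.plist (not a well-formed bundle)")
        return reasons
    try:
        with open(plist_path, "rb") as fh:
            info = plistlib.load(fh)
    except Exception as exc:  # a plist that does not parse is itself worth a look
        reasons.append("Info.plist does not parse: %s" % exc)
        return reasons

    # The name shown in Finder/Dock comes from these keys, so a lure sets them too.
    display = str(info.get("CFBundleDisplayName") or info.get("CFBundleName") or "")
    if display and looks_like_document(display):
        reasons.append("CFBundleDisplayName/CFBundleName mimics a document: %s" % display)

    icon = str(info.get("CFBundleIconFile") or info.get("CFBundleIconName") or "")
    if any(tok in icon.lower() for tok in ("pdf", "preview", "document")):
        reasons.append("icon file name suggests a document icon: %s" % icon)

    if not info.get("CFBundleIdentifier"):
        reasons.append("no CFBundleIdentifier")

    executable = info.get("CFBundleExecutable")
    if not executable:
        reasons.append("no CFBundleExecutable declared")
    elif not os.path.isfile(os.path.join(bundle_path, "Contents", "MacOS", executable)):
        reasons.append("declared executable missing: Contents/MacOS/%s" % executable)
    return reasons


def scan(root):
    """Walk root and return {bundle_path: reasons} for every .app bundle with at least one reason."""
    findings = {}
    for dirpath, dirnames, _ in os.walk(root):
        for d in list(dirnames):
            if d.lower().endswith(".app"):
                dirnames.remove(d)  # do not descend into the bundle itself
                path = os.path.join(dirpath, d)
                reasons = inspect_bundle(path)
                if reasons:
                    findings[path] = reasons
    return findings


def _write_bundle(root, name, info):
    """Create a minimal .app bundle on disk from an Info.plist dict (constructed sample)."""
    bundle = os.path.join(root, name)
    os.makedirs(os.path.join(bundle, "Contents", "MacOS"))
    with open(os.path.join(bundle, "Contents", "Info.plist"), "wb") as fh:
        plistlib.dump(info, fh)
    if info.get("CFBundleExecutable"):
        exe = os.path.join(bundle, "Contents", "MacOS", info["CFBundleExecutable"])
        with open(exe, "wb") as fh:
            fh.write(b"\xcf\xfa\xed\xfe")  # 64-bit Mach-O magic; enough for a file-exists check
    return bundle


def run_demo():
    """Build two constructed bundles in a temp dir, scan them, and return findings keyed by bundle name."""
    with tempfile.TemporaryDirectory() as tmp:
        _write_bundle(tmp, "Notes.app", {
            "CFBundleIdentifier": "com.example.notes",  # fictitious identifier for the benign sample
            "CFBundleName": "Notes",
            "CFBundleExecutable": "Notes",
            "CFBundleIconFile": "AppIcon",
        })
        _write_bundle(tmp, "Market Report Q4.pdf.app", {
            "CFBundleName": "Market Report Q4.pdf",  # constructed lure: document name, PDF icon, no bundle ID
            "CFBundleExecutable": "launcher",
            "CFBundleIconFile": "pdf_icon",
        })
        return {os.path.basename(p): r for p, r in scan(tmp).items()}


if __name__ == "__main__":
    for bundle, reasons in run_demo().items():
        print(bundle)
        for r in reasons:
            print("  -", r)
```

Pointed at a Downloads folder or a mail attachment directory, every flagged bundle comes back with its list of reasons; a hit on the bundle-name rule alone is enough to hold the file until someone has looked at it, since a genuine PDF is never an application bundle.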
Description last updated: 2024-11-07T19:01:55.309Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so these are possible overlapping names and profiles that may also be worth looking at; vote counts are from the shared dataset. Two entries are not aliases in the strict sense: Andariel is a sibling subgroup under the Lazarus umbrella rather than another name for BlueNoroff, and KandyKorn is a malware family attributed to Lazarus rather than a group name.

Sapphire Sleet (3 votes): Sapphire Sleet is Microsoft's name for a North Korea-linked APT group. Its operations are sophisticated and persistent, targetin

Andariel (3 votes): Andariel, a threat actor controlled by North Korea's military intelligence agency, the Reconnaissance General Bureau, conducts cyber espionage and ransomware operations, funding its activities through ransomware attacks that primarily target U.S. healthcare entities. In som

KandyKorn (3 votes): KandyKorn is macOS malware first reported in 2023 and attributed to the Lazarus group; it specifically targets blockchain engineers. The known infection chain begins with social engineering, tricking the victim into downloading a

Stardust Chollima (2 votes): Stardust Chollima is CrowdStrike's name for a threat actor primarily known for financially motivated intrusions and fraud, linked to high-profile attacks since 2015. Stardust Chollima has been associated with the f

TA444 (2 votes): TA444 is Proofpoint's name for this cluster, also tracked as BlueNoroff, APT38, Nickel Gladstone, Sapphire Sleet and Stardust Chollima. It is a prolific North Korean state-backed threat actor that continuously generates proprietary malware, distinguishing it from other

CryptoCore (2 votes): CryptoCore, also tracked as UNC1069, is a name for the same North Korea-linked cluster as Sapphire Sleet, APT38, BlueNoroff and CageyChameleon, which operates as a subgroup of the Lazarus group. The

Sockracket (2 votes): Sockracket is listed as a possible alias for BlueNoroff.
Miscellaneous Associations
Other elements of context that could aid in identifying relevance: malware, macOS, phishing, backdoor, Windows, APT, Jamf, reconnaissance, dropper, Korean, espionage.
Associated Malware

RustBucket (association type unspecified, 5 votes): RustBucket is macOS malware first reported in 2023 and attributed to the North Korea-linked threat actor BlueNoroff. It has since evolved into multiple varia

ObjCShellz (association type unspecified, 2 votes): ObjCShellz is a lightweight backdoor written in Objective-C, reported by Jamf Threat Labs in November 2023. It functions as a simple remote shell that lets the operator execute arbitrary commands on the infected Mac. It's typic
Associated Threat Actors

APT38 (is related to, 4 votes): APT38, a threat actor suspected to be backed by the North Korean regime, has been responsible for some of the largest cyber heists observed to date, with operations against at least 16 organizations in at least 11 countries, primarily financial institutions. Despite

Lazarus Group (is related to, 4 votes): The Lazarus Group, a North Korean state-sponsored threat actor, is among the most prolific and dangerous cyber threat actors in operation. It has been involved in several high-profile cyber-attacks, including Operation DreamJob in Spain, with the primary objective of funding North K

ScarCruft (association type unspecified, 2 votes): ScarCruft, also known as APT37, InkySquid, RedEyes, Reaper or Group123, is a North Korean state-sponsored threat actor that targets high-value individuals and organizations to further North Korea's geopolitical objectives. The group has shown agility in adopting new malware delivery me

RGB (association type unspecified, 2 votes): RGB is North Korea's Reconnaissance General Bureau, the military intelligence agency under the General Staff of the Korean People's Army to which the DPRK's offensive cyber units are attributed; it has been linked to numerous cyber-attacks against international en
Source Document References
Information about the Bluenoroff threat actor was read from the document corpus below (display limited to 20 results).
Source (created):
InfoSecurity-magazine (13 days ago)
Securityaffairs (14 days ago)
DARKReading (a month ago)
Securelist (a month ago)
Unit42 (2 months ago)
Securelist (6 months ago)
CERT-EU (9 months ago)
CERT-EU (9 months ago)
Krebs on Security (9 months ago)
CERT-EU (10 months ago)
Securityaffairs (10 months ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)