Bluenoroff Threat Actor Intelligence Profile

Tracking started: a year ago, last updated: Fri Mar 22 2024, uuid: a6566669-591a-4ab7-b704-5f93cb4668ed

Bluenoroff Description

Generated from Cybergeist context a month ago. This description is learned from the associations listed below.
BlueNoroff, a subgroup of the Lazarus Group, is tracked as a significant threat actor by security firms such as Kaspersky. This North Korean state-sponsored group is financially motivated and primarily targets financial institutions: banks, casinos, fintech companies and cryptocurrency businesses, along with point-of-sale ("POST" in Kaspersky's wording) software and ATMs. It has been linked to substantial thefts, including the theft of roughly $400 million in cryptocurrency. The group also ran an elaborate social-engineering campaign against startups that delivered malware capable of draining all cryptocurrency tied to the compromised device. In 2023 BlueNoroff expanded its tooling with malware written in Rust (the RustBucket family, reported by Jamf Threat Labs), the first time the group had been observed using that language, and it has since repeatedly targeted macOS users specifically; ObjCShellz, a simple backdoor that opens a remote shell on the compromised Mac, was later identified as part of the same RustBucket campaign. Malware attributed to the group shares similarities with the KANDYKORN (also known as SockRacket) family, which has also been attributed to BlueNoroff. In a separate investigation, the security firm SlowMist traced malware downloaded through a malicious link back to BlueNoroff. Together these findings underline the sophistication and persistence of this actor in conducting intrusions and financial theft on a global scale.
Bluenoroff STIX 2.1 Package Preview
STIX package updated a month ago
The preview is a relationship graph; the names it records, grouped by kind:
Threat actor: Bluenoroff, with recorded aliases Stardust Chollima, Sapphire Sleet, TA444 and CryptoCore
Related threat actors: Lazarus, Andariel
Related malware: ObjCShellz, SockRacket, RustBucket, KandyKorn
Sources: CERT-EU, Krebs on Security, Security Affairs, Cybergeist
Referenced reports: "Experts spotted a new macOS Backdoor named SpectralBlur linked to North Korea"; "Calendar Meeting Links Used To Spread Mac Malware" (Slashdot); "Calendar Meeting Links Used to Spread Mac Malware"; "Hackers Exploit Calendly Links to Spread Malware on macOS"
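The STIX 2.1 package is only previewed here. As an added example (not the Cybergeist package or any vendor's code), the following Python encodes the names and associations this profile records as STIX 2.1 objects using only the standard library, and checks the result the way a consumer should before loading it into a TIP: every id is well-formed and its type prefix matches the object type, there are no duplicate ids, malware objects carry the required is_family property, and every relationship resolves to an object in the bundle with a relationship type the spec defines for that source/target pair. The timestamps, the uuid5 namespace and the primary_motivation value are assumptions of the example, not data from the page.

```python
"""Encode this profile's names and associations as a STIX 2.1 bundle and check it.

Added example, not the Cybergeist package itself. Ids are derived with uuid5
from a fixed namespace so the output is reproducible; the page's profile uuid
is not reused because STIX ids belong to individual objects.
"""
import json
import re
import uuid

_NS = uuid.UUID("6ba7b810-9dad-11d1-80b4-00c04fd430c8")  # constructed namespace (assumption)
_TS = "2024-03-22T00:00:00.000Z"  # the profile's "last updated" date
# STIX 2.1 identifier: <type>--<uuid>; the type part never contains "--".
_ID_RE = re.compile(r"^([a-z][a-z0-9]*(?:-[a-z0-9]+)*)--"
                    r"([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$")
# Pairings the spec defines for the object types used here; "related-to" is
# allowed between any two SDOs, so it is added at check time.
_DEFINED = {("threat-actor", "malware"): {"uses"}}


def _id(obj_type, key):
    return f"{obj_type}--{uuid.uuid5(_NS, obj_type + ':' + key)}"


def sdo(obj_type, name, **extra):
    """A STIX Domain Object with the common properties STIX 2.1 requires."""
    obj = {"type": obj_type, "spec_version": "2.1", "id": _id(obj_type, name.lower()),
           "created": _TS, "modified": _TS, "name": name}
    obj.update(extra)
    return obj


def relationship(src, rel_type, dst):
    """A STIX Relationship Object linking two SDOs by id."""
    key = src["id"] + ":" + rel_type + ":" + dst["id"]
    return {"type": "relationship", "spec_version": "2.1", "id": _id("relationship", key),
            "created": _TS, "modified": _TS, "relationship_type": rel_type,
            "source_ref": src["id"], "target_ref": dst["id"]}


def build_bundle():
    """The profile's actor, its aliases, sibling actors and malware as one bundle."""
    bluenoroff = sdo("threat-actor", "BlueNoroff",
                     aliases=["Stardust Chollima", "Sapphire Sleet", "TA444", "CryptoCore"],
                     primary_motivation="financial-gain")  # open-vocab value (assumption)
    lazarus = sdo("threat-actor", "Lazarus Group")
    andariel = sdo("threat-actor", "Andariel")
    families = [sdo("malware", "RustBucket", is_family=True),
                sdo("malware", "ObjCShellz", is_family=True),
                sdo("malware", "KANDYKORN", is_family=True, aliases=["SockRacket"])]
    rels = [relationship(bluenoroff, "related-to", lazarus),
            relationship(bluenoroff, "related-to", andariel)]
    rels += [relationship(bluenoroff, "uses", m) for m in families]
    objects = [bluenoroff, lazarus, andariel, *families, *rels]
    return {"type": "bundle", "id": _id("bundle", "bluenoroff-profile"), "objects": objects}


def check_bundle(bundle):
    """Return a list of problems; an empty list means the bundle is self-consistent."""
    problems, by_id = [], {}
    for obj in bundle["objects"]:
        m = _ID_RE.match(obj.get("id", ""))
        if not m or m.group(1) != obj.get("type"):
            problems.append(f"bad id {obj.get('id')!r} for type {obj.get('type')!r}")
            continue
        if obj["id"] in by_id:
            problems.append(f"duplicate id {obj['id']}")
        by_id[obj["id"]] = obj
        if obj["type"] == "malware" and "is_family" not in obj:
            problems.append(f"{obj['id']} lacks the required is_family property")
    for obj in bundle["objects"]:
        if obj.get("type") != "relationship":
            continue
        src, dst = by_id.get(obj.get("source_ref")), by_id.get(obj.get("target_ref"))
        if src is None or dst is None:
            problems.append(f"{obj['id']} references an object that is not in the bundle")
            continue
        allowed = _DEFINED.get((src["type"], dst["type"]), set()) | {"related-to"}
        if obj.get("relationship_type") not in allowed:
            problems.append(f"{obj['id']}: {src['type']} {obj.get('relationship_type')} "
                            f"{dst['type']} is not a defined pairing")
    return problems


def aliases_of(bundle, name):
    """Aliases recorded for the named object, or [] if it has none."""
    for obj in bundle["objects"]:
        if obj.get("name") == name:
            return list(obj.get("aliases", []))
    return []


if __name__ == "__main__":
    bundle = build_bundle()
    print(json.dumps(bundle, indent=2))
    print("problems:", check_bundle(bundle) or "none")
```

Running the script prints the bundle as JSON followed by the check result. The referential-integrity check matters in practice: a package exported with relationships whose source_ref or target_ref points at an object that was filtered out (for example, an alias node the exporter deduplicated) loads without error in many tools but silently loses the association.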

Bluenoroff Association List

The following associations have been automatically determined. Expand a row to see the evidence. Votes are added automatically when the same assertion is recorded from different sources, or are updated by human users.
Associated Object | Association Type | Threat Class
Lazarus Group | Threat Actor, relatedTo | unspecified
Context provided by 9 Sources
Checkpoint Research
Krebs on Security
BankInfoSecurity (published by Information Security Media Group, ISMG)
MITRE

Recent statements about Bluenoroff

Recent statements allow a quick snapshot for understanding how this object is evolving. Click the row to see the full report context
Earlier this week, Jamf Threat Labs' security researchers linked BlueNoroff to new ObjCShellz macOS malware used to backdoor targeted Macs by …
North Korea-linked BlueNoroff hackers, believed to be a subgroup of the Lazarus cybercrime cluster, have been observed targeting Apple Mac devices with a new macOS malware family called “RustBucket.” “[RustBucket] communicates with command and contro…
Earlier this month, Microsoft warned that the infamous Lazarus Group sub-cluster referred to as Sapphire Sleet …
Such an approach represents a departure from BlueNoroff's direct or link-based distribution of malicious payloads hosted on GitHub and other legitimate websites, which may have stemmed from online services' accelerated identification and removal of m…
BlueNoroff, unlike other constituent entities of the Lazarus Group, is known for its sophisticated cyber-enabled heists targeting the SWIFT…
BlueNoroff APT Targeting macOS with ObjCShellz Malware
The threat intelligence company also found that BlueNoroff set up many typosquatting domains that mimicked the genuine domains of "entities involved in fund management and venture fund, crypto assets and blockchain, located in Europe, Asia and North …
They call the gang BlueNoroff. "A financially motivated threat actor closely connected with Lazarus that targets banks, casinos, fin-tech companies, POST software and cryptocurrency businesses, and ATMs," Kaspersky wrote …
The experts noticed that the ObjCShellz malware shares similarities with the RustBucket malware campaign associated with the BlueNoroff …
“Each sub-group operates its own campaigns and develops and deploys bespoke malware against their targets, not necessarily working in full coordination.” Andariel a Long-Time Threat: Andariel has been around since at least 2009 and in 2019 was sanctio…
Despite this, Jamf is confident that the malware belongs to BlueNoroff.
“Although fairly simple, this malware is still very functional and will help attackers carry out their objectives. This seems to be a theme with the latest malware we’ve seen coming from this APT group,” Saljooki wrote. “Based on previous attacks per…
The attacks, carried out by the BlueNoroff group and detected by us in 2022, were aimed primarily at FinTech companies working with cryptocurrency.
The North Korean-backed BlueNorOff threat group targets Apple customers with new macOS malware tracked as ObjCShellz that can open remote shells on compromised devices.
Novel social engineering attack infrastructure established by BlueNoroff (SC Staff, Novembe…)
“Based on previous attacks performed by BlueNoroff, we suspect that this malware was a late stage within a multi-stage malware delivered via social engineering. Jamf Threat Labs tracks this malware as ObjCShellz and as part of the RustBucket campaign…
"The usage of this domain greatly aligns with the activity we've seen from BlueNorOff in what Jamf Threat Labs tracks as the Rustbucket campaign," the security researchers said …
In December 2022, Kaspersky researchers reported that BlueNoroff is targeting cryptocurrency-related financia…
FBI also attributed the largest crypto hack ever, the hack of Axie Infinity's Ronin network bridge …
Documents discussing Bluenoroff
Relevance score is determined via Machine Learning, to identify what documents could be most valuable to read
Created at | Title (open original source)
a year ago | Lazarus Under The Hood
a year ago | Treasury Sanctions North Korean State-Sponsored Malicious Cyber Groups
a year ago | North Korea-linked BlueNoroff is behind RustBucket Mac Malware
a year ago | North Korea's BlueNoroff Group Targets macOS Systems
a year ago | North Korean Hackers Target Mac Users With New ‘RustBucket’ Malware
5 months ago | Lazarus-Linked BlueNoroff APT Targets macOS with ObjCShellz Malware
5 months ago | BlueNoroff hackers backdoor Macs with new ObjCShellz malware
a year ago | Lazarus Subgroup Targeting Apple Devices with New RustBucket macOS Malware
a year ago | North Korea-linked BlueNoroff APT is behind the new RustBucket Mac Malware | IT Security News
5 months ago | Microsoft: BlueNoroff hackers plan new crypto-theft attacks
3 months ago | Experts spotted a new macOS Backdoor named SpectralBlur linked to North Korea
5 months ago | North Korea's BlueNoroff APT Debuts 'Dumbed Down' macOS Malware
9 months ago | Experts detected a new variant of RUSTBUCKET macOS malware
5 months ago | North Korea-linked APT BlueNoroff used new macOS malware ObjCShellz
5 months ago | North Korea-linked BlueNoroff's macOS malware variant targets financial firms
a year ago | North Korean hackers target Mac devices with RustBucket malware
a year ago | North Korean BlueNoroff hackers have gone hard after Apple computers and laptops in their latest attacks (title translated from Russian)
5 months ago | New MacOS Malware Linked to North Korean Hackers
5 months ago | Beware of BlueNoroff: Mac users targeted with new malware variant - 9to5Mac
5 months ago | North Korea-linked APT Sapphire Sleet targets IT job seekers
Associated Indicators (126)