North Korean hackers pose ‘Hidden Risk’ for crypto-related businesses

The North Korean threat actor, known as BlueNoroff, has been observed targeting cryptocurrency-related businesses with a new multi-stage malware designed specifically for macOS systems, in a campaign called ‘Hidden Risk’.

The attack chain begins with a phishing email containing crypto-related news and subjects, made to appear as if forwarded by a cryptocurrency influencer. The email contains a summary of an academic paper called ‘Bitcoin ETF: Opportunities and Risk’ which is a copy of a legitimate paper previously published by the University of Texas. The email contains a link to view the full paper, which leads to a BlueNoroff-controlled domain hosting an app called ‘The Hidden Risk behind new surge of Bitcoin Price’.

When a target downloads the app, which was signed with a legitimate but now revoked Apple developer ID, a hidden macOS malware payload installs, creating a persistent backdoor. This backdoor gives attackers access to the infected system by exploiting macOS security configurations, allowing remote command execution and data exfiltration.

Additionally, the notarized Apple developer credentials help bypass macOS's defenses, keeping the malware active and undetected on the device.

Be the first to know of emerging threats.

Sign up to get our analysts' insights on emerging cyberattacks, vulnerabilities, and more sent straight to your inbox.

Sign up

According to researchers, the campaign has been running for over a year. It’s use of direct phishing differs from North Korean hackers’ usual practice of approaching targets via social media to establish a certain level of trust before sending them the weaponized email.

Source: Bleeping Computer

Analysis

BlueNoroff is a subset of North Korea’s Lazarus Group particularly focused on financial theft and often targets cryptocurrency and blockchain-related entities. The group uses advanced phishing tactics, malware, and backdoor programs to monitor high-value targets over long periods, ultimately intercepting and altering cryptocurrency transactions to siphon funds. The group is known for its involvement in several high-profile heists, including exploiting financial institutions and cryptocurrency platforms in ways that often blend sophisticated cyber intrusion techniques with financial manipulation.

North Korea has of history of engaging in ransomware and other cybercriminal activities primarily to generate revenue critical for sustaining its government amid economic sanctions and limited global trade.

For example, in October 2024, Play ransomware was observed being deployed immediately after North Korea’s Reconnaissance General Bureau (RGB), codenamed Andariel, had infiltrated a victim’s network. Both Andariel’s initial access and the deployment of the Play ransomware was facilitated by the same compromised user credentials, suggesting the group either deployed the ransomware themselves, or acted as an initial access broker.

Either way, the incident demonstrates North Korean threat actors are willing to go further than simply conducting espionage activities in pursuit of revenue generation.

Mitigation

Field Effect’s Security Intelligence professionals constantly monitor the cyber threat landscape for emerging threats emanating from nation-state threat groups such as BlueNoroff and Lazarus.

Field Effect MDR users are automatically notified if activity associated with these groups is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.

Field Effect users are encouraged to submit suspicious emails to Field Effect’s Suspicious Email Analysis Service (SEAS) to ensure they are benign before clicking links or opening an attachment.

Related Articles

• North Korean hackers use new macOS malware against crypto firms
• North Korean hackers, posing as IT workers, extorting Western firms
• Lazarus targets aerospace and energy job seekers