BlueNoroff — the infamous North Korean hacker group responsible for a string of phishing and cybersecurity attacks since 2019 — is targeting crypto firms with a new malware that attacks MacOS computers.

According to a report from SentinelLabs, the malware operation nicknamed "Hidden Risk" is spread through PDF files in multiple stages. The threat actors use fake news headlines and legitimate crypto market research to lure in unsuspecting individuals and companies.

Once the user downloads the PDF file, a seemingly legitimate decoy PDF is downloaded and opened, while the malware downloads as a separate file on the MacOS desktop in the background.

This malware package contains a number of functions designed to give the hackers a backdoor to remotely access a victim's computer to steal sensitive information including private keys for digital asset wallets and platforms.

A map of the BlueNoroff exploit. Source: SentinelLabs

FBI issues warning about North Korean hackers

The United States Federal Bureau of Investigation (FBI) issued several warnings about BlueNoroff, the broader Lazarus hacking group, and other malicious actors with ties to the North Korean regime over the past several years.

In April 2022, the law enforcement agency and the Cybersecurity and Infrastructure Security Agency (CISA) sounded the alarm and advised crypto firms to take precautionary steps to mitigate the risks posed by the state-sanctioned hacking groups.

Following the warning, BlueNoroff initiated another phishing campaign in December 2022 targeting companies and banks. The threat actors created more than 70 fraudulent domain names designed to disguise the hackers as legitimate venture capital firms to gain access to the target victim's computers and steal funds.

More recently, in September 2024, the FBI revealed that the Lazarus Group was once again using social engineering schemes to steal crypto. The FBI explained that the hackers targeted employees at centralized exchanges and decentralized finance firms with fraudulent job offers.

The goal of the phishing operation was to build relationships with the target victims and foster trust. Once sufficient trust was established, the victims were directed to click a malicious link posing as employment tests and applications, which compromised their systems and drained any desktop wallets of funds.

Magazine: India mulls new crypto ban to support CBDC, Lazarus Group strikes again: Asia Express