A new form of macOS malware is being used by devious North Korean hackers

Hacker silhouette working on a laptop with North Korean flag on the background
(Image credit: Getty Images)

  • BlueNoroff seen targeting crypto businesses with new piece of malware
  • The malware establishes persistence and opens up a back door
  • It can download additional payloads, run Shell commands, and more

Devious North Korean state-sponsored threat actors known as BlueNoroff have been spotted deploying a brand new piece of malware to attack their victims.

Cybersecurity researchers SentinelLabs sounded the alarm on the new campaign, noting BlueNoroff is a subgroup of Lazarus, an infamous North Korean organization that mostly targets cryptocurrency businesses and individuals in the West. It is attributed with some of the biggest crypto heists in history.

Usually, the group would “groom” their victims on social media, before deploying any malware. In this campaign, however, they’ve decided for a more direct approach.

Hidden Risk

As SentinelLabs explains, BlueNoroff targets its victims, mostly crypto businesses, with a phishing email seemingly forwarded from a crypto influencer.

The email contains fake news about the latest developments in the cryptocurrency sector, in the form of a .PDF file that redirects victims to a website under the attackers’ control. That website will sometimes serve a benign Bitcoin ETF document, and sometimes a malicious file called “Hidden Risk Behind New Surge of Bitcoin Price.app”.

The name is taken from a genuine academic paper from the University of Texas, the researchers added. The entire campaign is thus named “Hidden Risk”.

The malware comes in multiple stages. The first stage is a dropper app, signed with a valid Apple Developer ID, which was revoked in the meantime. This dropper will download a decoy PDF file which should keep the victim busy while the second-stage payload is deployed in the background.

This payload is called “growth”, and its goal is to establish persistence and open up a back door to the infected device. It only works on macOS devices, running on Intel or Apple silicon, with the Rosetta emulation framework. The final stage is to check in with the C2 server for new commands every minute, which include downloading and running additional payloads, running shell commands, or terminating the process.

The campaign has been active for at least a year, the researchers said.

Via BleepingComputer

You might also like

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
North Korean flag with a hooded hacker
North Korean hackers are posing as software development recruiters to target freelancers
Image depicting a hand on a scanner
New Lazarus Group campaign sees North Korean hackers spreading undetectable malware through GitHub and open source packages
A digital representation of a lock
Looking for a new job? Watch out you don't fall for this new malware scam
A concept image of someone typing on a computer. A red flashing danger sign is above the keyboard and nymbers and symbols also in glowing red surround it.
North Korean Lazarus hackers launch large-scale cyberattack by cloning open source software
Illustration of a laptop with a magnifying glass exposing a beetle on-screen
This devious macOS malware is evading capture by using Apple's own encryption
Image of laptop infected with malware threat
This devious new macOS malware disguises itself as Chrome, Zoom installers
Latest in Security
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
Broadcom warns of worrying security flaws affecting VMware tools
URL phishing
HaveIBeenPwned owner suffers phishing attack that stole his Mailchimp mailing list
Ransomware
Cl0p resurgence drives ransomware attacks to new highs in 2025
cybersecurity
Chinese government hackers allegedly spent years undetected in foreign phone networks
Data leak
A major Keenetic router data leak could put a million households at risk
Code Skull
Interpol operation arrests 300 suspects linked to African cybercrime rings
Latest in News
Xbox Series X and Xbox wireless controller set to a green background
Xbox Insiders are currently testing a new Game Hub feature that looks useful, but I've got mixed feelings about it
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
Broadcom warns of worrying security flaws affecting VMware tools
Microsoft Surface Laptop and Surface Pro devices on a table.
Hate Windows 11’s search? Microsoft is fixing it with AI, and that almost makes me want to buy a Copilot+ PC
Oura Ring 4
Activity tracking on Oura Ring is about to get a whole lot better, but I've got bad news about your step count
Google Pixel Buds Pro 2
Cleaned your Pixel Buds Pro 2 recently? If not, you might be getting worse sound
Google Maps on a phone being held in someone's hand
Google Maps is getting two key upgrades, for easier route planning and quicker access to Gemini AI