North Korean Cyber Group Targets Cryptocurrency Industry with ‘Hidden Risk’ Malware on macOS
North Korean state-linked cyber espionage group BlueNoroff is escalating attacks against the cryptocurrency sector through a macOS-focused malware campaign tracked as “Hidden Risk.” Identified by SentinelLabs, the campaign uses high-end phishing tactics directed at macOS users in various positions at cryptocurrency exchanges and DeFi platforms. This activity is part of a much bigger strategy by North Korean state-sponsored groups, mainly the Lazarus Group, to generate revenue through illicit means. Altogether, they have allegedly siphoned off around $3 billion across all sectors since 2017.
According to SentinelLabs’ research, BlueNoroff has recently shifted towards using malicious emails, purporting to be updates on cryptocurrency trends or even research reports, to deliver infected PDFs. Upon downloading these files, victims unwittingly trigger a series of malware stages that target their devices. The initial lure appears as legitimate news or research content related to cryptocurrency topics, tricking users into downloading a malicious application that imitates a PDF file. Once installed, this malware bypasses Apple’s built-in security checks, covertly opening a decoy document while simultaneously embedding a backdoor on the victim’s macOS system.
Source: SentinelLabs
The malware’s multi-stage process grants hackers remote access to the infected machine, enabling them to monitor and control user activities and retrieve sensitive data, including private keys for digital wallets—a particularly valuable asset for those handling large volumes of cryptocurrency.
The “Hidden Risk” campaign diverges from BlueNoroff’s traditional methods of targeting victims through social media engagement. Historically, hackers would establish trust with individuals through prolonged interactions on platforms like LinkedIn or Twitter, often using fake profiles to appear credible. In the current campaign, BlueNoroff opts for a direct phishing strategy. The group now deploys emails that appear as urgent market updates or exclusive research findings on topics such as “Hidden Risk Behind New Surge of Bitcoin Price” or “Altcoin Season 2.0—The Hidden Gems to Watch.”
The attackers often impersonate known crypto industry figures or researchers, leveraging the names of real professionals in unrelated fields to further convince recipients of the emails’ authenticity. For instance, one phishing email cited a research paper from a University of Texas academic titled “Bitcoin ETF: Opportunities and Risks,” increasing the likelihood of recipients engaging with the email’s content.
Security Evasion Techniques on macOS
One of the most concerning aspects of the “Hidden Risk” malware is its advanced evasion techniques. The malware is signed with genuine Apple Developer IDs, which allows it to bypass Apple’s Gatekeeper security mechanism, a feature intended to block untrusted software. Additionally, it leverages a rarely exploited feature in the macOS system, modifying the “zshenv” configuration file to maintain persistence. This technique avoids triggering Apple’s background alert notifications, making the malware difficult for users to detect and remove.
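As an added example (not from the article or from SentinelLabs’ report), a POSIX shell audit for the zshenv persistence described above: it flags startup entries that launch background jobs, call download or scripting utilities, or reference temporary and per-app paths. The file list and the heuristic patterns are assumptions about what an unexpected entry looks like, not published indicators.

```shell
#!/bin/sh
# Added detection example; heuristics below are assumptions, not IoCs.
# Files checked: the system and per-user zsh environment files (override
# ZSHENV_PATHS to audit other locations or a copied forensic image).
ZSHENV_PATHS="${ZSHENV_PATHS:-/etc/zshenv $HOME/.zshenv}"

# Print suspicious, non-comment lines from one file.
# Returns 0 if nothing was flagged, 1 if at least one line was flagged.
audit_zshenv_file() {
    file="$1"
    [ -f "$file" ] || return 0            # missing file: nothing to persist in
    hits=$(grep -nE \
        -e '(^|[^[:alnum:]_])(nohup|curl|wget|osascript|xattr)([^[:alnum:]_]|$)' \
        -e '&[[:space:]]*$' \
        -e '/(tmp|private/tmp|var/tmp|Users/Shared)/' \
        -e 'Library/Application Support/[^[:space:]/]+/[^[:space:]]+' \
        "$file" 2>/dev/null | grep -v '^[0-9]*:[[:space:]]*#' || true)
    if [ -n "$hits" ]; then
        printf '%s: unexpected startup entries\n%s\n' "$file" "$hits"
        return 1
    fi
    return 0
}

# Audit every file in ZSHENV_PATHS; returns 1 if any file was flagged.
audit_all_zshenv() {
    rc=0
    for f in $ZSHENV_PATHS; do
        audit_zshenv_file "$f" || rc=1
    done
    return $rc
}
```

Run `audit_all_zshenv` from a scheduled job or an EDR custom script and alert on a non-zero exit; review flagged lines against the baseline rather than treating every hit as malicious.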
SentinelLabs’ research also revealed that hackers could potentially acquire or hijack valid Apple developer accounts, enabling them to repeatedly bypass macOS’s security features. This development poses a significant security threat to the industry, especially as many users in the crypto and financial sectors increasingly rely on macOS for daily operations.
To reinforce credibility, BlueNoroff has created an extensive network of infrastructure that mimics legitimate cryptocurrency and financial service providers. Domains linked to platforms such as Web3 and DeFi companies have been registered using reputable domain registrars, including Namecheap. The hackers also employ automated marketing tools to circumvent spam filters, ensuring that phishing emails reach their targets. Among the hosting providers involved are Quickpacket, Routerhosting, and Hostwinds, which BlueNoroff leverages to host its malicious infrastructure.
Rising Global Concern and FBI Warnings
U.S. authorities have taken notice of North Korean cyber activities targeting the crypto industry. The Federal Bureau of Investigation has issued advisories to crypto companies, warning them of the escalated threat posed by North Korean-backed groups like BlueNoroff. In a recent bulletin, the FBI noted a rise in phishing schemes targeting workers on DeFi platforms, where hackers use lucrative job offers or investment opportunities to dupe victims into downloading malware.
BlueNoroff’s ongoing evolution in cyber tactics highlights a growing risk to the cryptocurrency industry. The shift from complex social media engagements to direct phishing emails represents an adaptive response to cybersecurity awareness and previous law enforcement crackdowns. By capitalizing on macOS vulnerabilities and hijacking valid developer credentials, North Korean threat actors have refined their ability to infiltrate devices and extract sensitive financial data with minimal detection.
Cybersecurity experts recommend that crypto firms and individuals in the industry reinforce their security protocols. Steps such as scrutinizing unexpected email attachments, monitoring for unauthorized changes in system files, and promptly updating macOS can mitigate some of these threats. Firms are also encouraged to conduct regular security audits and educate their teams on identifying phishing schemes. With BlueNoroff’s continued focus on the crypto sector, robust cybersecurity practices are essential to safeguarding digital assets from increasingly advanced cyber threats.