7 November 2024

North Korean hackers target crypto firms with new macOS malware in Hidden Risk campaign

A threat actor linked to North Korea has been observed deploying advanced malware designed to compromise cryptocurrency-related businesses in a targeted attack campaign dubbed ‘Hidden Risk’. The campaign, detected and analyzed by the SentinelLabs cybersecurity team, involves a multi-stage malware that infects Apple macOS devices.

The malicious activity has been attributed to BlueNoroff, a threat actor with a history of conducting financially motivated cyberattacks. The group has previously been associated with multiple malware strains, including RustBucket, KANDYKORN, ObjCShellz, RustDoor (Thiefbucket), and TodoSwift.

The most recent campaign likely began in July 2024, using highly customized social engineering tactics. The attackers are using phishing emails that feature fake news headlines about cryptocurrency trends. These emails contain a malicious dropper disguised as a PDF file, tricking users into opening it.

The BlueNoroff threat actors masquerade as job recruiters or corporate investors to gain the trust of their targets over time before deploying malware.

The analysis revealed that the dropper, which is written in the Swift programming language, was signed and notarized with a legitimate Apple developer ID on October 19, 2024. Apple has since revoked this signature.

Once launched, the application opens a decoy PDF from Google Drive to divert attention while simultaneously downloading a second-stage executable from a remote server. The executable, an unsigned Mach-O x86-64 binary, acts as a backdoor, allowing remote commands to be executed on the victim's machine.

The Hidden Risk malware modifies the macOS zshenv configuration file, a persistence technique that has not been previously observed in the wild. Because zshenv is read on every zsh invocation rather than registered as a background item, this lets the malware sidestep Apple’s user notification system, which was introduced in macOS 13 Ventura to alert users when new background items, typically LaunchAgents and LaunchDaemons, are installed.
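A quick way for a defender to audit this persistence path is to inspect the zshenv files that zsh sources on every launch and flag lines that start programs from temporary or hidden user-writable locations. The script below is an added example written for this article and is not code from SentinelLabs or from the malware analysis; the file paths it checks (`/etc/zshenv` and `$ZDOTDIR`/`$HOME/.zshenv`) are the standard zsh locations, and the set of "suspicious" patterns is an assumed heuristic, not an indicator published on the page.

```shell
#!/bin/sh
# Added audit helper (assumption-based heuristic, not the campaign's real indicators).
# zsh reads /etc/zshenv and then $ZDOTDIR/.zshenv (default: $HOME/.zshenv) for
# every shell, so a command planted there runs without a LaunchAgent/LaunchDaemon
# and without triggering the macOS 13 background-item notification.

# Print the zshenv files present on this machine, one per line.
zshenv_candidates() {
  for f in /etc/zshenv "${ZDOTDIR:-$HOME}/.zshenv"; do
    [ -f "$f" ] && printf '%s\n' "$f"
  done
  return 0
}

# Print numbered lines of FILE that reference common hiding spots (temp dirs,
# dot-directories under the home folder, /Library/) or spawn a helper such as
# curl, nohup, osascript or open. Exit status 0 = something flagged, 1 = clean.
zshenv_suspicious_lines() {
  file="$1"
  [ -r "$file" ] || return 1
  grep -nE '(^|[^a-zA-Z0-9_])(/tmp/|/var/tmp/|/private/tmp/|\$HOME/\.|~/\.|/Library/)|(^|[;&|(]|[[:space:]])(curl|nohup|osascript|open)[[:space:]]' "$file"
}

# Scan every candidate file and report findings. Exit status 0 if any file was
# flagged, 1 if all were clean, so the function can drive a monitoring job.
scan_zshenv() {
  found=1
  for f in /etc/zshenv "${ZDOTDIR:-$HOME}/.zshenv"; do
    [ -f "$f" ] || continue
    if out=$(zshenv_suspicious_lines "$f"); then
      printf '%s: suspicious lines\n%s\n' "$f" "$out"
      found=0
    else
      printf '%s: clean\n' "$f"
    fi
  done
  return $found
}

# Run the scan when executed directly (harmless when the file is sourced).
if [ "${1:-}" = "--scan" ]; then
  scan_zshenv
fi
```

Because the notification bypass relies on the file never being registered as a background item, pairing this check with a file-integrity monitor on the two zshenv paths (alerting on any write) is more reliable than pattern matching alone; the heuristic above is meant as a first triage step that a security team can tune to its own environment.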

BlueNoroff has also established an extensive online infrastructure that uses domains and hosting services associated with cryptocurrency and Web3 investments. According to researchers, domains registered through Namecheap and hosted by providers such as Quickpacket, Routerhosting, and Hostwinds were utilized in this campaign.

The campaign has some overlaps with a previous campaign identified in August 2024 by endpoint management firm Kandji. In that campaign, a similar macOS dropper app was used to deploy the TodoSwift malware, which targets cryptocurrency-related companies.
