Inside the BlueNoroff Web3 macOS Intrusion Analysis
Essential information
- Published
- 19/06/2025 07:38
- Modified
- 23/06/2025 20:19
- Tags
- 2025-06-19 apt cryptobot cryptocurrency dprk injectwithdyld macos process injection root troy v4 social engineering stealer telegram 2 web3 xscreen
- Related entities
- 18 observables, 1 intrusion sets (apt), 16 techniques (mitre), 1 others
Description
A detailed analysis of a sophisticated intrusion targeting a cryptocurrency foundation employee is presented. The attack, attributed to the North Korean APT group BlueNoroff, began with a social engineering lure via Telegram, leading to the installation of malicious software disguised as a Zoom extension. The intrusion involved multiple stages of malware deployment, including persistent implants, backdoors, keyloggers, and cryptocurrency stealers. The attackers utilized advanced techniques such as process injection on macOS and leveraged various tools to collect sensitive information, particularly focusing on cryptocurrency-related data. The analysis covers the initial access vector, technical details of the malware components, and their functionalities, providing insights into the evolving tactics of state-sponsored threat actors targeting macOS systems.