North Korean state-sponsored group BlueNoroff, a subgroup of the Lazarus Group, has launched a new malware campaign dubbed "Hidden Risk" that targets cryptocurrency and DeFi businesses. SentinelLabs researchers found that the campaign, active since at least July 2024, uses phishing emails carrying fake crypto-news headlines and a link to what appears to be a PDF, in order to get victims to click through.
The link delivers a Swift-based Mac application, signed in October 2024, that is disguised as a PDF. Once opened, it installs a backdoor named "growth" on both Intel and Apple silicon machines. The backdoor collects system information, communicates with attacker-controlled servers, and persists by appending itself to the user's ~/.zshenv file. Zsh reads that file for every session, interactive or not, so the implant is relaunched each time a shell starts rather than only at system boot.
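The .zshenv persistence described above is easy to audit, because the hook has to sit in plain text in a file the user owns. The following shell script is an added example, not SentinelLabs' tooling or a published indicator set: its regular expression is an assumption about what a shell startup hook tends to look like (a binary launched from a hidden directory, nohup or a trailing `&`, a download tool called from an rc file), and the sample file it scans is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not SentinelLabs' code): heuristic scan of zsh startup files
# for lines that could be a persistence hook of the kind used by "growth".
# ~/.zshenv is sourced by every zsh process, interactive or not, so anything
# appended to it runs each time a shell (or a script that uses zsh) starts.

# Patterns are assumptions, not published indicators:
#  - a path through a hidden directory (/.something/)
#  - backgrounding via nohup, a trailing '&', or output sent to /dev/null
#  - network fetch or scripting tools a shell rc file has no business calling
SUSPICIOUS_RE='(^|[[:space:];&|(])(nohup|curl|wget|osascript|base64)[[:space:]]|/\.[A-Za-z0-9_-]+/[^[:space:]]*|&[[:space:]]*$|>/dev/null'

# Print matching non-comment lines with their line numbers, one per finding.
suspicious_lines() {
    file="$1"
    [ -r "$file" ] || return 0
    grep -nE "$SUSPICIOUS_RE" "$file" | grep -vE '^[0-9]+:[[:space:]]*#'
}

# Number of findings, so callers get a value rather than only output.
count_suspicious() {
    suspicious_lines "$1" | wc -l | tr -d ' '
}

# Walk the startup files a macOS user should look at after a suspected compromise.
scan_user_startup_files() {
    for f in "$HOME/.zshenv" "$HOME/.zshrc" "$HOME/.zprofile" /etc/zshenv; do
        n=$(count_suspicious "$f")
        [ "$n" -gt 0 ] && printf '%s: %s suspicious line(s)\n' "$f" "$n"
    done
    return 0
}

# Constructed sample: an ordinary-looking .zshenv with one appended hook.
# The hidden path and binary name are invented for the example.
make_sample() {
    tmp=$(mktemp)
    cat >"$tmp" <<'EOF'
# user environment
export PATH="$HOME/bin:$PATH"
export EDITOR=vim
alias ll='ls -la'
nohup "$HOME/.config/.hidden/update" >/dev/null 2>&1 &
EOF
    printf '%s\n' "$tmp"
}

# Stand-alone run: scan the constructed sample, then the real startup files.
sample=$(make_sample)
suspicious_lines "$sample"
rm -f "$sample"
scan_user_startup_files
```

A hit from this scan is a reason to look, not a verdict: a legitimate tool can put a line in .zshenv too. The signing side of the story can be checked directly on the downloaded bundle with `codesign -dv --verbose=4 App.app` and `spctl --assess --type execute -vv App.app`, which report the Developer ID and whether the app is notarized; a valid, notarized signature on something that arrived as a "PDF" link in an email is itself the warning sign.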
The attack shows BlueNoroff shifting to more polished tradecraft, in particular signing the dropper with a valid Apple Developer ID and getting it notarized, so Gatekeeper lets it run without the warning an unsigned app would trigger. The campaign's infrastructure overlaps with previously attributed BlueNoroff operations, using providers such as Namecheap and Quickpacket for hosting, and it shares a User-Agent string with the group's "RustBucket" malware. Cryptocurrency businesses and macOS users should treat unexpected "PDF" links with suspicion, verify who actually sent a message before opening anything it points to, and avoid installing applications from unknown sources; a valid Apple signature is not by itself proof that an app is benign. Continued vigilance matters, because North Korean-backed groups keep refining their macOS malware and remain a significant threat to the cryptocurrency sector.