
BlueNoroff

bluenoroff · primary source: MITRE · first observed 2013
KP · DPRK · State-sponsored · High confidence · last cited Oct 31, 2023 · 3y ago

DPRK state-sponsored intrusion set treated by most vendors as the financial-operations subgroup of Lazarus, attributed to the Reconnaissance General Bureau. Responsible for the major SWIFT-network bank heists (Bangladesh Bank 2016, Bancomext / Banco de Chile 2018) and an escalating series of cryptocurrency thefts including the 2022 Ronin Bridge ($625M), 2022 Harmony Horizon Bridge ($100M), and 2024 DMM Bitcoin ($308M) compromises. Operations frequently start with LinkedIn-delivered fake-job lures to engineers at wallet, exchange, or DeFi targets.

Aliases

  • APT38 (Mandiant)
  • Stardust Chollima (CrowdStrike)
  • Sapphire Sleet (Microsoft)
  • COPERNICIUM (Microsoft)
  • TraderTraitor (Other)

Motivations

financial gain

Target sectors

financial · cryptocurrency · defi · venture capital

Target countries

US · JP · KR · GB · DE · SG · VN

Lineage & relationships

Subgroup of: BlueNoroff (this actor) → Lazarus Group (KP · APT)

Diamond Model

Caltagirone / Pendergast / Betz 2013 — four-vertex attribution framework.

Adversary
  • BlueNoroff
  • DPRK
  • financial gain
Infrastructure
  • tp-globa.xyz
  • cloud.dnx.capital
Victim
  • financial
  • cryptocurrency
  • defi
  • US
  • JP
  • +1 more

MITRE ATT&CK techniques

Timeline

5 events
  1. Report · High · 2023-11-01 · Elastic Security Labs

    Elastic Security Labs exposes KANDYKORN macOS intrusion at crypto exchange

    Elastic Security Labs published 'Elastic catches DPRK passing out KANDYKORN,' describing a Lazarus-cluster intrusion (tracked as REF7001) against blockchain engineers at a cryptocurrency exchange. Operators impersonated community members on Discord and delivered a Python 'arbitrage bot' that staged the SUGARLOADER and HLOADER components and ultimately deployed the KANDYKORN backdoor for remote command execution and file operations.

    macos · kandykorn · cryptocurrency · discord
  2. Report · High · 2023-04-21 · Jamf Threat Labs

    Jamf Threat Labs discloses RustBucket macOS malware tied to BlueNoroff

    Jamf Threat Labs published analysis of RustBucket, a multi-stage macOS malware family attributed to BlueNoroff. The infection chain begins with a backdoored 'Internal PDF Viewer' application that only activates malicious behaviour when a specifically crafted decoy PDF is opened, then retrieves a Rust-based stage-three payload for reconnaissance and follow-on operations against finance-sector targets in Asia, Europe, and the United States.

    macos · rustbucket · malware-report · finance
  3. Advisory · High · 2022-04-18 · CISA

    CISA/FBI/Treasury joint advisory AA22-108A on TraderTraitor

    FBI, CISA, and the U.S. Treasury issued joint advisory AA22-108A warning that a DPRK state-sponsored APT tracked as Lazarus, APT38, BlueNoroff, and Stardust Chollima was targeting blockchain firms with trojanised cryptocurrency trading applications collectively named TraderTraitor. The malware family is built on cross-platform Electron/Node.js code, delivered through spearphishing that mimics recruiter outreach to DevOps and IT staff at crypto exchanges and DeFi protocols.

    advisory · cryptocurrency · tradertraitor · dprk
  4. Report · High · 2022-01-13 · Kaspersky (Securelist)

    Kaspersky exposes SnatchCrypto campaign draining cryptocurrency startups

    Kaspersky published 'The BlueNoroff cryptocurrency hunt is still on,' detailing a multi-year campaign dubbed SnatchCrypto in which BlueNoroff impersonated venture capital firms to spearphish fintech, DeFi, and blockchain startups. The actor used weaponised Office documents and LNK files, surveilled victims for weeks, and in high-value cases swapped the MetaMask browser extension with a trojanised build to alter outgoing transactions at signing time.

    cryptocurrency · spearphishing · metamask · snatchcrypto
  5. Compromise · Critical · 2017-04-03 · Kaspersky (Securelist)

    Securelist 'Lazarus Under the Hood' details Bangladesh Bank SWIFT heist

    Kaspersky's Global Research and Analysis Team published technical analysis tying the February 2016 fraudulent SWIFT transfers from Bangladesh Bank's New York Federal Reserve account — through which attackers moved roughly $81 million — to the Lazarus cluster's financial subgroup later widely tracked as BlueNoroff / APT38. The report documents shared tooling, infrastructure, and operator tradecraft across attacks on banks in multiple countries.

    financial · swift · bank-heist · dprk

Indicators of compromise

3 indicators
Type · Value · First seen · Source

  1. SHA-256 · 927b3564c1cf884d2a05e1d7bd24362ce8563a1e9b85be776190ab7f8af192f6
     family · KANDYKORN
     SHA-256 of the KANDYKORN macOS backdoor staged via SUGARLOADER in the Elastic-tracked REF7001 intrusion against a cryptocurrency exchange. Capabilities include arbitrary command execution, file upload/download, directory listing, and secure deletion.
     First seen Oct 31, 2023 · Elastic Security Labs

  2. Domain · tp-globa[.]xyz
     family · KANDYKORN
     Command-and-control domain used by the SUGARLOADER stage of the KANDYKORN intrusion chain; identified in Elastic Security Labs' REF7001 report on the DPRK macOS campaign against blockchain engineers.
     First seen Oct 31, 2023 · Elastic Security Labs

  3. Domain · cloud[.]dnx[.]capital
     family · RustBucket
     C2 domain associated with the RustBucket macOS malware family attributed to BlueNoroff in Jamf Threat Labs' April 2023 disclosure. The malware was delivered via a backdoored 'Internal PDF Viewer' application targeting finance-sector users.
     First seen Apr 20, 2023 · Jamf Threat Labs

Related actors

shared ATT&CK techniques

References


Threat Intel Tracker. (2026-05-19). BlueNoroff — actor profile. Retrieved from https://threatintel.local/actors/bluenoroff

latest cited activity · 2023-11-01 · 3 cataloged indicators