{
	"id": "a04136f8-2217-4eba-864f-95d23e9881c3",
	"created_at": "2026-04-06T00:10:44.416842Z",
	"updated_at": "2026-04-10T03:35:51.216988Z",
	"deleted_at": null,
	"sha1_hash": "69d206c444ba7b11ad515448394172916ac6c6e8",
	"title": "BlueNoroff Hidden Risk | Threat Actor Targets Macs with Fake Crypto News and Novel Persistence",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 7590405,
	"plain_text": "BlueNoroff Hidden Risk | Threat Actor Targets Macs with Fake\r\nCrypto News and Novel Persistence\r\nBy Raffaele Sabato, Phil Stokes \u0026 Tom Hegel\r\nPublished: 2024-11-07 · Archived: 2026-04-05 13:51:37 UTC\r\nExecutive Summary\r\nSentinelLABS has observed a suspected DPRK threat actor targeting Crypto-related businesses with novel\r\nmulti-stage malware.\r\nWe assess with high confidence that the same actor is responsible for earlier attacks attributed to\r\nBlueNoroff and the RustDoor/ThiefBucket and RustBucket campaigns.\r\nSentinelLABS observed the use of a novel persistence mechanism abusing the Zsh configuration file\r\nzshenv .\r\nThe campaign, which we dubbed ‘Hidden Risk’, uses emails propagating fake news about cryptocurrency\r\ntrends to infect targets via a malicious application disguised as a PDF file.\r\nOverview\r\nCryptocurrency-related businesses have been targets of North Korean-affiliated threat actors for some time now,\r\nwith multiple campaigns aiming to steal funds and/or insert backdoor malware into targets. In April 2023,\r\nresearchers detailed an APT campaign targeting macOS users with multi-stage malware that culminated in a Rust\r\nbackdoor capable of downloading and executing further malware on infected devices. ‘RustBucket’, as they\r\nlabeled it, was attributed with strong confidence to the BlueNoroff APT. In May 2023, ESET researchers\r\ndiscovered a second RustBucket variant targeting macOS users, followed by Elastic’s discovery in July that year\r\nof a third variant that included a LaunchAgent for persistence. In November 2023, Elastic also reported on another\r\nDPRK campaign targeting blockchain engineers of a crypto exchange platform with KandyKorn malware. 
Further\r\nanalysis by SentinelLABS was able to connect the KandyKorn and RustBucket campaigns.\r\nIn early September 2024, the FBI began warning that North Korea was conducting “highly tailored, difficult-to-detect social engineering campaigns against employees of decentralized finance (“DeFi”), cryptocurrency, and\r\nsimilar businesses to deploy malware and steal company cryptocurrency”. Researchers from Jamf subsequently\r\nfollowed up on this report a few weeks later detailing an attack attempt that deployed malware masquerading as a\r\nVisual Studio updater.\r\nIn October 2024, SentinelLABS observed a phishing attempt on a crypto-related industry that delivered a dropper\r\napplication and a payload bearing many of the hallmarks of these previous attacks. We believe the campaign likely\r\nbegan as early as July 2024 and uses email and PDF lures with fake news headlines or stories about crypto-related\r\ntopics. We dubbed this campaign ‘Hidden Risk’ and detail its operation and indicators of compromise below,\r\nincluding the use of a novel persistence mechanism abusing the zshenv configuration file.\r\nhttps://www.sentinelone.com/labs/bluenoroff-hidden-risk-threat-actor-targets-macs-with-fake-crypto-news-and-novel-persistence/\r\nPage 1 of 15\n\nInfection Vector\r\nInitial infection is achieved via phishing email containing a link to a malicious application. The application is\r\ndisguised as a link to a PDF document relating to a cryptocurrency topic such as “Hidden Risk Behind New Surge\r\nof Bitcoin Price”, “Altcoin Season 2.0-The Hidden Gems to Watch” and “New Era for Stablecoins and DeFi,\r\nCeFi”.\r\nThe emails hijack the name of a real person in an unrelated industry as a sender and purport to be forwarding a\r\nmessage from a well-known crypto social media influencer. 
In the case of the ‘Hidden Risk’ PDF, the threat actors\r\ncopied a genuine research paper entitled ‘Bitcoin ETF: Opportunities and risk’ by an academic associated with the\r\nUniversity of Texas and hosted online by the International Journal of Science and Research Archive (IJSRA).\r\nThe fake PDF displayed to targets (left) and the original source document hosted online (right)\r\nUnlike earlier campaigns attributed to BlueNoroff, the Hidden Risk campaign uses an unsophisticated phishing\r\nemail that does not engage the recipient with contextually-relevant content, such as reference to personal or work-related information.\r\nAlso of note is that the sender domain in our observed incident, kalpadvisory[.]com, has been noted for\r\nspamming among online communities involved in the Indian stock market.\r\nSocial media users complain about spam calls from Kalp Advisory\r\nThe ‘open’ link in the phishing email hides a URL to another domain, delphidigital[.]org. The full URL\r\ncurrently serves a benign form of the Bitcoin ETF document with titles that differ over time. However, at some\r\npoint, this URL has switched, or still switches, to serving the first stage of a malicious application bundle entitled ‘Hidden\r\nRisk Behind New Surge of Bitcoin Price.app’ (3f17c5a7d1e7fd138163d8039e614b8a967a56cb).\r\nApplication icon for the Stage 1 dropper\r\nFirst Stage | “Bait and Switch” Dropper Application Replaces PDF\r\nThe first stage is a Mac application written in Swift displaying the same name as the expected PDF, “Hidden Risk\r\nBehind New Surge of Bitcoin Price.app”. 
The application bundle has the bundle identifier Education.LessonOne\r\nand contains a universal architecture (i.e., arm64 and x86-64) Mach-O executable named LessonOne.\r\nThe application bundle was signed and notarized on 19 October, 2024 with the Apple Developer ID “Avantis\r\nRegtech Private Limited (2S8XHJ7948)”. The signature has since been revoked by Apple.\r\nCode signing details for the Hidden Risk Behind New Surge of Bitcoin Price.app\r\nOn launch, the application downloads the decoy “Hidden Risk” PDF file from a Google Drive share and opens it\r\nusing the default macOS PDF viewer (typically Preview). Similar TTPs were previously reported by researchers at\r\nKandji in August. The PDF is written into a temporary file before being moved to /Users/Shared using\r\nNSFileManager’s moveItemAtURL:toURL:error method.\r\nThe malware then downloads and executes a malicious x86-64 binary sourced from matuaner[.]com via a URL\r\nhard-coded into the Stage 1 binary. 
Since by default macOS won’t allow an application to download over\r\ninsecure HTTP, the application’s Info.plist specifies this domain in the dictionary for its\r\nNSAppTransportSecurity key and sets the NSExceptionAllowsInsecureHTTPLoads value to “true”.\r\nThe Stage 1’s Info.plist adds the C2 domain as an exception for Apple’s App Transport Security\r\nsettings\r\nThe Info.plist also indicates that the application was built on a macOS 14.2 Sonoma machine but will run on\r\nboth Intel and Apple silicon Macs with macOS 12 Monterey or later.\r\nSecond Stage | ‘growth’ x86-64 Mach-O Backdoor\r\nThe malicious binary downloaded by the first stage dropper is a single architecture Mach-O x86-64 executable\r\n(7e07765bf8ee2d0b2233039623016d6dfb610a6d), meaning that although the parent dropper will execute on both\r\nIntel and Apple silicon machines, the Stage 2 will only run on Intel architecture Macs or Apple silicon devices\r\nwith the Rosetta emulation framework installed. The binary, written in C++, has the name ‘growth’, weighs in at\r\naround 5.1 MB and is not code signed at all (SentinelLABS was able to share the file for researchers here).\r\nThe executable contains a number of identifiable functions, which we outline below, with the overall objective\r\nbeing to act as a backdoor to execute remote commands.\r\nSome interesting functions in the ‘growth’ binary\r\nOn execution, the ‘growth’ binary performs the following actions.\r\n1. Calls the sym.install_char__char_ function to install persistence. We discuss this in the next section.\r\n2. Runs several commands to gather environmental information from the host and generate a random UUID\r\nof length 16. These commands include sw_vers ProductVersion, sysctl hw.model and sysctl\r\nkern.boottime.\r\n3. 
Calculates the current date and time and performs ps aux to list running processes.\r\n4. Sends the string “ci”, the random UUID and the gathered host data to a remote server using the DoPost\r\nfunction and awaits the C2 response.\r\n5. Uses the ProcessRequest function to parse the response. If the first byte in the response is 0x31, it sends\r\nthe string “cs”, the random UUID and the value -1 using DoPost and exits. If the first byte in the response\r\nis 0x30, it executes the SaveAndExec function, then sends the string “cs”, the random UUID and the value 0\r\nusing DoPost. The SaveAndExec function reads the C2 response, parses it, saves it into a random, hidden\r\nfile at /Users/Shared/.XXXXXX, and executes it.\r\nThe ProcessRequest function parses the C2 response\r\n6. Sleeps for 60 seconds and starts the flow again from step 3.\r\nThe DoPost function is used to make the HTTP POST request to the C2 using libcurl. The first argument is the\r\nC2 URL, the second argument is the data sent in the body of the POST request, and the third argument is the data\r\npointer passed to the write callback.\r\nThe DoPost function constructs and sends the HTTP request\r\nWe have previously noted that this same User-Agent string, mozilla/4.0 (compatible; msie 8.0; windows nt\r\n5.1; trident/4.0), appeared in RustBucket malware in 2023. 
The User-Agent string also uses cur1-agent\r\n(using a 1 in place of the l in “curl”) as reported by Elastic, a fairly unique indicator we have not observed\r\nelsewhere.\r\nWe also see similarities in the way that earlier malware parsed the response from the C2, essentially comparing\r\none of two values as decision logic between awaiting further response, exiting or reading and writing a remote\r\ncommand to file. The function name ProcessRequest was also used in an ObjCShellz\r\npayload observed in a previous campaign.\r\nThe SaveAndExec function is responsible for executing any commands received from the C2. This function takes\r\ntwo parameters, the payload received and the length of the payload. The function parses the malicious payload and\r\ncalculates indices related to the presence of the characters “#” and “:”, receiving data from the C2 in the form\r\n0#\\0:command.\r\nSaveAndExec function parses the received script for embedded commands\r\nBased on the calculated indices, it creates a random file name of length 6 and writes the received command as a\r\nhidden file to /Users/Shared/.%s. It then uses chmod 0x777 to set the permissions of the file to world read,\r\nwrite and execute, and finally executes it via popen.\r\nThe SaveAndExec function changes the file’s permissions and then executes it\r\nPersistence via Zshenv\r\nThe backdoor’s operation is functionally similar to previous malware attributed to this threat actor, but what\r\nmakes it especially interesting is the persistence mechanism, which abuses the Zshenv configuration file.\r\nZshenv is one of several optional configuration files used by the Zsh shell. 
At the user level, it sits as a hidden file\r\nin the Home directory, ~/.zshenv. A system-wide version can also be located at /etc/zshenv. If it exists, the\r\nfile is sourced for all Zsh sessions, including interactive and non-interactive shells, non-login shells and scripts. It\r\nis also read before all other Zsh startup files.\r\nInterestingly, previous malware samples used by the same threat actor have referenced zsh_env in their naming\r\nconvention, but not actually used the mechanism. In an earlier campaign, BlueNoroff used the ~/.zshrc config\r\nfile to achieve persistence. However, this is a less reliable form of persistence since the file is only sourced when a\r\nuser launches an interactive Terminal session or subsession from an existing console.\r\nInfecting the host with a malicious Zshenv file allows for a more powerful form of persistence. While this\r\ntechnique is not unknown, it is the first time we have observed it used in the wild by malware authors. It has\r\nparticular value on modern versions of macOS since Apple introduced user notifications for background Login\r\nItems as of macOS 13 Ventura. Apple’s notification aims to warn users when a persistence method is installed,\r\nparticularly oft-abused LaunchAgents and LaunchDaemons. Abusing Zshenv, however, does not trigger such a\r\nnotification in current versions of macOS.\r\nIn the binary, installation of the persistence mechanism is handled by the sym.install_char__char_ function.\r\nThe mechanism checks for a hidden touch file (zero byte) in the /tmp/ folder called .zsh_init_success. 
If the\r\nfile does not exist, then the ‘growth’ binary is called and the touch file is created.\r\nContents of the malicious ~/.zshenv, executed for every Zsh session\r\nNetwork Infrastructure\r\nAnalysis of the actor-operated and -controlled network infrastructure associated with the Hidden Risk campaign\r\nfurther corroborates our confidence in attribution to DPRK’s BlueNoroff threat actor. Additionally, infrastructure\r\nanalysis provides new insight into an extensive cluster of activity over the last year or more, and provides further links\r\nto industry reporting mentioned above, and others in the community.\r\nOver recent months, the actor has built a network of connected infrastructure often themed around their\r\ncryptocurrency interests, methods of delivering malware lures, and mimicking legitimate Web3, cryptocurrency,\r\nfintech, and investment organizations to appear legitimate. NameCheap is the predominant domain registrar being\r\nabused. 
Virtual server hosting services such as Quickpacket, Routerhosting, Hostwinds, and others are the most\r\ncommonly used based on our observations.\r\nVarious methods of pivoting across network infrastructures and services can be used to connect the Hidden Risk\r\ncampaign to domains themed around the following organizations, indicating the actor’s interest in targeting\r\nthese organizations or spoofing them to target others.\r\nCryptocurrency Technologies: Delphi Digital, Solana Labs, Douro Labs, bitsCrunch, Caladan\r\nInvestment and Capital Entities: Maelstrom Fund, Selini Capital, Flori Ventures, ARK Invest, Long Journey Ventures\r\nGeneric IT/Communication: Virtual Meetings (Zoom, generic), Software Updates (macOS, browsers, generic)\r\nWhen examining the infrastructure of the campaign detailed above in infrastructure analysis tools such as Validin,\r\nwe can identify clear relations between the initial stage 1 delivery domain (matuaner[.]com) and the IPs\r\n45.61.135[.]105 and 172.86.108[.]47. These two IPs, in combination with an overlapping certificate use,\r\nlink to a variety of domains that open the door to the larger and longer running history of BlueNoroff activity\r\n(green lines), and additional lesser confidence infrastructure to explore further (orange dotted lines).\r\nPivoting from sample delivery to initial set of infrastructure\r\nAdditional valuable pivoting can be achieved by analyzing attributes like DNS TXT records linked to domains\r\nthat the actor may be using for phishing email delivery. 
For instance, we’ve observed the actor abusing email\r\nmarketing automation tools, such as Brevo, where they go so far as to verify domain ownership to meet email\r\nauthentication standards—an effort to bypass spam and phishing detection filters.\r\nPivoting initial infrastructure to wider set, through DNS TXT Records\r\nBeyond direct pivoting based on infrastructure and overlapping response data, we also identified additional\r\ndomains registered using similar methods that reflect previous organization naming themes across various\r\ntop-level domains (TLDs), though these domains have not yet been linked to any known actor activity. For instance,\r\nby analyzing bulk domain search datasets, we found related but non-pivotable domains based on “Selini Capital,”\r\nsuch as selinicapital[.]network. This approach has proven effective in uncovering additional BlueNoroff\r\ndomains linked to the Hidden Risk activity cluster.\r\nExample Regular Expression: /s+e+l+i+n+i+c+a+p+i+t+a+l+\\.[a-z0-9-]+/\r\nBulk domain scanning, past 180 days, showing registration summary\r\nThe extensive collection of BlueNoroff infrastructure we’ve gathered over the years, recently expanded through\r\nthe latest Hidden Risk campaign activity, prevents us from detailing every unique pivoting method as this actor\r\ncontinues to evolve. As with all quality threat intelligence, our goal is to aid defenders while carefully managing\r\nthe exposure of our tracking techniques to the actor. 
However, we are sharing a broader set of associated\r\ninfrastructure in the Indicators of Compromise section below.\r\nConclusion\r\nOver the last 12 months or so, North Korean cyber actors have engaged in a series of campaigns against crypto-related industries, many of which involved extensive ‘grooming’ of targets via social media. We observe that the\r\nHidden Risk campaign diverges from this strategy, taking a more traditional and cruder, though not necessarily any\r\nless effective, email phishing approach. Despite the bluntness of the initial infection method, other hallmarks of\r\nprevious DPRK-backed campaigns are evident, both in terms of observed malware artifacts and associated\r\nnetwork infrastructure, as discussed extensively throughout this post.\r\nWe might speculate that heightened attention on previous DPRK campaigns could have reduced the effectiveness\r\nof previous ‘social media grooming’ attempts, perhaps as a result of intended targets in DeFi, ETF and other\r\ncrypto-related industries becoming more wary, but it is equally likely that such state-backed threat actors have\r\nsufficient resources to pursue multiple strategies simultaneously.\r\nOne factor that is relatively consistent throughout many of these campaigns is that the threat actors are seemingly\r\nable to acquire or hijack valid Apple ‘identified developer’ accounts at will, have their malware notarized by\r\nApple, and bypass macOS Gatekeeper and other built-in Apple security technologies. 
In light of this and the\r\ngeneral increase in macOS crimeware observed across the security industry, we encourage all macOS users, but\r\nparticularly those in organizational settings, to harden their security and increase their awareness of potential risks.\r\nIndicators of Compromise\r\nSHA1 Function File Arch\r\n05c178891ca1e65af53bbcfdbec573da3f74d176 Dropper Macho arm64\r\n3f17c5a7d1e7fd138163d8039e614b8a967a56cb Dropper App Universal\r\n7e07765bf8ee2d0b2233039623016d6dfb610a6d Backdoor Macho x86_64\r\nbaf4da6b89b7d7cbf24c9deef5984ef9dfd52e6a Dropper Macho Universal\r\ne5d97afa5f1501b3d5ec1a471dc8a3b8e2a84fdb Dropper Macho x86_64\r\nIP Addresses\r\nDomains\r\nSource: https://www.sentinelone.com/labs/bluenoroff-hidden-risk-threat-actor-targets-macs-with-fake-crypto-news-and-novel-persistence/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.sentinelone.com/labs/bluenoroff-hidden-risk-threat-actor-targets-macs-with-fake-crypto-news-and-novel-persistence/"
	],
	"report_names": [
		"bluenoroff-hidden-risk-threat-actor-targets-macs-with-fake-crypto-news-and-novel-persistence"
	],
	"threat_actors": [
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "cfdd35af-bd12-4c03-8737-08fca638346d",
			"created_at": "2022-10-25T16:07:24.165595Z",
			"updated_at": "2026-04-10T02:00:04.887031Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Cosmic Wolf",
				"Marbled Dust",
				"Silicon",
				"Teal Kurma",
				"UNC1326"
			],
			"source_name": "ETDA:Sea Turtle",
			"tools": [
				"Drupalgeddon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "33ae2a40-02cd-4dba-8461-d0a50e75578b",
			"created_at": "2023-01-06T13:46:38.947314Z",
			"updated_at": "2026-04-10T02:00:03.155091Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"UNC1326",
				"COSMIC WOLF",
				"Marbled Dust",
				"SILICON",
				"Teal Kurma"
			],
			"source_name": "MISPGALAXY:Sea Turtle",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "62b1b01f-168d-42db-afa1-29d794abc25f",
			"created_at": "2025-04-23T02:00:55.22426Z",
			"updated_at": "2026-04-10T02:00:05.358041Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Sea Turtle",
				"Teal Kurma",
				"Marbled Dust",
				"Cosmic Wolf",
				"SILICON"
			],
			"source_name": "MITRE:Sea Turtle",
			"tools": [
				"SnappyTCP"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f426f0a0-faef-4c0e-bcf8-88974116c9d0",
			"created_at": "2022-10-25T15:50:23.240383Z",
			"updated_at": "2026-04-10T02:00:05.299433Z",
			"deleted_at": null,
			"main_name": "APT38",
			"aliases": [
				"APT38",
				"NICKEL GLADSTONE",
				"BeagleBoyz",
				"Bluenoroff",
				"Stardust Chollima",
				"Sapphire Sleet",
				"COPERNICIUM"
			],
			"source_name": "MITRE:APT38",
			"tools": [
				"ECCENTRICBANDWAGON",
				"HOPLIGHT",
				"Mimikatz",
				"KillDisk",
				"DarkComet"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1bdb91cf-f1a6-4bed-8cfa-c7ea1b635ebd",
			"created_at": "2022-10-25T16:07:23.766784Z",
			"updated_at": "2026-04-10T02:00:04.7432Z",
			"deleted_at": null,
			"main_name": "Bluenoroff",
			"aliases": [
				"APT 38",
				"ATK 117",
				"Alluring Pisces",
				"Black Alicanto",
				"Bluenoroff",
				"CTG-6459",
				"Copernicium",
				"G0082",
				"Nickel Gladstone",
				"Sapphire Sleet",
				"Selective Pisces",
				"Stardust Chollima",
				"T-APT-15",
				"TA444",
				"TAG-71",
				"TEMP.Hermit"
			],
			"source_name": "ETDA:Bluenoroff",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434244,
	"ts_updated_at": 1775792151,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/69d206c444ba7b11ad515448394172916ac6c6e8.pdf",
		"text": "https://archive.orkl.eu/69d206c444ba7b11ad515448394172916ac6c6e8.txt",
		"img": "https://archive.orkl.eu/69d206c444ba7b11ad515448394172916ac6c6e8.jpg"
	}
}