{
	"id": "45b5b4c0-257d-49bb-949d-7d319a4d3787",
	"created_at": "2026-04-06T00:15:17.720477Z",
	"updated_at": "2026-04-10T03:35:51.306465Z",
	"deleted_at": null,
	"sha1_hash": "a66baa56bcd1419c23a9eb8ad4e9195ff41628be",
	"title": "BlueNoroff strikes again with new macOS malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 183313,
	"plain_text": "BlueNoroff strikes again with new macOS malware\r\nBy Jamf Threat Labs\r\nArchived: 2026-04-05 19:51:43 UTC\r\nhttps://www.jamf.com/blog/bluenoroff-strikes-again-with-new-macos-malware/\r\nResearch led by Ferdous Saljooki.\r\nBackground\r\nJamf Threat Labs has identified a new malware variant attributed to the BlueNoroff APT group. BlueNoroff’s campaigns are financially motivated, frequently targeting cryptocurrency exchanges, venture capital firms and banks. During our routine threat hunting, we discovered a Mach-O universal binary communicating with a domain that Jamf had previously classified as malicious. This executable was undetected on VirusTotal at the time of our analysis, which piqued our interest.\r\nThe standalone binary, labeled ProcessRequest, is ad-hoc signed and has been observed communicating with the domain swissborg[.]blog. 
This raised suspicions, especially since a legitimate cryptocurrency exchange operates under the domain swissborg.com and hosts a legitimate blog at swissborg.com/blog.\r\nThe malware splits the command and control (C2) URL into two separate strings that are concatenated at runtime. This is likely an attempt to evade static detection: neither fragment on its own matches the full domain or URL that an indicator list or string-based signature would carry.\r\nThe use of this domain closely aligns with the activity we have seen from BlueNoroff in what Jamf Threat Labs tracks as the RustBucket campaign. In this campaign, the actor reaches out to a target claiming to be interested in partnering with them or offering them something beneficial, under the guise of an investor or head hunter. BlueNoroff often registers a domain that looks like it belongs to a legitimate crypto company in order to blend in with normal network activity.\r\nThe malicious domain swissborg[.]blog was registered on May 31, 2023, and resolves to the IP address 104.168.214[.]151. Pivoting from this domain revealed several URLs used for the malware’s communication. However, at the time of our analysis, the C2 server did not respond to any of these URLs and went offline shortly after our attempts to communicate.\r\nThe IP address 104.168.214[.]151 has been associated with malware previously used by this attacker.\r\nWe have observed submissions to VirusTotal from countries such as Japan and the US in September and October.\r\nAnalysis\r\nThe malware is written in Objective-C and operates as a very simple remote shell that executes shell commands sent from the attacker server. Although it is not entirely clear how initial access was achieved, this malware is likely used as a later stage to manually run commands after a system has already been compromised.
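The following is an added example from the editor, not code from the Jamf post or from the malware itself. It shows in Python why the split C2 string described above defeats a plain substring indicator match, and how joining pairs of extracted strings recovers it. The extracted strings and the split point are constructed for illustration; the report does not show where the binary divides the URL.

```python
# Added example (editor's own, not from the Jamf post or the malware): why a
# C2 URL split across two string constants defeats a plain substring IOC
# match, and a pairwise concatenation check that recovers it. The extracted
# strings and the split point are constructed; the report does not show
# where the binary divides the URL.
from itertools import permutations

# Host and path from the report; the defanged form swissborg[.]blog is
# restored here so it can be matched literally.
IOCS = ('swissborg.blog', 'swissborg.blog/zxcv/bnm')

# Constructed stand-in for string output from the binary: the URL is present
# only as two pieces, surrounded by unrelated strings.
EXTRACTED_STRINGS = [
    'sendRequest',
    'http://swiss',
    'borg.blog/zxcv/bnm',
    'operatingSystemVersionString',
    'sdf',
    'wsx',
    'Content-Type',
]

def naive_match(strings, iocs):
    # Plain substring search, what grep or a single YARA string would do.
    return sorted({ioc for s in strings for ioc in iocs if ioc in s})

def url_like(s):
    # Cheap prefilter so the pairwise pass only considers strings that could
    # be part of a hostname or path.
    return '.' in s or '/' in s

def split_match(strings, iocs, pieces=2):
    # Join every ordered tuple of candidate strings and search the result.
    # Only hits that need the concatenation are reported, so anything
    # naive_match already finds is not repeated here.
    candidates = [s for s in strings if url_like(s)]
    hits = []
    for combo in permutations(candidates, pieces):
        joined = ''.join(combo)
        for ioc in iocs:
            if ioc in joined and not any(ioc in piece for piece in combo):
                hits.append((ioc, combo))
    return hits

if __name__ == '__main__':
    print('naive:', naive_match(EXTRACTED_STRINGS, IOCS))
    print('split:', split_match(EXTRACTED_STRINGS, IOCS))
```

On the constructed input the naive search finds nothing while the pairwise pass reports both indicators together with the two fragments that form them. The prefilter keeps the quadratic pass manageable on real binaries, where most extracted strings are selector names and format strings rather than URL pieces.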
At a glance this malware is very different from the RustBucket malware seen in other attacks, but the attacker’s focus in both cases seems to be providing simple remote shell capability.\r\nUpon execution, the malware calls a method named sendRequest to send a POST request to the hardcoded URL hXXp://swissborg.blog/zxcv/bnm. It uses NSProcessInfo, which exposes information about the running process and the host it runs on, and reads its operatingSystemVersionString property to determine the macOS version. An NSMutableURLRequest object is created with the hardcoded URL, and the HTTP method and header fields are set accordingly.\r\nThe request is sent through NSURLSession, which supplies the default CFNetwork user-agent built from the following components.\r\nAppName: The name of the app, taken from the CFBundleName key in the app’s Info.plist. When the executable is not run as part of an app bundle (which we suspect is the case here), this value is the name of the executable.\r\nAppVersion: The version of the app, taken from the CFBundleShortVersionString key in the app’s Info.plist. 
In the absence of app-specific details it is set to unknown version.\r\nCFNetworkVersion: The version of the CFNetwork framework used by the app.\r\nDarwinVersion: The Darwin (XNU kernel) release version.\r\nThe HTTP POST data is the JSON formatted string {\"sdf\":\"wsx\",\"info\":\"operatingSystemVersionString\"}, where operatingSystemVersionString is replaced by the property value fetched from the processInfo object.\r\nThe original post includes a screenshot of an example POST message sent from the victim system to the attacker server.\r\nThe block callback [ProcessRequest sendRequest]_block_invoke serves as the command executor when a response is received from the C2.\r\nThe malware executes commands with the system() function, which runs them through sh -c. It logs the server response via NSLog before a command runs and records both successes and failures afterwards. The choice to log these activities is intriguing, as attackers crafting sophisticated malware typically omit statements that might leave traces on the host.\r\nThe main function of the program initializes an instance of the ProcessRequest class, then sets up a repeating timer using the startTimer method. This timer triggers the sendRequest method at regular intervals, so the binary polls the C2 periodically. To keep the main thread alive for the timer, the program runs an NSRunLoop.\r\nConclusion\r\nAlthough fairly simple, this malware is still fully functional and will help the attackers carry out their objectives. This seems to be a theme in the latest malware we have seen from this APT group. Based on previous attacks performed by BlueNoroff, we suspect that this malware was a late stage in a multi-stage chain delivered via social engineering. 
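The following is an added example from the editor, not code from the Jamf post. It is Python detection logic that scores HTTP proxy records against the beacon described above (known host and path, the CFNetwork default user-agent carrying an app version of unknown version, the sdf/wsx JSON body) and checks whether requests from one client arrive at the fixed cadence a repeating timer produces. It assumes the CFNetwork default user-agent layout AppName/AppVersion CFNetwork/version Darwin/version; the sample records, version numbers, timestamps, beacon interval and client addresses are constructed and are not from the report.

```python
# Added example (editor's own, not from the Jamf post): score HTTP proxy
# records against the ObjCShellz beacon and check for timer-driven cadence.
# Assumes the CFNetwork default user-agent layout
# AppName/AppVersion CFNetwork/version Darwin/version. All records below are
# constructed; version numbers, timestamps and addresses are not from the report.
import json
from statistics import pstdev

C2_HOST = 'swissborg.blog'     # from the report (defanged there as swissborg[.]blog)
C2_PATH = '/zxcv/bnm'          # from the report
BEACON_UA = 'ProcessRequest/unknown version CFNetwork/1408.0.4 Darwin/22.5.0'

def make_record(ts, src, host, path, user_agent, body_obj):
    # Build a constructed proxy record; json.dumps gives the same compact
    # form the malware sends ({'sdf':'wsx','info':...} with double quotes).
    return {'ts': ts, 'src': src, 'host': host, 'path': path, 'ua': user_agent,
            'body': json.dumps(body_obj, separators=(',', ':'))}

SAMPLE_RECORDS = [
    make_record(ts, '10.0.0.5', C2_HOST, C2_PATH, BEACON_UA,
                {'sdf': 'wsx', 'info': 'Version 13.4 (Build 22F66)'})
    for ts in (1000, 1060, 1120)          # three beacons, 60 s apart (constructed)
] + [
    make_record(1005, '10.0.0.7', 'swissborg.com', '/blog',
                'Safari/605.1.15 CFNetwork/1408.0.4 Darwin/22.5.0', {'q': 'news'}),
]

def parse_cfnetwork_ua(ua):
    # Split the default UA into app, app version, CFNetwork and Darwin versions.
    # Returns None when the string lacks the trailing CFNetwork/ and Darwin/ pairs.
    parts = ua.split(' ')
    if len(parts) < 3 or not parts[-2].startswith('CFNetwork/') or not parts[-1].startswith('Darwin/'):
        return None
    app = ' '.join(parts[:-2])            # the app version may contain a space
    name, _, version = app.partition('/')
    return {'app': name, 'app_version': version,
            'cfnetwork': parts[-2].split('/', 1)[1],
            'darwin': parts[-1].split('/', 1)[1]}

def body_matches(body):
    # The report gives the POST body as {'sdf':'wsx','info':<OS version string>}.
    try:
        obj = json.loads(body)
    except ValueError:
        return False
    return isinstance(obj, dict) and set(obj) == {'sdf', 'info'} and obj['sdf'] == 'wsx'

def score_record(rec):
    # Independent indicators; each one alone is weak, together they are specific.
    reasons = []
    if rec['host'] == C2_HOST:
        reasons.append('known C2 host')
    if rec['path'] == C2_PATH:
        reasons.append('known C2 path')
    ua = parse_cfnetwork_ua(rec['ua'])
    if ua is not None and ua['app_version'] == 'unknown version':
        reasons.append('bare executable with CFNetwork default UA')
    if body_matches(rec['body']):
        reasons.append('sdf/wsx JSON body')
    return reasons

def beacon_intervals(records, src, host):
    # Gaps between consecutive requests from one client to one host.
    ts = sorted(r['ts'] for r in records if r['src'] == src and r['host'] == host)
    return [b - a for a, b in zip(ts, ts[1:])]

def find_beacons(records, min_reasons=2, max_jitter=5.0):
    # Report (client, host) pairs whose requests hit at least min_reasons
    # indicators, and flag a regular cadence when the gap spread is small.
    findings = {}
    for rec in records:
        reasons = score_record(rec)
        if len(reasons) >= min_reasons:
            findings.setdefault((rec['src'], rec['host']), set()).update(reasons)
    out = []
    for (src, host), reasons in sorted(findings.items()):
        gaps = beacon_intervals(records, src, host)
        out.append({'src': src, 'host': host, 'reasons': sorted(reasons),
                    'intervals': gaps,
                    'regular_cadence': len(gaps) >= 2 and pstdev(gaps) <= max_jitter})
    return out

if __name__ == '__main__':
    for hit in find_beacons(SAMPLE_RECORDS):
        print(hit)
```

The host and path indicators are the ones that go stale first, so the user-agent and body checks carry the weight once the domain is replaced; the unknown version app version is the tell for a bare executable rather than an app bundle. The fixed 60 second interval in the sample is constructed, the report only says the timer fires at regular intervals. On the endpoint, the same beacon should be corroborated by an ad-hoc signed ProcessRequest process spawning sh -c children.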
Jamf Threat Labs tracks this malware as ObjCShellz and as part of the RustBucket campaign.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.jamf.com/blog/bluenoroff-strikes-again-with-new-macos-malware/"
	],
	"report_names": [
		"bluenoroff-strikes-again-with-new-macos-malware"
	],
	"threat_actors": [
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38",
				"ATK 117",
				"Alluring Pisces",
				"Black Alicanto",
				"Bluenoroff",
				"CTG-6459",
				"Citrine Sleet",
				"HIDDEN COBRA",
				"Lazarus Group",
				"Sapphire Sleet",
				"Selective Pisces",
				"Stardust Chollima",
				"T-APT-15",
				"TA444",
				"TAG-71"
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f426f0a0-faef-4c0e-bcf8-88974116c9d0",
			"created_at": "2022-10-25T15:50:23.240383Z",
			"updated_at": "2026-04-10T02:00:05.299433Z",
			"deleted_at": null,
			"main_name": "APT38",
			"aliases": [
				"APT38",
				"NICKEL GLADSTONE",
				"BeagleBoyz",
				"Bluenoroff",
				"Stardust Chollima",
				"Sapphire Sleet",
				"COPERNICIUM"
			],
			"source_name": "MITRE:APT38",
			"tools": [
				"ECCENTRICBANDWAGON",
				"HOPLIGHT",
				"Mimikatz",
				"KillDisk",
				"DarkComet"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1bdb91cf-f1a6-4bed-8cfa-c7ea1b635ebd",
			"created_at": "2022-10-25T16:07:23.766784Z",
			"updated_at": "2026-04-10T02:00:04.7432Z",
			"deleted_at": null,
			"main_name": "Bluenoroff",
			"aliases": [
				"APT 38",
				"ATK 117",
				"Alluring Pisces",
				"Black Alicanto",
				"Bluenoroff",
				"CTG-6459",
				"Copernicium",
				"G0082",
				"Nickel Gladstone",
				"Sapphire Sleet",
				"Selective Pisces",
				"Stardust Chollima",
				"T-APT-15",
				"TA444",
				"TAG-71",
				"TEMP.Hermit"
			],
			"source_name": "ETDA:Bluenoroff",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434517,
	"ts_updated_at": 1775792151,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a66baa56bcd1419c23a9eb8ad4e9195ff41628be.pdf",
		"text": "https://archive.orkl.eu/a66baa56bcd1419c23a9eb8ad4e9195ff41628be.txt",
		"img": "https://archive.orkl.eu/a66baa56bcd1419c23a9eb8ad4e9195ff41628be.jpg"
	}
}