BlueNoroff
BlueNoroff is a DPRK-linked malware/threat cluster associated with targeted intrusions, particularly against the cryptocurrency and Web3 sector. The provided content states that BlueNoroff primarily attacks the cryptocurrency industry and has been observed in campaigns using social engineering, including deepfakes and malicious Zoom extensions, to compromise victim organizations. In one Huntress-described case, attackers shifted a meeting from Google Meet to Zoom at the last minute and instructed the victim to install a supposed Zoom extension, contributing to compromise. The content also associates BlueNoroff activity with backdoor malware and information stealers. A comparative analysis in the source material indicates that BlueNoroff uses a large variety of first-stage malicious code during initial access, while only a small number of final-stage stealer malware families were identified; these final-stage stealers are described as changing slowly and being used to extract information in the later phase of attacks. High-confidence targeting information in the content includes cryptocurrency-focused victims and broader high-value sectors such as Web3/cryptocurrency. The content does not provide specific file hashes, domains, or other concrete IOCs.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Huntress wrote in a recent blog post describing the BlueNoroff targeted attack where threat actors tied to the Democratic People's Republic of Korea (DPRK) compromised a victim organization with malicious Zoom extensions and deepfakes.
IOCs tracked for this family
1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
BlueNoroff is an APT group known for targeting cryptocurrency organizations through sophisticated malware and social engineering campaigns.
A DPRK-attributed macOS-focused intrusion set/campaign described as using social engineering (including deepfakes) and malicious Zoom extensions to compromise victims, then deploying backdoor malware and information stealers; also noted as evolving tooling (including novel loaders) to blend into macOS environments and target high-value sectors like Web3/crypto.
Referenced as part of a multi-stage campaign pattern where only a small number of final-stage stealer payloads are used to extract information, especially in cryptocurrency-focused attacks.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.