BlueNoroff APT group targets macOS with ‘RustBucket’ Malware

2023-04-21 Jamf

https://www.jamf.com/blog/bluenoroff-apt-targets-macos-rustbucket-malware/


Jamf Threat Labs identified RustBucket, a macOS malware family suspected to be linked to North Korean state-sponsored activity and likely to BlueNoroff, a Lazarus subgroup. The campaign used an unsigned AppleScript dropper named Internal PDF Viewer.app to download a second-stage PDF-viewer application from attacker infrastructure such as cloud.dnx.capital. The second stage triggered its malicious behavior only when opened with a matching weaponized PDF; it then decrypted and displayed a decoy venture-capital document while preparing communication with a C2 server for additional payload execution. Jamf noted that the workflow and social-engineering pattern aligned with previously reported BlueNoroff activity against cryptocurrency and investment targets.

Indicators of Compromise

Type Value First Seen Last Seen
HASH 182760cbe11fa0316abfb8b7b00b63f… 2023-04-21 2026-04-01
HASH 7e69cb4f9c37fad13de85e91b5a05a8… 2023-04-21 2024-01-01
HASH ca59874172660e6180af2815c3a42c8… 2023-04-21 2023-07-05
HASH 0be69bb9836b2a266bfd9a8b93bb412… 2023-04-21 2023-07-05
