BlueNoroff's RustBucket macOS Malware

2023-05-12 PolySwarm

https://blog.polyswarm.io/bluenoroffs-rustbucket-macos-malware


BlueNoroff used the multistage RustBucket malware to target macOS systems in financially motivated operations. The first stage, an unsigned AppleScript application named Internal PDF Viewer.app, only runs if the victim overrides Gatekeeper; once running, it retrieves a signed second-stage application that masquerades under a bundle identifier in Apple's own com.apple namespace. The second stage behaves as a PDF viewer, and opening a specific malicious PDF in it triggers the next phase: the application contacts its C2 and downloads a Rust-based Mach-O payload built for both ARM and x86 (Intel) systems. That final payload collects system information and supports further attacker actions on the host, consistent with BlueNoroff's pattern of job-themed lures and financial-sector targeting.
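The chain above gives a responder three things to check when handed a suspicious .app: a bundle identifier squatting on Apple's com.apple namespace, a main executable that is a universal (fat) Mach-O with both x86_64 and arm64 slices, and whether each slice carries a code-signature load command at all (an unsigned first stage is exactly what forces the Gatekeeper override). The script below is an added example, not PolySwarm's or the malware's code: it parses fat and thin Mach-O headers with the standard library, reads Info.plist, and reports those indicators. The bundle name, bundle identifier and Mach-O bytes are constructed in memory so it runs on any OS; the cputype constants, magic numbers and LC_CODE_SIGNATURE value are the real ones from Apple's loader headers.

```python
"""Offline triage of a RustBucket-style .app bundle (added example, not PolySwarm's code)."""
import os
import plistlib
import struct
import tempfile

FAT_MAGIC = 0xCAFEBABE          # universal ("fat") binary; fat header is big-endian
MH_MAGIC_64 = 0xFEEDFACF        # 64-bit Mach-O slice, little-endian on x86_64 and arm64
LC_CODE_SIGNATURE = 0x1D        # load command pointing at the embedded signature blob
MH_EXECUTE = 2
CPU_NAMES = {0x01000007: "x86_64", 0x0100000C: "arm64", 0x7: "i386", 0xC: "arm"}


def parse_macho_slice(data: bytes) -> dict:
    """Return arch, filetype and whether an LC_CODE_SIGNATURE load command is present."""
    magic, cputype, _sub, filetype, ncmds, _sizeofcmds, _flags, _res = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit little-endian Mach-O slice: %#x" % magic)
    offset = 32  # sizeof(struct mach_header_64); load commands follow immediately
    signed = False
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, offset)
        if cmd == LC_CODE_SIGNATURE:
            signed = True
        offset += cmdsize
    return {"arch": CPU_NAMES.get(cputype, hex(cputype)), "filetype": filetype, "has_code_signature": signed}


def parse_macho(data: bytes) -> list:
    """Handle thin and universal binaries alike; return one record per slice."""
    (magic,) = struct.unpack_from(">I", data, 0)
    if magic != FAT_MAGIC:
        return [parse_macho_slice(data)]
    (nfat,) = struct.unpack_from(">I", data, 4)
    slices = []
    for i in range(nfat):
        # struct fat_arch: cputype, cpusubtype, offset, size, align (all big-endian uint32)
        _cpu, _sub, off, size, _align = struct.unpack_from(">5I", data, 8 + 20 * i)
        slices.append(parse_macho_slice(data[off:off + size]))
    return slices


def triage_bundle(app_dir: str) -> dict:
    """Report the indicators a responder would pull from a suspicious .app directory."""
    with open(os.path.join(app_dir, "Contents", "Info.plist"), "rb") as fh:
        info = plistlib.load(fh)
    bundle_id = info.get("CFBundleIdentifier", "")
    exe = os.path.join(app_dir, "Contents", "MacOS", info["CFBundleExecutable"])
    with open(exe, "rb") as fh:
        slices = parse_macho(fh.read())
    return {
        "bundle_id": bundle_id,
        # A third-party bundle claiming com.apple.* is a masquerade indicator; on macOS
        # confirm who actually signed it with `codesign -dvvv <app>`.
        "apple_namespace_masquerade": bundle_id.startswith("com.apple."),
        "archs": [s["arch"] for s in slices],
        # Slices with no LC_CODE_SIGNATURE cannot even be ad-hoc signed: Gatekeeper will refuse them.
        "unsigned_slices": [s["arch"] for s in slices if not s["has_code_signature"]],
    }


def _slice(cputype: int, signed: bool) -> bytes:
    """Constructed minimal mach_header_64, optionally followed by one LC_CODE_SIGNATURE command."""
    cmds = struct.pack("<4I", LC_CODE_SIGNATURE, 16, 0, 0) if signed else b""  # linkedit_data_command
    header = struct.pack("<8I", MH_MAGIC_64, cputype, 0, MH_EXECUTE, 1 if signed else 0, len(cmds), 0, 0)
    return header + cmds


def build_fat(slices) -> bytes:
    """Constructed fat binary from (cputype, slice_bytes) pairs; real files page-align slices."""
    header = struct.pack(">2I", FAT_MAGIC, len(slices))
    entries, body, off = b"", b"", 8 + 20 * len(slices)
    for cputype, blob in slices:
        entries += struct.pack(">5I", cputype, 0, off, len(blob), 0)
        body += blob
        off += len(blob)
    return header + entries + body


# Constructed sample: x86_64 slice with a signature command, arm64 slice without one.
SAMPLE_FAT_BINARY = build_fat([(0x01000007, _slice(0x01000007, True)),
                               (0x0100000C, _slice(0x0100000C, False))])


def run_demo() -> dict:
    """Write a constructed bundle (hypothetical name and bundle ID) to a temp dir and triage it."""
    app = os.path.join(tempfile.mkdtemp(), "Internal PDF Viewer.app")
    os.makedirs(os.path.join(app, "Contents", "MacOS"))
    with open(os.path.join(app, "Contents", "Info.plist"), "wb") as fh:
        plistlib.dump({"CFBundleIdentifier": "com.apple.example-viewer", "CFBundleExecutable": "viewer"}, fh)
    with open(os.path.join(app, "Contents", "MacOS", "viewer"), "wb") as fh:
        fh.write(SAMPLE_FAT_BINARY)
    return triage_bundle(app)


if __name__ == "__main__":
    print(run_demo())
```

The Mach-O parsing only tells you whether a signature blob is referenced, not who signed it or whether the signature still verifies; on a real macOS host follow up with `codesign -dvvv` and `spctl --assess --type execute` on the bundle, and check the `com.apple.quarantine` attribute with `xattr -l` to see whether the user had to click through a Gatekeeper prompt.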

Indicators of Compromise

Type   Value                              First Seen   Last Seen
HASH   bea33fb3205319868784c028418411e…   2023-05-12   2023-05-22
HASH   8e234482db790fa0a3d2bf5f7084ec4…   2023-05-12   2023-05-22
HASH   7981ebf35b5eff8be2f3849c8f3085b…   2023-05-01   2023-05-22
HASH   3d41cd5199dbd6cefcc78d53bb44a2e…   2023-05-12   2023-05-12
