North Korean Threat Actors Deploy Hidden Risk Malware on macOS to Target Crypto Firms – Active IOCs
2024-11-08 • Rewterz
The malware is designed to bypass traditional detection methods, and this shift towards simpler phishing tactics contrasts with BlueNoroff’s previous campaign, which relied on prolonged social engineering and “grooming” of targets on social media. The attackers use email phishing with fake cryptocurrency news headlines and exploit legitimate infrastructure, such as Namecheap for domain registration and hosting providers like Quickpacket and Hostwinds. In addition to BlueNoroff’s campaign, North Korean threat actors actively pursue job opportunities in Western firms, employing tactics such as social engineering through fake job offers and malware-laden assignments. These campaigns illustrate North Korea’s increasingly varied and persistent efforts to acquire funds from the cryptocurrency sector in order to bypass financial sanctions.
Indicators of Compromise