In a new wave of cyberattacks, North Korean hackers, operating under the notorious BlueNoroff group, have developed a sophisticated multi-stage malware targeting cryptocurrency companies, with a focus on macOS systems. The campaign, named “Hidden Risk,” uses a clever tactic to infiltrate victims by luring them with fake crypto-related news.
This malware is designed to remain undetected on the latest macOS versions, evading traditional security alerts. Experts are particularly concerned about its novel persistence mechanisms, which allow it to linger on compromised systems without raising any red flags.
The Hidden Risk Campaign: How It Works
BlueNoroff’s latest attack begins with a well-crafted phishing email. The message appears to come from a cryptocurrency influencer and is designed to look legitimate. It contains a link that promises to take the recipient to a PDF about the latest developments in the cryptocurrency market, a subject of keen interest given how volatile that market is.
However, the link actually directs the victim to a domain controlled by the attackers, “delphidigital[.]org.” Researchers at SentinelLabs have confirmed that, depending on the timing, this URL may either serve a benign PDF about Bitcoin ETFs or, more dangerously, the first stage of the malicious application bundle.
One of the most concerning aspects of this attack is the payload disguised as an innocuous-sounding file: “Hidden Risk Behind New Surge of Bitcoin Price.app.” The file, once opened, installs the malware on the macOS system, allowing hackers to gain full control.
A Trojan Horse: The Malware’s Stealthy Features
The malware in question exploits a novel technique that allows it to remain hidden from macOS security measures. This persistence mechanism means that even when the system undergoes routine checks for malware, the threat remains undetected. This is especially troubling given that macOS users generally have a false sense of security, assuming their systems are safer due to Apple’s reputation for robust security features.
Unlike previous BlueNoroff malware, such as ObjCShellz, which opened remote shells on compromised Macs, the new malware is more discreet and harder to identify. It operates quietly in the background, leaving minimal traces that would trigger alerts on newer macOS versions.
From Phishing to Full Infection: The Chain of Events
Once the victim clicks on the malicious link in the phishing email, the infection chain unfolds. The malware typically starts by downloading the “Hidden Risk” application bundle, which contains the harmful payload.
According to the researchers, the malicious file often masquerades as a copy of an academic paper from the University of Texas, lending it a sense of credibility. The paper in question is related to the recent surge in Bitcoin prices, a hot topic in the crypto world. By playing on the victim’s interest in cryptocurrency, the attackers increase the chances of the file being opened.
After the malware is executed, it can perform a variety of malicious actions, including stealing sensitive data, monitoring the victim’s activity, and potentially gaining control of the infected system for further exploits.
Why Crypto Firms Are the Main Target
The reason BlueNoroff and other North Korean hacking groups focus on cryptocurrency companies is simple: they are lucrative targets. Crypto firms deal with large sums of money, and their employees often have access to critical, valuable information. Stealing funds or gaining unauthorized access to these companies’ systems can provide attackers with substantial rewards.
Furthermore, the cryptocurrency market is known for its secrecy and decentralized nature, which can make it harder for law enforcement to track stolen assets. By targeting crypto companies and their employees, BlueNoroff is able to capitalize on the growing demand for digital currencies while also exploiting weaknesses in security systems.
Protecting Against the Hidden Risk Malware
Given the increasing sophistication of cyberattacks, it is crucial for cryptocurrency companies and macOS users to be vigilant. Here are a few steps to protect against such threats:
- Avoid Unsolicited Emails: Always be cautious when receiving emails from unfamiliar sources, even if they appear to come from a trusted name in the industry.
- Check Links Carefully: Before clicking on any link, hover over it to verify its destination. If the URL seems suspicious, do not click.
- Keep Software Updated: Regular updates to macOS and antivirus software are essential in defending against the latest threats.
- Use a Virtual Private Network (VPN): A VPN can help encrypt your internet connection, making it harder for attackers to intercept your data.
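The “check links carefully” advice above can be turned into a small triage routine. The following Python script is an added example written for this article; it is not code from SentinelLabs or from the article’s author. It parses an HTML mail body, pulls out every link, and flags two things the Hidden Risk lure relies on: a destination that matches a known indicator domain (the article’s delphidigital[.]org, stored defanged), and a visible link text that names a different domain than the real href. It also checks whether a downloaded file is an application bundle dressed up as a document, using the bundle name the article reports. The sample mail body, the `lure.example.net` and `cryptonews.example` hosts, and the two-label `registered_domain` shortcut are constructed assumptions for the example.

```python
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Indicator from the article, stored defanged so it is never accidentally clicked.
INDICATOR_DOMAINS = {"delphidigital[.]org"}

# Lure bundle name reported in the article, plus suffixes that mark an
# application bundle rather than a document.
LURE_BUNDLE_NAME = "Hidden Risk Behind New Surge of Bitcoin Price.app"
BUNDLE_SUFFIXES = (".app", ".app.zip")


def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'x[.]org' back into 'x.org'."""
    return domain.replace("[.]", ".").lower()


def registered_domain(host: str) -> str:
    """Last two DNS labels. A deliberate simplification (assumption) that is
    good enough for the .org/.net sample hosts used below."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML mail body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def hostname_in_text(text: str) -> Optional[str]:
    """Return the first thing that looks like a hostname in the anchor text."""
    m = re.search(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", text.lower())
    return m.group(0) if m else None


def triage_links(html: str) -> List[Tuple[str, List[str]]]:
    """Return (href, reasons) for every link that deserves a second look."""
    parser = LinkExtractor()
    parser.feed(html)
    bad_domains = {registered_domain(refang(d)) for d in INDICATOR_DOMAINS}
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        reasons = []
        if registered_domain(host) in bad_domains:
            reasons.append("destination matches a known indicator domain")
        shown = hostname_in_text(text)
        if shown and registered_domain(shown) != registered_domain(host):
            reasons.append(f"visible text names {shown} but link goes to {host}")
        if reasons:
            findings.append((href, reasons))
    return findings


def is_suspicious_download(filename: str) -> bool:
    """True for an application bundle posing as a document, which is what the
    article says the 'PDF' link actually delivered."""
    return filename.lower().endswith(BUNDLE_SUFFIXES)


# Constructed sample mail body. The first link reuses the article's indicator
# domain (refanged only to build the fixture); the other hosts are invented.
SAMPLE_EMAIL_HTML = f"""
<p>Sharing the paper on the recent Bitcoin surge:</p>
<p><a href="https://{refang('delphidigital[.]org')}/hidden-risk.pdf">Read the PDF on delphidigital.org</a></p>
<p>Background: <a href="http://lure.example.net/brief.pdf">cryptonews.example market brief</a></p>
<p>Our site: <a href="https://www.example.org/">www.example.org</a></p>
"""

if __name__ == "__main__":
    for href, reasons in triage_links(SAMPLE_EMAIL_HTML):
        print(href)
        for reason in reasons:
            print("  -", reason)
    verdict = "suspicious" if is_suspicious_download(LURE_BUNDLE_NAME) else "ok"
    print(LURE_BUNDLE_NAME, "->", verdict)
```

Run against the sample, the first link is flagged for the indicator domain, the second for the mismatch between the text and the real destination, and the third (text and href agree) passes. The bundle-name check is the one worth wiring into a download or mail-gateway hook: a file that was promised as a PDF but arrives as a `.app` is the whole trick the article describes.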

Rose Cole is a talented junior news writer at Crypto Quill, specializing in covering the latest updates on cryptocurrency and Bitcoin. With a passion for staying abreast of developments in the digital finance space, Rose’s articles provide readers with timely and informative news on the ever-evolving world of cryptocurrencies. Despite her junior status, Rose’s dedication to accurate reporting and commitment to delivering relevant content shine through in her work. Count on Rose to bring you the most current and essential news in the realm of cryptocurrency and Bitcoin, offering a fresh perspective to Crypto Quill’s readers.