BlueNoroff Group: The Financial Cybercrime Arm of Lazarus
| January 20, 2026
BlueNoroff, a sub-group of the Lazarus collective dedicated to financial theft, has established a notorious reputation for high-stakes cybercrime, most notably the 2016 Bangladesh Central Bank heist, where they compromised SWIFT infrastructure to steal $81 million. Following this, they launched watering hole attacks against Polish banks before pivoting in 2017 to target cryptocurrency businesses via the SnatchCrypto campaign. Their operations evolved in 2018 to include fake software companies distributing backdoored applications, while recent years saw a focus on macOS targets in the Web3 sector through the 2023 GhostCall and GhostHire campaigns involving fake job interviews. Activity persisted into 2025 with supply chain attacks using malicious Go packages and a tactical shift to Microsoft Teams impersonation for distributing malware.
The group employs a diverse set of tactics that begins with deep reconnaissance on platforms like LinkedIn to create credible personas for spearphishing …