lazarusholic

Inside the BlueNoroff Web3 macOS Intrusion Analysis

2025-06-18, Huntress
https://www.huntress.com/blog/inside-bluenoroff-web3-intrusion-analysis
#BlueNoroff #macOS

On June 11, 2025, Huntress was contacted by a partner reporting that an end user had potentially downloaded a malicious Zoom extension. The depth of the intrusion became apparent immediately after the Huntress EDR agent was installed, and analysis showed that the lure used to gain access had been delivered to the victim several weeks earlier.
This post aims to provide a detailed analysis from beginning to end of the intrusion, including a full breakdown of several new pieces of malware used by the threat actors.
We attribute this intrusion with high confidence to the North Korean (DPRK) APT subgroup tracked as TA444, aka BlueNoroff, Sapphire Sleet, COPERNICIUM, STARDUST CHOLLIMA, or CageyChameleon, a state-sponsored threat actor known for targeting cryptocurrency since at least 2017.
An employee at a cryptocurrency foundation received a message from an external contact on their Telegram. The message requested time to speak to …

IoC

https://support.us05web-zoom.biz/troubleshoot-issue-727318
https://support.us05web-zoom.biz
http://firstfromsep.online
http://safefor.xyz
http://firstfromsep.online/client
https://metamask.awaitingfor.site/update
http://productnews.online
https://support.us05web-zoom.biz/842799/check
http://readysafe.xyz
https://safeupload.online
3dd226d0b700f33974f409142defb62a8cd172ae5f2eb9beb7f5750eb1702e2a
4cd5df82e1d4f93361e71624730fbd1dd2f8ccaec7fc7cbdfa87497fb5cb438c
2e30c9e3f0324011eb983eef31d82a1ca2d47bbd13a6d32d9e11cb89392af23d
432c720a9ada40785d77cd7e5798de8d43793f6da31c5e7b3b22ee0a451bb249
1ddef717bf82e61bf79b24570ab68bf899f420a62ebd4715c2ae0c036da5ce05
14e9bb6df4906691fc7754cf7906c3470a54475c663bd2514446afad41fa1527
c4db903322d17c8cbf1d1db55124854c0b070d6ece54162b6a4d06df24c572df
080a52b99d997e1ac60bd096a626b4d7c9253f0c7b7c4fc8523c9d47a71122af
ad01beb19f5b8c7155ee5415781761d4c7d85a31bb90b618c3f5d9f737f2d320
ad21af758af28b7675c55e64bf5a9b3318f286e4963ff72470a311c2e18f42ff
469fd8a280e89a6edd0d704d0be4c7e0e0d8d753e314e9ce205d7006b573865f
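A hunting script for the IoCs above, added here as an example and not part of the Huntress report or this page's original content. It folds the published digests to a consistent case (two were published in uppercase) and validates them, derives hostnames from the IoC URLs so a match does not depend on scheme or path, hashes files by streaming, and matches hostnames in log lines label by label so a subdomain of a listed domain still fires. The sample log lines are constructed for the demonstration and are not from the incident.

```python
import hashlib
import re
import sys
from urllib.parse import urlparse

# Network indicators copied from the IoC list above.
IOC_URLS = [
    "https://support.us05web-zoom.biz/troubleshoot-issue-727318",
    "https://support.us05web-zoom.biz",
    "http://firstfromsep.online",
    "http://safefor.xyz",
    "http://firstfromsep.online/client",
    "https://metamask.awaitingfor.site/update",
    "http://productnews.online",
    "https://support.us05web-zoom.biz/842799/check",
    "http://readysafe.xyz",
    "https://safeupload.online",
]

# SHA-256 digests copied from the IoC list above, case as published.
IOC_SHA256 = [
    "3DD226D0B700F33974F409142DEFB62A8CD172AE5F2EB9BEB7F5750EB1702E2A",
    "4cd5df82e1d4f93361e71624730fbd1dd2f8ccaec7fc7cbdfa87497fb5cb438c",
    "2e30c9e3f0324011eb983eef31d82a1ca2d47bbd13a6d32d9e11cb89392af23d",
    "432c720a9ada40785d77cd7e5798de8d43793f6da31c5e7b3b22ee0a451bb249",
    "1ddef717bf82e61bf79b24570ab68bf899f420a62ebd4715c2ae0c036da5ce05",
    "14e9bb6df4906691fc7754cf7906c3470a54475c663bd2514446afad41fa1527",
    "C4DB903322D17C8CBF1D1DB55124854C0B070D6ECE54162B6A4D06DF24C572DF",
    "080a52b99d997e1ac60bd096a626b4d7c9253f0c7b7c4fc8523c9d47a71122af",
    "ad01beb19f5b8c7155ee5415781761d4c7d85a31bb90b618c3f5d9f737f2d320",
    "ad21af758af28b7675c55e64bf5a9b3318f286e4963ff72470a311c2e18f42ff",
    "469fd8a280e89a6edd0d704d0be4c7e0e0d8d753e314e9ce205d7006b573865f",
]

# Constructed sample log lines (not from the Huntress report) to exercise the matcher.
SAMPLE_LOG = [
    "2025-06-11T14:02:07Z dns A support.us05web-zoom.biz client=10.1.4.22",
    "2025-06-11T14:02:09Z proxy GET http://cdn.firstfromsep.online/client 200",
    "2025-06-11T14:03:00Z dns A zoom.us client=10.1.4.22",
]

# Hostname-looking tokens: dotted labels ending in an alphabetic TLD (skips IPv4).
HOST_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")

def ioc_domains(urls):
    """Hostnames of the IoC URLs, so matching ignores scheme, path and query."""
    return {urlparse(u).hostname.lower() for u in urls}

def normalize_hashes(hashes):
    """Lowercase the digests and reject anything that is not 64 hex characters."""
    out = set()
    for h in hashes:
        h = h.strip().lower()
        if not re.fullmatch(r"[0-9a-f]{64}", h):
            raise ValueError(f"not a SHA-256 hex digest: {h!r}")
        out.add(h)
    return out

def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()

def sha256_file(path, chunk=1 << 20):
    """Stream the file so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def scan_files(paths, known):
    """(path, digest) for every file whose SHA-256 is in the normalized IoC set."""
    return [(str(p), d) for p in paths if (d := sha256_file(p)) in known]

def match_log_line(line, domains):
    """IoC domains referenced by one log line.

    Each hostname found is walked label by label (cdn.x.tld -> x.tld), so hosts
    under a listed domain that the report did not name still match; the bare
    TLD is never tried.
    """
    hits = set()
    for host in HOST_RE.findall(line.lower()):
        labels = host.split(".")
        for i in range(len(labels) - 1):
            candidate = ".".join(labels[i:])
            if candidate in domains:
                hits.add(candidate)
    return hits

def hunt_log(lines, domains):
    """Map each matching line to the sorted IoC domains it references."""
    return {ln: sorted(h) for ln in lines if (h := match_log_line(ln, domains))}

if __name__ == "__main__":
    domains = ioc_domains(IOC_URLS)
    for line, hits in hunt_log(SAMPLE_LOG, domains).items():
        print("NETWORK HIT", hits, line)
    for path, digest in scan_files(sys.argv[1:], normalize_hashes(IOC_SHA256)):
        print("FILE HIT", digest, path)
```

Run it with file paths as arguments to hash them against the list, e.g. `python3 hunt.py ~/Downloads/*`. The domain walk only generalizes downward: `support.us05web-zoom.biz` is the listed host, so a sighting of the bare `us05web-zoom.biz` will not match unless you add that registrable domain to the set yourself.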