BlueNoroff [1] [2] [3] [4] [5] [6], a sub-group of the Lazarus Group [3] [4], a well-known cybercrime enterprise based in North Korea [4], has been attributed to a new variant of the RustBucket malware called ObjCShellz. This malware specifically targets macOS systems and is part of the RustBucket malware campaign. BlueNoroff disguises itself as an investor or company head hunter and creates domains that appear to belong to legitimate crypto companies [4].


ObjCShellz is a simple remote shell written in Objective-C that allows the attacker to gain remote control over compromised systems. It executes shell commands sent from the attacker’s server and establishes covert communication channels on compromised systems, enabling the attackers to send and receive data without detection [4]. It was found communicating with a previously classified malicious domain [4], raising concerns as a legitimate cryptocurrency exchange operates under a similar domain [2].

This malware is believed to be a late stage within a multi-stage malware campaign delivered through social engineering [2] [6]. The exact initial access vector for the attack is unknown [1] [6], but it is suspected that the malware is delivered as a post-exploitation payload [1] [5] [6]. BlueNoroff [1] [2] [3] [4] [5] [6], as a subordinate element of the Lazarus Group [1] [5] [6], targets banks [5] [6], venture capital firms [2], and the crypto sector to generate illicit profits [6]. The Lazarus Group has also been linked to the macOS malware KANDYKORN [6], which specifically targets blockchain engineers.


This disclosure highlights the evolving and reorganizing nature of North Korea-sponsored groups like Lazarus [5], as they continue to build bespoke malware for Linux and macOS [5]. Mac users should take precautions to protect themselves from this malware [4]. Security researchers have discovered this new variant of the RustBucket malware [4], which specifically targets Mac users [3]. It is believed to be the work of BlueNoroff [3] [4], a sub-group of the Lazarus Group [3] [4], a notorious state-sponsored cybercriminal organization based in North Korea [3]. The malware has been evolving [3], and researchers have identified potential targets [3].