Threat Actor Profile

BlueNoroff

Aliases
  • Sapphire Sleet
  • APT38
  • Alluring Pisces
  • Stardust Chollima
  • TA444
Origin
North Korea
Active Since
2014
Motivation
Financial theft, Cryptocurrency theft, Access to fintech and blockchain-related environments
Cause
Nation State
Recent Activity

BlueNoroff continues targeting Web3 and cryptocurrency organizations through campaigns such as GhostCall and GhostHire, using fake Zoom calls, Telegram job lures, macOS malware chains, fake Microsoft Teams clients, and social-engineering-heavy delivery methods. Recent reporting also describes BlueNoroff supply-chain activity involving malicious Go packages and Microsoft Teams impersonation for malware delivery.

Primary Targets
  • Financial institutions
  • Cryptocurrency exchanges
  • Executives
  • Web3 developers
  • Blockchain professionals
Target Locations
  • Africa
  • Argentina
  • Asia
  • Canada
  • Chile
  • Costa Rica
  • Mexico
  • United States
Target Sectors
  • Finance
  • Cryptocurrency/Web3
  • Technology
  • Healthcare
  • Education
  • Government
Vulnerabilities

CVE-2021-40449

CVE-2022-0609
