A faction of the well-known Lazarus Group has shifted tactics, setting up deceptive websites that masquerade as skill assessment portals as part of a new social engineering approach. The sub-group, tracked by Microsoft as Sapphire Sleet, has thereby changed its long-standing methods.
Sapphire Sleet, also recognized as APT38, BlueNoroff, CageyChameleon, and CryptoCore, is notorious for orchestrating cryptocurrency theft using social engineering techniques. Recently, Jamf Threat Labs connected this threat actor to ObjCShellz, a novel macOS malware associated with RustBucket, serving as a late-stage payload.
According to Microsoft's Threat Intelligence team, Sapphire Sleet approaches targets through platforms such as LinkedIn, using skill assessment-related lures before moving the conversation to other channels. The group previously relied on malicious attachments or on links embedded in legitimate sites such as GitHub, but because those were detected quickly, it has now set up its own network of websites for malware distribution.
These websites are designed to appeal to recruiters, who are prompted to register for an account. Because the sites are password-protected, analysis is hindered, which makes them a covert vehicle for the group's malicious activity.