As part of its social engineering campaigns, a sub-cluster of the notorious Lazarus Group has set up new infrastructure that mimics skills assessment portals.
Microsoft attributed the activity to a threat actor it tracks as Sapphire Sleet, characterizing it as a “shift in the persistent actor’s tactics.”
Sapphire Sleet, also known as APT38, BlueNoroff, CageyChameleon, and CryptoCore, has a history of using social engineering to plan cryptocurrency thefts.
The threat actor was linked by Jamf Threat Labs earlier this week to a new family of macOS malware known as ObjCShellz, which is thought to be a late-stage payload sent in conjunction with another macOS malware known as RustBucket.
“Sapphire Sleet typically finds targets on platforms like LinkedIn and uses lures related to skills assessment,” the Microsoft Threat Intelligence team said in a series of posts on X (formerly Twitter).
“The threat actor then moves successful communications with targets to other platforms.”
According to the tech giant, the hacking group has previously carried out campaigns that included embedding links to pages hosted on trustworthy websites like GitHub or sending malicious attachments directly.
The prompt discovery and removal of those payloads, however, may have compelled Sapphire Sleet to build out its own network of websites for malware distribution.
“Several malicious domains and subdomains host these websites, which entice recruiters to register for an account,” the company stated. “The websites are password-protected to impede analysis.”