• First known sample

  • Discovery

  • Current status

  • Type

  • Targeted platforms

  • TOP targeted countries

    Australia , India , Mexico , Norway , Peru , Poland , Russia
  • Connected attacks


More about the Bluenoroff group, its tactics, techniques, procedures and tools

Learn more
  • The way of propagation

    Watering hole attacks
  • Purpose/Functions

    Stealing money
  • Special features

    Bluenoroff, being a subgroup of Lazarus, is focusing on financial attacks only. This subgroup has reverse engineering skills because they spend time tearing apart legitimate software, and implementing patches for SWIFT Alliance software, in attempts to find ways to steal big money. Their malware is different and they aren’t exactly soldiers that hit and run. Instead, they prefer to make an execution trace to reconstruct and quickly debug the problem. They are field engineers that come when the ground is already cleared after conquering new lands.

  • Targets

    Financial institutions
  • Artefacts/Attribution

    One short connection was made from a very unusual IP range, which originates in North Korea.

  • Description

    A financially motivated threat actor closely connected with Lazarus that targets banks, casinos, fin-tech companies, POST software and cryptocurrency businesses, and ATMs. This actor was linked to major financial attacks, including the Bangladesh Central Bank heist.

    Additional information