A sub-cluster within the notorious Lazarus Group has built new infrastructure pretending to be skill assessment portals as part of its social engineering campaigns.
Microsoft attributed the activity to a threat actor it tracks as Sapphire Sleet, describing it as a “shift in tactics by the ongoing actor.”
Sapphire Sleet, also known as APT38, BlueNoroff, CageyChameleon, and CryptoCore, has a track record of orchestrating cryptocurrency theft through social engineering.
Earlier this week, Jamf Threat Labs linked the threat actor to a new macOS malware family called ObjCShellz that was assessed to be a late-stage payload delivered in connection with another macOS malware known as RustBucket.
“Sapphire Sleet typically finds targets on platforms such as LinkedIn and uses baits related to skill assessments,” the Microsoft Threat Intelligence team says in a series of posts on X (formerly Twitter).
“The threat actor then enables successful communication with targets on other platforms.”
The tech giant said that previous campaigns mounted by the hacking crew involved sending malicious attachments directly or embedding links to pages hosted on legitimate websites such as GitHub.
However, the rapid detection and removal of these payloads may have forced Sapphire Sleet to create its own network of websites for distributing the malware.
“Many malicious domains and subdomains host these websites, which entice recruiters to register for an account,” the company added. “Websites are password protected to prevent analysis.”