BlueNoroff hackers intend to launch new crypto-theft attacks, according to Microsoft.

Microsoft has issued a warning that BlueNoroff, a North Korean hacking group, is establishing new attack infrastructure for impending social engineering campaigns on LinkedIn. [...]

Nov 10, 2023 - 21:00

Microsoft has issued a warning regarding BlueNoroff, a North Korean hacking group known for its social engineering attacks and cryptocurrency thefts, particularly targeting employees in the cryptocurrency sector. The group, which Microsoft tracks as Sapphire Sleet, is reportedly setting up new websites disguised as skill assessment portals, to be promoted through LinkedIn, for its upcoming campaigns.

The modus operandi of BlueNoroff involves making initial contact on LinkedIn and then shifting communications to other platforms, where they deploy malware through malicious documents sent via private messages. These new websites, designed to look like legitimate skill assessment portals, are part of a tactical shift by the group. They are password-protected to hinder analysis and are used to prompt recruiters to register accounts.

BlueNoroff's shift to creating its own websites for hosting malicious payloads is believed to be a response to how quickly those payloads were detected and removed from legitimate online services, such as GitHub.

Jamf Threat Labs recently connected BlueNoroff to the ObjCShellz macOS malware, which compromises Mac systems by opening remote shells. Kaspersky has previously associated this group with attacks on cryptocurrency startups and financial institutions across the globe, including in countries like the U.S., Russia, China, and the U.K.

The group was also linked by the FBI to the largest crypto hack in history, involving the breach of Axie Infinity's Ronin network bridge, where they stole Ethereum and USDC tokens worth over $617 million. A United Nations report estimated that North Korean state hackers, including BlueNoroff, had stolen approximately $2 billion from banks and cryptocurrency exchanges in various countries.

In 2019, the U.S. Treasury sanctioned BlueNoroff, along with two other North Korean hacking groups, Lazarus Group and Andariel, for funneling stolen financial assets to the North Korean government.