Threat Actor Profile

Stardust Chollima

Stardust Chollima, also tracked as BlueNoroff and APT38, is a state-sponsored threat actor attributed to North Korea. Its activity centers on large-scale financial theft: intrusions against banks and cryptocurrency businesses, macOS malware campaigns, and targeted phishing. The group is assessed to be a significant source of revenue for the DPRK regime, generated through cyber operations against the financial and cryptocurrency sectors.

Country of Origin

Stardust Chollima is widely attributed to North Korea. It is generally treated as a financially focused subgroup of the Lazarus Group umbrella, which public reporting links to Bureau 121 of the Reconnaissance General Bureau (RGB), the DPRK's primary intelligence agency.

Members

The membership and size of Stardust Chollima remain opaque due to the covert nature of the group's operations. Some reports suggest overlap with Lazarus Group personnel, indicating shared resources and expertise. While aliases and clusters have been identified, specific individuals rarely surface in public reporting.

Leadership

The exact leadership structure of Stardust Chollima is unknown. Names that appear alongside it in vendor reporting, such as Sapphire Sleet (formerly Copernicium) and TEMP.Hermit, are designations for overlapping activity clusters rather than leaders: Sapphire Sleet is Microsoft's name for BlueNoroff activity, while TEMP.Hermit is Mandiant's label for broader Lazarus-associated operations. The group's operations align with wider North Korean cyber objectives and show the organizational backing expected of a state-aligned unit.

Stardust Chollima TTPs

Tactics

The group's primary goal is revenue generation through high-value cyber theft. Targets range from banks and cryptocurrency exchanges to Web3 companies, and in the banking intrusions the group abused institutions' SWIFT messaging systems to issue fraudulent transfers.

Techniques

Stardust Chollima relies on targeted phishing, custom macOS malware, and sustained social engineering. Lures include fake job offers and investment pitches, malicious "PDF viewer" or installer updates, and abuse of trusted messaging platforms (e.g., Telegram) to deliver payloads and harvest credentials.

Procedures

  • macOS Malware: Campaigns deploying the RustBucket, ObjCShellz, and SpectralBlur malware families.

  • Phishing Attacks: Use of malicious domains impersonating financial institutions, with ISO/VHD disk images as the delivery container for initial malware execution.

  • Credential Harvesting: Targeting Web3 professionals via social engineering and credential theft through legitimate communication channels.

Notable Cyberattacks

  • RustBucket Campaign targeting macOS users in finance and cryptocurrency sectors.

  • Deployment of the SpectralBlur Backdoor in late 2023.

  • The Hidden Risk Campaign, in which phishing emails delivered a macOS application disguised as a PDF document to compromise cryptocurrency and Web3 businesses.

  • Use of NimDoor RAT through fake Zoom SDK updates, highlighting their focus on macOS and cryptocurrency-based schemes.

How to Defend Against Stardust Chollima

1. Advanced Endpoint Detection: Ensure endpoint monitoring covers macOS, not only Windows, so that families such as RustBucket, ObjCShellz, SpectralBlur, and NimDoor are detected rather than overlooked.

2. Phishing and Email Filtering: Block or quarantine disk-image attachments (.ISO, .VHD) and application bundles disguised as PDF documents or PDF viewers.

3. Credential Management: Enforce MFA, alert on anomalous login behavior, and treat messaging platforms (e.g., Telegram) as untrusted channels for files and links, even when the contact appears to be a known peer.

4. Domain and C2 Monitoring: Keep threat intelligence feeds current and alert on newly registered or lookalike domains impersonating financial institutions, alongside known command-and-control indicators.
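The two filtering controls above (disk-image attachments and disguised PDFs in point 2, lookalike or newly registered sender domains in point 4) can be prototyped as a mail-gateway triage rule. The script below is an added example written for this page; it is not Huntress tooling and not code from any vendor report. The protected domains (examplebank.com, examplefinance.com), the 30-day "newly registered" window, and the sample mail records are all constructed assumptions. It also goes one step beyond the list by catching the right-to-left override trick, a classic way to hide a real extension behind a ".pdf" suffix.

```python
"""Triage constructed mail-gateway records for the delivery patterns listed
above: disk-image containers (.iso/.vhd), executables dressed up as PDFs,
and sender domains that impersonate, or were just registered to mimic, a bank.
Example code added to this page; not Huntress tooling."""
import os
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Assumed allowlist for the example; these are not real institutions.
LEGIT_DOMAINS = {"examplebank.com", "examplefinance.com"}
CONTAINER_EXTS = {".iso", ".vhd", ".vhdx", ".img", ".dmg"}
EXEC_EXTS = {".app", ".exe", ".scr", ".js", ".sh", ".pkg", ".command"}
NEW_DOMAIN_DAYS = 30       # registered within this window counts as "new"
RLO = "\u202e"             # right-to-left override, hides a real extension


@dataclass
class MailRecord:
    sender_domain: str
    registered: Optional[date]   # WHOIS creation date, None if unknown
    attachments: List[str]


def attachment_findings(name: str) -> List[str]:
    """Reasons a single attachment name looks like an initial-access lure."""
    findings = []
    root, ext = os.path.splitext(name.lower().strip())
    if ext in CONTAINER_EXTS:
        findings.append(f"container format {ext}")
    if ext in EXEC_EXTS and ".pdf" in root:
        # e.g. "statement.pdf.app": an app bundle shown with a PDF-like name
        findings.append(f"executable {ext} disguised as PDF")
    if RLO in name:
        findings.append("right-to-left override in filename")
    return findings


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_findings(domain: str, today: date, registered: Optional[date]) -> List[str]:
    """Flag lookalikes of protected domains and very recently registered senders."""
    d = domain.lower()
    if d in LEGIT_DOMAINS or any(d.endswith("." + legit) for legit in LEGIT_DOMAINS):
        return []                       # the real domain or one of its subdomains
    findings = []
    label = d.split(".")[0]             # leftmost label, e.g. "examp1ebank"
    for legit in sorted(LEGIT_DOMAINS):
        legit_label = legit.split(".")[0]
        if legit_label in label or edit_distance(label, legit_label) <= 2:
            findings.append(f"lookalike of {legit}")
            break
    if registered is not None and (today - registered).days <= NEW_DOMAIN_DAYS:
        findings.append(f"domain registered within the last {NEW_DOMAIN_DAYS} days")
    return findings


def triage(record: MailRecord, today: date) -> List[str]:
    """Combine sender-domain and attachment checks into one list of findings."""
    findings = domain_findings(record.sender_domain, today, record.registered)
    for name in record.attachments:
        findings.extend(f"{name}: {f}" for f in attachment_findings(name))
    return findings


# Constructed sample records; the date is fixed so the output is deterministic.
TODAY = date(2024, 11, 20)
SAMPLES = [
    MailRecord("examplebank.com", date(2001, 3, 1), ["Q3-statement.pdf"]),
    MailRecord("examp1ebank.com", date(2024, 11, 12), ["Account-Notice.iso"]),
    MailRecord("examplebank-secure.net", None, ["Market-Outlook.pdf.app"]),
    MailRecord("newsletter.example.org", date(2015, 6, 9), ["brief.pdf"]),
]

if __name__ == "__main__":
    for rec in SAMPLES:
        verdict = triage(rec, TODAY)
        print(rec.sender_domain, "->", verdict or "clean")
```

In production the registration date would come from a WHOIS or domain-intelligence feed rather than a hard-coded field, and the findings would feed a quarantine or SOC alert rather than a print statement; the detection logic itself is what transfers.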
