North Korean hacking group BlueNoroff, part of the Lazarus APT, is targeting macOS users in the cryptocurrency and DeFi sectors with a new malware campaign dubbed “Hidden Risk.” Using phishing emails with fake crypto news, the attackers trick victims into opening a malicious macOS application disguised as a PDF link on topics like Bitcoin and stablecoins. The malware, notarized using a revoked Apple Developer ID, maintains persistence through the ‘zshenv’ file, bypasses macOS security via Info.plist exceptions, and downloads a decoy PDF to evade suspicion. A second-stage backdoor collects system data and connects to a command-and-control server for further instructions, continuing North Korea’s focus on financially motivated cybercrime.
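Two of the techniques named above, persistence through a zshenv shell-startup file and a relaxed Info.plist, are things a defender can audit directly on a Mac. The script below is an added example written for this summary, not code from the original article, the researchers who reported the campaign, or the malware itself. It reads a shell-startup file and an app bundle's Info.plist and reports lines and keys that deserve a second look. The suspicious-line patterns are assumed heuristics chosen for illustration, and both sample inputs are constructed, not recovered artifacts; the Info.plist check looks at App Transport Security keys (`NSAllowsArbitraryLoads`, `NSExceptionAllowsInsecureHTTPLoads`), which is one common way an app declares exceptions to macOS network-security defaults.

```python
"""Defensive triage helpers for two Hidden Risk techniques: zshenv persistence
and Info.plist security exceptions. Added example; not the article's or the
campaign's code. Run on macOS to audit real files, or stand-alone on the
constructed samples below."""
import os
import plistlib
import re
from typing import Dict, List

# Assumed heuristics for suspicious content in a shell-startup file.
# Tune to your environment; a legitimate .zshenv rarely needs any of these.
SUSPICIOUS_PATTERNS = [
    (r"\bcurl\b|\bwget\b", "network download in shell startup"),
    (r"\bbase64\b", "base64 decoding"),
    (r"\bnohup\b|&\s*$", "backgrounded process"),
    (r"/(\.[^/\s]+)/", "execution from a hidden directory"),
    (r"\bosascript\b", "AppleScript execution"),
]

# Locations zsh sources for every shell, interactive or not (hence the appeal
# for persistence): the user's file and the system-wide one.
ZSHENV_PATHS = [os.path.expanduser("~/.zshenv"), "/etc/zshenv"]


def find_suspicious_zshenv_lines(text: str) -> List[Dict[str, object]]:
    """Return each non-comment line that matches an assumed heuristic, with a reason."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for pattern, reason in SUSPICIOUS_PATTERNS:
            if re.search(pattern, stripped):
                findings.append({"line": lineno, "text": stripped, "reason": reason})
                break  # report the first matching reason per line
    return findings


def ats_exceptions(plist_bytes: bytes) -> List[str]:
    """List App Transport Security relaxations declared in an Info.plist."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    issues: List[str] = []
    if ats.get("NSAllowsArbitraryLoads"):
        issues.append("NSAllowsArbitraryLoads=true (plaintext HTTP to any host)")
    for domain, cfg in ats.get("NSExceptionDomains", {}).items():
        if cfg.get("NSExceptionAllowsInsecureHTTPLoads"):
            issues.append(f"insecure HTTP allowed for {domain}")
    return issues


def audit_zshenv_files(paths: List[str] = ZSHENV_PATHS) -> Dict[str, List[Dict[str, object]]]:
    """Audit every zshenv file that exists on this host; missing files are skipped."""
    report: Dict[str, List[Dict[str, object]]] = {}
    for path in paths:
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                report[path] = find_suspicious_zshenv_lines(fh.read())
    return report


# Constructed sample .zshenv: three benign lines and one that launches a hidden
# helper in the background. Not a real Hidden Risk artifact.
ZSHENV_SAMPLE = """# constructed sample, not a real artifact
export PATH="/opt/homebrew/bin:$PATH"
export EDITOR=vim
nohup "$HOME/.config/.helper" >/dev/null 2>&1 &
"""

# Constructed sample Info.plist with two ATS relaxations. Bundle id is a placeholder.
INFO_PLIST_SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.constructed-sample</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>example.invalid</key>
      <dict><key>NSExceptionAllowsInsecureHTTPLoads</key><true/></dict>
    </dict>
  </dict>
</dict>
</plist>
"""

if __name__ == "__main__":
    for hit in find_suspicious_zshenv_lines(ZSHENV_SAMPLE):
        print(f"sample .zshenv line {hit['line']}: {hit['reason']}: {hit['text']}")
    for issue in ats_exceptions(INFO_PLIST_SAMPLE):
        print(f"sample Info.plist: {issue}")
    for path, hits in audit_zshenv_files().items():
        print(f"{path}: {len(hits)} suspicious line(s)")
```

To check an installed app, pass the bytes of `SomeApp.app/Contents/Info.plist` to `ats_exceptions`; a match is a prompt for closer review, not proof of malice, since some legitimate apps declare the same exceptions.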