Cointime


North Korea-Linked Lazarus Group Poses As VC Firms to Spread Malware

BlueNoroff—the name given by security researchers to a group linked with North Korean state-sponsored hacking collective Lazarus Group—has expanded its criminal activities to include posing as venture capitalists looking to invest in crypto startups.

“BlueNoroff created numerous fake domains impersonating venture capital companies and banks,” Kaspersky says.

In its report, Kaspersky says it detected global attacks by BlueNoroff targeting cryptocurrency startups in January 2022, followed by a lull in activity until the fall.

According to Kaspersky, BlueNoroff is using malware to attack organizations that deal with smart contracts, DeFi, blockchain, and the FinTech industry. Kaspersky says BlueNoroff is also using software to bypass Mark-of-the-Web (MOTW), the Windows feature that displays a warning when a user tries to open a file downloaded from the Internet.
