Security experts at cybersecurity company Volexity have identified a new campaign distributing fake cryptocurrency apps under the name "BloxHolder" to install AppleJeus malware and gain access to networks, and linked this campaign to the North Korean hacking group named Lazarus. In February 2021, the FBI and CISA reported that AppleJeus has been in circulation since at least 2018, and has been used in cryptocurrency thefts and digital asset thefts by Lazarus. It is believed that Lazarus began a new campaign in June 2022 and was active until at least October 2022. In the attack, it was found that the threat actors used the domain "bloxholder[.]com," which resembles HaasOnline, an automatic cryptocurrency trading platform. As part of the distribution of the QTBitcoinTrader application, the website shared a 12.7MB MSI installer that pretended to be the BloxHolder software but was actually the AppleJeus malware. In October 2022, the hacking group evolved its campaign to distribute the malware using Microsoft Office documents instead of the MSI installer. The 214KB document was called 'OKX Binance & Huobi VIP fee comparison.xls' and contained a macro that created three files on the target's computer. Although Volexity researchers were unable to retrieve the final payload from the infection chain, they were able to see similarities in the DLL sideloading mechanism found in earlier MSI installer attacks, so, they are confident that this is the same attack carried out by the hackers. By using the MSI infection chain, AppleJeus creates a scheduled task and drops additional files in the "%APPDATA%/Roaming/Bloxholder" folder. In order to determine if the malware is running in a virtual machine or sandbox, the malware will send the MAC address, computer name, and operating system version via a POST request to the C2. Specifically, the "CameraSettingsUIHost[.]exe" loads the "dui70[.]dll" file, which is a "Windows DirectUI Engine", from the "System32" directory which then loads the malicious "DUser[.]dll" file from the application's directory into the "CameraSettingsUIHost[.]exe" process. The strings and API calls of AppleJeus samples have been obfuscated using a custom algorithm, which makes them stealthier. Additionally, Volexity says the reason hackers opted for chained DLL sideloading is unclear but it could be to prevent malware analysis. Although Lazarus has focused on cryptocurrency assets, the North Korean hackers remain focused on their goal of stealing digital money, constantly updating themes and improving tools to remain stealthy. The group gained recognition for hacking Sony Films in Operation Blockbuster and encrypting businesses worldwide with WannaCry in 2017.