"The usage of this domain greatly aligns with the activity we've seen from BlueNorOff in what Jamf Threat Labs tracks as the Rustbucket campaign," the security researchers said."In this campaign, the actor reaches out to a target claiming to be interested in partnering with or offering them something beneficial under the guise of an investor or head hunter. BlueNorOff often creates a domain that looks like it belongs to a legitimate crypto company in order to blend in with network activity."