
N. Korean Hackers ‘Mixing’ macOS Malware Ways to Evade Detection

Nov 28, 2023NewsroomMalware / Cyber Espionage


The North Korean threat actors behind macOS malware strains such as RustBucket and KANDYKORN have been observed "mixing and matching" different elements of the two disparate attack chains, leveraging RustBucket droppers to deliver KANDYKORN.

The findings come from cybersecurity firm SentinelOne, which also tied a third macOS-specific malware referred to as ObjCShellz to the RustBucket campaign.

RustBucket refers to an activity cluster linked to the Lazarus Group in which a backdoored version of a PDF reader app, dubbed SwiftLoader, is used as a conduit to load a next-stage malware written in Rust upon viewing a specially crafted lure document.


The KANDYKORN campaign, on the other hand, refers to a malicious cyber operation in which blockchain engineers of an unnamed crypto exchange platform were targeted via Discord to initiate a sophisticated multi-stage attack sequence that led to the deployment of the eponymous full-featured memory-resident remote access trojan.

The third piece of the attack puzzle is ObjCShellz, which Jamf Threat Labs disclosed earlier this month as a later-stage payload that acts as a remote shell, executing shell commands sent from the attacker's server.


Further analysis of these campaigns by SentinelOne has now shown that the Lazarus Group is utilizing SwiftLoader to distribute KANDYKORN, corroborating a recent report from Google-owned Mandiant about how different hacker groups from North Korea are increasingly borrowing each other's tactics and tools.

"The DPRK's cyber landscape has evolved to a streamlined organization with shared tooling and targeting efforts," Mandiant noted. "This flexible approach to tasking makes it difficult for defenders to track, attribute, and thwart malicious activities, while enabling this now collaborative adversary to move stealthily with greater speed and adaptability."


This includes the use of new variants of the SwiftLoader stager that purport to be an executable named EdoneViewer but, in reality, contact an actor-controlled domain to likely retrieve the KANDYKORN RAT, based on overlaps in infrastructure and the tactics employed.

The disclosure comes as the AhnLab Security Emergency Response Center (ASEC) implicated Andariel – a subgroup within Lazarus – in cyber attacks exploiting a security flaw in Apache ActiveMQ (CVE-2023-46604, CVSS score: 10.0) to install the NukeSped and TigerRAT backdoors.
