Report
Severity: High
2023-11-01
Elastic Security Labs exposes KANDYKORN macOS intrusion at crypto exchange
published by Elastic Security Labs
Actor
DPRK state-sponsored intrusion set treated by most vendors as the financial-operations subgroup of Lazarus, attributed to the Reconnaissance General Bureau. Responsible for the major SWIFT-network ba…
Summary
Elastic Security Labs published 'Elastic catches DPRK passing out KANDYKORN,' describing a Lazarus-cluster intrusion (tracked as REF7001) against blockchain engineers at a cryptocurrency exchange. Operators impersonated community members on Discord and delivered a Python 'arbitrage bot' that staged the SUGARLOADER and HLOADER components and ultimately deployed the KANDYKORN backdoor for remote command execution and file operations.
Tags
macos, kandykorn, cryptocurrency, discord
Primary source
elastic.co
Other BlueNoroff events
- 2023-04-21 Jamf Threat Labs discloses RustBucket macOS malware tied to BlueNoroff
- 2022-04-18 CISA/FBI/Treasury joint advisory AA22-108A on TraderTraitor
- 2022-01-13 Kaspersky exposes SnatchCrypto campaign draining cryptocurrency startups
- 2017-04-03 Securelist 'Lazarus Under the Hood' details Bangladesh Bank SWIFT heist