North Korean APT groups [1] [3] [5] [6] [8] [9], including Lazarus and BlueNoroff [9], have recently intensified their targeting of macOS in their campaigns. This includes two major campaigns in 2023 called RustBucket and KandyKorn [7], which aim to attack cryptocurrency exchanges and financial institutions to raise funds for the Kim Jong Un regime [5] [9]. These campaigns have now adopted a mix-and-match approach, blending elements of software from both RustBucket and KandyKorn, in order to confuse victims and researchers and evade detection.


The attackers are employing a tactic of switching loaders and other code between the KandyKorn and RustBucket malware, making it difficult to identify their activities. Researchers have discovered different variations of the malware [9], including the KandyKorn remote access Trojan (RAT) and the RustBucket malware using a reverse shell called “ObjCShellz.” Additionally [9], the attackers are utilizing different loaders and payloads [9], such as the SwiftLoader and SecurePDF Viewer [9], to deploy the malware [9]. The reuse of shared infrastructure by North Korean threat actors has allowed researchers to uncover fresh indicators of compromise.

To assist potential victims in identifying if they have been compromised [9], cybersecurity company SentinelOne has provided a list of indicators of compromise (IoCs) [9]. Mac users are advised to exercise caution with file sources, avoid opening documents from untrustworthy sources [7], and keep their security patches up to date.

This trend of North Korean hacker groups borrowing tactics and tools from each other poses a challenge for defenders attempting to track and attribute their activities. It highlights the need for a deeper understanding of North Korean-linked threat actors and the discovery of new indicators [4].

Furthermore, the Lazarus Group [1] [3] [6], a North Korean hacking group [1] [3] [6], has been using a compromised PDF reader app called SwiftLoader to load the Rust-based malware [6]. The KandyKorn campaign specifically targets blockchain engineers through Discord and deploys a full-featured memory resident remote access trojan [1] [6]. Andariel [6], a subgroup within Lazarus [6], has been linked by the AhnLab Security Emergency Response Center to cyber attacks exploiting a security flaw in Apache ActiveMQ to install backdoors [6]. SentinelOne has also linked a third macOS-specific malware called ObjCShellz to the RustBucket campaign [1] [2] [3] [8], indicating a sophisticated approach by North Korean APTs in their use of macOS malware [8].


The increasing focus of North Korean APT groups on macOS poses a significant threat to cryptocurrency exchanges and financial institutions. It is crucial for Mac users to remain vigilant and follow recommended security practices to protect themselves. The ongoing borrowing of tactics and tools among North Korean hacker groups makes it challenging for defenders to track and attribute their activities. Continued research and understanding of these threat actors, as well as the discovery of new indicators, are essential for effective defense against their attacks.