State-sponsored threat actors from the Democratic People’s Republic of Korea (DPRK) have been targeting blockchain engineers of a crypto exchange platform via Discord [2]. This includes the Lazarus Group and a North Korean threat group known as Kimsuky or APT43.


The Lazarus Group [2], specifically, has been using a macOS malware called KANDYKORN to deceive victims into downloading and executing a ZIP archive that contains malicious code. This attack involves multiple stages and ultimately delivers KANDYKORN [2], an advanced implant with various capabilities for monitoring [2], interacting with [2], and evading detection [2].

In addition, Kimsuky or APT43 has resurfaced with an updated variant of an Android spyware called FastViewer [2]. This spyware disguises itself as harmless security or e-commerce apps and secretly collects sensitive data on compromised devices [1]. It spreads through phishing or smishing techniques and can download a second-stage malware called FastSpy for data collection and exfiltration [1]. The updated variant of FastViewer integrates the functionalities of FastSpy [1], eliminating the need for additional malware downloads [1] [2]. However, there have been no known cases of this variant spreading in the wild [1].


These state-sponsored threat actors pose a significant risk to blockchain engineers and crypto exchange platforms. It is crucial for organizations to be aware of the tactics used by the Lazarus Group and Kimsuky/APT43 and take appropriate measures to protect their systems and data. This includes implementing strong security measures, educating employees about phishing and smishing techniques, and regularly updating and patching software. Continued vigilance and collaboration among the cybersecurity community are essential to mitigate the impact of these threats and stay ahead of evolving attack techniques.