N. Korean Hackers ‘Mixing’ macOS Malware Tactics to Evade Detection

Nov 28, 2023NewsroomMalware / Cyber Espionage

macOS Malware

The North Korean threat actors behind macOS malware strains such as RustBucket and KANDYKORN have been observed “mixing and matching” different elements of the two disparate attack chains, leveraging RustBucket droppers to deliver KANDYKORN.

The findings come from cybersecurity firm SentinelOne, which also tied a third macOS-specific malware called ObjCShellz to the RustBucket campaign.

RustBucket refers to an activity cluster linked to the Lazarus Group in which a backdoored version of a PDF reader app, dubbed SwiftLoader, is used as a conduit to load a next-stage malware written in Rust upon viewing a specially crafted lure document.


The KANDYKORN campaign, on the other hand, refers to a malicious cyber operation in which blockchain engineers of an unnamed crypto exchange platform were targeted via Discord to initiate a sophisticated multi-stage attack sequence that led to the deployment of the eponymous full-featured memory resident remote access trojan.

The third piece of the attack puzzle is ObjCShellz, which Jamf Threat Labs revealed earlier this month as a later-stage payload that acts as a remote shell that executes shell commands sent from the attacker server.

macOS Malware

Further analysis of these campaigns by SentinelOne has now shown that the Lazarus Group is utilizing SwiftLoader to distribute KANDYKORN, corroborating a recent report from Google-owned Mandiant about how different hacker groups from North Korea are increasingly borrowing each other’s tactics and tools.

“The DPRK’s cyber landscape has evolved to a streamlined organization with shared tooling and targeting efforts,” Mandiant noted. “This flexible approach to tasking makes it difficult for defenders to track, attribute, and thwart malicious activities, while enabling this now collaborative adversary to move stealthily with greater speed and adaptability.”


This includes the use of new variants of the SwiftLoader stager that purports to be an executable named EdoneViewer but, in reality, contacts an actor-controlled domain to likely retrieve the KANDYKORN RAT based on overlaps in infrastructure and the tactics employed.

The disclosure comes as the AhnLab Security Emergency Response Center (ASEC) implicated Andariel – a subgroup within Lazarus – to cyber attacks exploiting a security flaw in Apache ActiveMQ (CVE-2023-46604, CVSS score: 10.0) to install NukeSped and TigerRAT backdoors.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.