macOS Users Beware: North Korean Hackers On the Prowl

In a recent revelation, Elastic Security Labs has uncovered a sophisticated cyber intrusion by North Korean hackers believed to be associated with the Lazarus group.

This incident, tracked as REF7001, involved the use of a new macOS malware named Kandykorn, which has been specifically designed to target blockchain engineers involved in cryptocurrency exchange platforms.

North Korean Hackers Target Crypto Engineers with Discord-Distributed Malware

Elastic Security Labs has exposed a sophisticated cyber intrusion by North Korean hackers believed to be associated with the notorious Lazarus Group. This incident, which targeted blockchain engineers involved in cryptocurrency exchange platforms, utilized a deceptive Python program masquerading as a cryptocurrency arbitrage bot.

What sets this attack apart is its distribution method: the attackers distributed the malware through a private message on a public Discord server, which is atypical of macOS intrusion tactics.

“The victim believed they were installing an arbitrage bot, a software tool capable of profiting from cryptocurrency rate differences between platforms,” explained the researchers at Elastic Security Labs.

After installation, the Kandykorn malware initiates communication with a command-and-control (C2) server, utilizing encrypted RC4 and implementing a distinct handshake mechanism. Instead of actively polling for commands, it patiently awaits them. This sophisticated method enables hackers to retain control over the compromised systems discreetly.

Kandykorn Malware Tactics Reveal Ties to Lazarus Group

Elastic Security Labs has provided valuable insights into the capabilities of Kandykorn, showcasing its proficiency in performing file upload and download, process manipulation, and execution of arbitrary system commands. Of particular concern is its utilization of reflective binary loading, a fileless execution technique associated with the notorious Lazarus Group. The Lazarus Group is renowned for its involvement in cryptocurrency theft and evasion of international sanctions.

Furthermore, there is compelling evidence linking this attack to the Lazarus Group in North Korea. The similarity in techniques, network infrastructure, certificates used to sign malicious software, and custom methods for detecting Lazarus Group activities all point towards their involvement.

Additionally, on-chain transactions have revealed connections between security breaches at Atomic Wallet, Alphapo, CoinsPaid,, and CoinEx. These connections further prove the Lazarus Group’s participation in these exploits.

In a separate recent incident, the Lazarus Group attempted to compromise Apple computers running macOS by deceiving users into downloading a crypto trading app from GitHub. Once the unsuspecting users installed the software and granted it administrative access, the attackers gained a backdoor entry into the operating system, allowing for remote access.

By delving into these details, Elastic Security Labs has shed light on the sophisticated tactics employed by the Lazarus Group, emphasizing the importance of robust cybersecurity measures to safeguard against such threats.


Binance Free $100 (Exclusive): Use this link to register and receive $100 free and 10% off fees on Binance Futures first month (terms).

PrimeXBT Special Offer: Use this link to register & enter CRYPTOPOTATO50 code to receive up to $7,000 on your deposits.

Leave a Comment

Your email address will not be published. Required fields are marked *

Please enter Coingecko Free Api Key to get this plugin works
Scroll to Top