top of page

macOS Malware 'KandyKorn' Targeting Cryptocurrency Engineers Linked to North Korean Lazarus Group

A new macOS malware strain, named 'KandyKorn,' has emerged in a campaign attributed to the North Korean hacking group Lazarus, with a focus on targeting blockchain engineers of a cryptocurrency exchange platform. The attackers employ social engineering tactics on Discord channels to distribute malicious Python-based modules, setting off a multi-stage KandyKorn infection process.

Security firm Elastic Security identified and attributed the attacks to Lazarus based on similarities with previous campaigns, including techniques used, network infrastructure, code-signing certificates, and custom Lazarus detection rules.

The attack begins on Discord, where victims are lured into downloading a malicious ZIP archive disguised as a legitimate arbitrage bot for cryptocurrency transactions. The contained Python script launches a series of payloads, eventually delivering the final KandyKorn malware.

KandyKorn is a sophisticated backdoor designed for data theft, file manipulation, process termination, and command execution. It operates stealthily in the background, minimizing its trace on the infected system.

This discovery highlights Lazarus's ability to craft advanced and inconspicuous macOS malware, emphasizing the group's expanding threat landscape beyond Windows environments. The cryptocurrency sector remains a prime target for Lazarus, driven by financial gain rather than espionage.“The actions displayed by Lazarus Group show that the actor has no intent to slow down in their targeting of companies and individuals holding onto crypto-currency. They also continue to show that there is no shortage of new malware in their back pocket as well as familiarity with advanced attacker techniques," said Jaron Bradley, Director of Jamf Threat Labs at Jamf."We continue to see them reach out directly to victims using different chat technology. It's here they build trust before tricking them into running malicious software."



bottom of page