Skip to main content

Trick or treat? North Korean hackers target crypto experts with Kandykorn macOS malware

Security researchers have identified an attempt by state-sponsored hackers from the Democratic People’s Republic of Korea (DPRK) to infect blockchain engineers belonging to an undisclosed crypto exchange platform with a new form of macOS malware.

On October 31, Elastic Security Labs disclosed the intrusion, which uses custom and open-source capabilities for initial access and post-exploitation on Mac, all beginning with Discord…

Elastic calls this form of macOS malware “Kandykorn,” tracked as REF7001, and attributes its existence to the DPRK’s infamous cybercrime enterprise Lazarus Group after finding overlaps in the network infrastructure and techniques used.

It’s important to note that while this is a serious attack and can go undetected, it’s an extreme edge case that most people don’t have to worry about.

Lazarus hackers used Discord to impersonate blockchain engineering community members, convincing them to download and decompress a ZIP archive containing malicious Python code (Kandykorn). Meanwhile, victims believed they were installing an arbitrage bot to profit from cryptocurrency rate differences.

“Kandykorn is an advanced implant with various capabilities to monitor, interact with, and avoid detection,” researchers with Elastic stated on Tuesday. “It utilizes reflective loading, a direct-memory form of execution that may bypass detections.”

The execution flow of REF7001 consists of five stages:

  1. Initial compromise: Threat actors target blockchain engineers with the camouflaged arbitrage bot Python application called This is distributed in a .zip file titled “Cross-Platform”
  2. Network connection: If the victim successfully installs the malicious Python code, an outbound network connection is established to intermediate dropper scripts to download and execute Sugerloader.
  3. Payload: Obfuscated binary, Sugarloader, is used for initial access on the macOS system and initializes for the final stage.
  4. Persistence: Hloader, which disguises itself as the actual Discord application, now launches alongside it to establish persistence for Sugarloader.
  5. Execution: Kandykorn, capable of data access and exfiltration, awaits commands from the C2 server.

Kandykorn, the final-stage payload, is a full-featured memory resident RAT with built-in capabilities to run arbitrary commands, run additional malware, exfiltrate data, and kill processes. The macOS malware communicates with Lazarus Group hackers using command-and-control (C2) servers with RC4 data encryption.

“The actions displayed by Lazarus Group show that the actor has no intent to slow down in their targeting of companies and individuals holding onto crypto-currency,” says Jaron Bradley, Director of Jamf Threat Labs and part of the team behind the discovery of a similar form of macOS malware earlier this year.

“They also continue to show that there is no shortage of new malware in their back pocket and familiarity with advanced attacker techniques. We continue to see them reach out directly to victims using different chat technology. It’s here they build trust before tricking them into running malicious software,” Bradley states.

Kandykorn is very much still an active threat, and the tools and techniques are continuously evolving. The Elastic Security Labs technical write-up provides extensive details into this intrusion, including code snippets and screenshots.

Follow Arin: Twitter/X, LinkedIn, Threads

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel