{
	"id": "a96d31e3-5b09-4ce0-850e-c9f72ba16524",
	"created_at": "2026-04-06T00:11:14.17612Z",
	"updated_at": "2026-04-10T03:38:19.603844Z",
	"deleted_at": null,
	"sha1_hash": "cb6c0447c335eb70f0a8fa7bb576f395790aabaa",
	"title": "Elastic catches DPRK passing out KANDYKORN",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4106319,
	"plain_text": "Elastic catches DPRK passing out KANDYKORN\r\nBy Colson Wilhoit, Ricardo Ungureanu, Seth Goodwin, Andrew Pease\r\nPublished: 2023-11-01 · Archived: 2026-04-05 23:22:17 UTC\r\nPreamble\r\nElastic Security Labs is disclosing a novel intrusion targeting blockchain engineers of a crypto exchange platform. The\r\nintrusion leveraged a combination of custom and open source capabilities for initial access and post-exploitation.\r\nWe discovered this intrusion when analyzing attempts to reflectively load a binary into memory on a macOS endpoint. The\r\nintrusion was traced to a Python application posing as a cryptocurrency arbitrage bot delivered via a direct message on a\r\npublic Discord server.\r\nWe attribute this activity to DPRK and recognize overlaps with the Lazarus Group based on our analysis of the techniques,\r\nnetwork infrastructure, code-signing certificates, and custom Lazarus Group detection rules; we track this intrusion set as\r\nREF7001.\r\nKey takeaways\r\nThreat actors lured blockchain engineers with a Python application to gain initial access to the environment\r\nThis intrusion involved multiple complex stages that each employed deliberate defense evasion techniques\r\nThe intrusion set was observed on a macOS system where an adversary attempted to load binaries into memory,\r\nwhich is atypical of macOS intrusions\r\nExecution flow\r\nREF7001 Execution Flow\r\nAttackers impersonated blockchain engineering community members on a public Discord frequented by members of this\r\ncommunity. The attacker social-engineered their initial victim, convincing them to download and decompress a ZIP archive\r\ncontaining malicious code. 
The victim believed they were installing an arbitrage bot, a software tool capable of profiting\r\nfrom cryptocurrency rate differences between platforms.\r\nThis execution kicked off the primary malware execution flow of the REF7001 intrusion, culminating in KANDYKORN:\r\nStage 0 (Initial Compromise) - Watcher.py\r\nStage 1 (Dropper) - testSpeed.py and FinderTools\r\nStage 2 (Payload) - .sld and .log - SUGARLOADER\r\nStage 3 (Loader)- Discord (fake) - HLOADER\r\nStage 4 (Payload) - KANDYKORN\r\nStage 0 Initial compromise: Watcher.py\r\nThe initial breach was orchestrated via a camouflaged Python application designed and advertised as an arbitrage bot\r\ntargeted at blockchain engineers. This application was distributed as a .zip file titled Cross-Platform Bridges.zip .\r\nDecompressing it reveals a Main.py script accompanied by a folder named order_book_recorder , housing 13 Python\r\nscripts.\r\nhttps://www.elastic.co/security-labs/elastic-catches-dprk-passing-out-kandykorn\r\nPage 1 of 18\n\nCross-Platform Bridges.zip folder structure\r\nThe victim manually ran the Main.py script via their PyCharm IDE Python interpreter.\r\nInitially, the Main.py script appears benign. It imports the accompanying Python scripts as modules and seems to execute\r\nsome mundane functions.\r\nWhile analyzing the modules housed in the order_book_recorder folder, one file -- Watcher.py -- clearly stood out and\r\nwe will see why.\r\nMain.py acts as the initial trigger, importing Watcher.py as a module that indirectly executes the script. The Python\r\ninterpreter runs every top-level statement in Watcher.py sequentially.\r\nThe script starts off by establishing local directory paths and subsequently attempts to generate a _log folder at the\r\nspecified location. 
If the folder already exists, the script remains passive.\r\nCreating a folder within the Python application directory structure and naming it _log\r\nThe script pre-defines a testSpeed.py file path (destined for the just created _log folder) and assigns it to the output\r\nvariable. The function import_networklib is then defined. Within it, a Google Drive URL is initialized.\r\nUtilizing the Python urllib library, the script fetches content from this URL and stashes it in the s_args variable. In case\r\nof retrieval errors, it defaults to returning the operating system's name. Subsequently, the content from Google Drive (now in\r\ns_args ) is written into the testSpeed.py file.\r\nMalicious downloader function import_networklib\r\nConnect to Google Drive url and download data saved to a variable s_args\r\nWrite data from s_args to testSpeed.py file in newly created _log directory\r\nThe next function, get_modules_base_version , probes the Python version and invokes the import_networklib function if\r\nit detects version 3. This call sets the entire sequence in motion.\r\nCheck if the Python version is 3, then call the import_networklib function\r\nWatcher.py imports testSpeed.py as a module, executing the contents of the script.\r\nImport testSpeed.py to execute it\r\nConcluding its operation, the malicious script tidies up, deleting the testSpeed.py file immediately after its one-time\r\nexecution.\r\nDelete the downloaded testSpeed.py file following its import and execution\r\nWatcher.py deletes the testSpeed.py immediately following its execution\r\nStage 1 droppers testSpeed.py and FinderTools\r\nWhen executed, testSpeed.py establishes an outbound network connection and fetches another Python file from a Google\r\nDrive URL, named FinderTools . 
This new file is saved to the /Users/Shared/ directory, with the method of retrieval\r\nmirroring the Watcher.py script.\r\ntestSpeed.py network connection\r\nFinderTools file creation\r\nAfter download, testSpeed.py launches FinderTools , providing a URL ( tp-globa[.]xyz//OdhLca1mLUp/lZ5rZPxWsh/7yZKYQI43S/fP7savDX6c/bfC ) as an argument which initiates an outbound network\r\nconnection.\r\nFinderTools execution\r\nFinderTools network connections\r\nFinderTools is yet another dropper, downloading and executing a hidden second stage payload .sld also written to the\r\n/Users/Shared/ directory.\r\nFinderTools executes .sld\r\nStage 2 payload .sld and .log: SUGARLOADER\r\nStage 2 involves the execution of an obfuscated binary we have named SUGARLOADER, which is utilized twice under two\r\nseparate names ( .sld and .log ).\r\nSUGARLOADER is first observed at /Users/shared/.sld . The second instance of SUGARLOADER, renamed to .log ,\r\nis used in the persistence mechanism REF7001 implements with Discord.\r\nObfuscation\r\nSUGARLOADER is used for initial access on the machine, and initializing the environment for the final stage. This binary\r\nis obfuscated using a binary packer, limiting what can be seen with static analysis.\r\nThe start function of this binary consists of a jump ( JMP ) to an undefined address. This is common for binary packers.\r\nHEADER:00000001000042D6 start:\r\nHEADER:00000001000042D6 jmp 0x10000681E\r\nExecuting the macOS file object tool otool -l ./log lists all the sections that will be loaded at runtime.\r\nSection\r\n sectname __mod_init_func\r\n segname lko2\r\n addr 0x00000001006983f0\r\n size 0x0000000000000008\r\n offset 4572144\r\n align 2^3 (8)\r\n reloff 0\r\n nreloc 0\r\n flags 0x00000009\r\n reserved1 0\r\n reserved2 0\r\n__mod_init_func contains initialization functions. The C++ compiler places static constructors here. 
This is the code used\r\nto unpack the binary in memory.\r\nA successful method of reverse engineering such files is to place a breakpoint right after the execution of initialization\r\nfunctions and then take a snapshot of the process's virtual memory. When the breakpoint is hit, the code will already be\r\ndecrypted in memory and can be analyzed using traditional methods.\r\nAdversaries commonly use obfuscation techniques such as this to bypass traditional static signature-based antimalware\r\ncapabilities. As of this publication, VirusTotal shows 0 detections of this file, which suggests these defense evasions\r\ncontinue to be cost-effective.\r\nSUGARLOADER VirusTotal Detections\r\nExecution\r\nThe primary purpose of SUGARLOADER is to connect to a Command and Control server (C2), in order to download a\r\nfinal stage payload we refer to as KANDYKORN, and execute it directly in memory.\r\nSUGARLOADER checks for the existence of a configuration file at /Library/Caches/com.apple.safari.ck . If the\r\nconfiguration file is missing, it will be downloaded and created via a default C2 address provided as a command line\r\nargument to the .sld binary. In our sample, the C2 address was 23.254.226[.]90 over TCP port 443 . We provide\r\nadditional information about the C2 in the Network Infrastructure section below.\r\nSUGARLOADER C2 established and configuration file download\r\nSUGARLOADER writing configuration file\r\nThe configuration file is encrypted using RC4 and the encryption key (in the Observations section) is hardcoded within\r\nSUGARLOADER itself. 
The com.apple.safari.ck file is utilized by both SUGARLOADER and KANDYKORN for\r\nestablishing secure network communications.\r\nstruct MalwareConfig\r\n{\r\n char computerId[8];\r\n _BYTE gap0[12];\r\n Url c2_urls[2];\r\n Hostname c2_ip_address[2];\r\n _BYTE proxy[200];\r\n int sleepInterval;\r\n};\r\ncomputerId is a randomly generated string identifying the victim’s computer.\r\nA C2 server can either be identified with a fully qualified URL ( c2_urls ) or with an IP address and port ( c2_ip_address ).\r\nIt supports two C2 servers, one as the main server, and the second one as a fallback. The specification or hardcoding of\r\nmultiple servers like this is commonly used by malicious actors to ensure their connection with the victim is persistent\r\nshould the original C2 be taken down or blocked. sleepInterval is the default sleeping interval for the malware between\r\nseparate actions.\r\nOnce the configuration file is read into memory and decrypted, the next step is to initialize a connection to the remote server.\r\nAll the communication between the victim’s computer and the C2 server is detailed in the Network Protocol section.\r\nThe last step taken by SUGARLOADER is to download a final stage payload from the C2 server and execute it. REF7001\r\ntakes advantage of a technique known as reflective binary loading (allocation followed by the execution of payloads directly\r\nwithin the memory of the process) to execute the final stage, leveraging APIs such as NSCreateObjectFileImageFromMemory\r\nor NSLinkModule . Reflective loading is a powerful technique. If you'd like to learn more about how it works, check out this\r\nresearch by slyd0g and hackd.\r\nThis technique can be utilized to execute a payload from an in-memory buffer. 
Fileless execution such as this has been\r\nobserved previously in attacks conducted by the Lazarus Group.\r\nSUGARLOADER reflectively loads a binary (KANDYKORN) and then creates a new file initially named appname , which\r\nwe refer to as HLOADER, a name taken directly from the process code signature’s signing identifier.\r\nSUGARLOADER reflective binary load alert\r\nSUGARLOADER creates HLOADER\r\nHLOADER code signature identifier\r\nPseudocode for SUGARLOADER (stage2)\r\nStage 3 loader Discord: HLOADER\r\nHLOADER ( 2360a69e5fd7217e977123c81d3dbb60bf4763a9dae6949bc1900234f7762df1 ) is a payload that attempts to\r\nmasquerade as the legitimate Discord application. As of this writing, it has 0 detections on VirusTotal.\r\nHLOADER VirusTotal Detections\r\nHLOADER was identified through the use of a macOS binary code-signing technique that has been previously linked to the\r\nDPRK’s Lazarus Group 3CX intrusion. In addition to other published research, Elastic Security Labs has also used the\r\npresence of this technique as an indicator of DPRK campaigns, as seen in our June 2023 research publication on\r\nJOKERSPY.\r\nPersistence\r\nWe observed the threat actor adopting a technique we have not previously seen them use to achieve persistence on macOS,\r\nknown as execution flow hijacking. The target of this attack was the widely used application Discord. The Discord\r\napplication is often configured by users as a login item and launched when the system boots, making it an attractive target\r\nfor takeover. HLOADER is a self-signed binary written in Swift. 
The purpose of this loader is to execute both the legitimate\r\nDiscord bundle and .log payload, the latter of which is used to execute Mach-O binary files from memory without writing\r\nthem to disk.\r\nThe legitimate binary /Applications/Discord.app/Contents/MacOS/Discord was renamed to .lock , and replaced by\r\nHLOADER .\r\nDiscord replaced by HLOADER\r\nBelow is the code signature information for HLOADER , which has a self-signed identifier structure consistent with other\r\nLazarus Group samples.\r\nExecutable=Applications/Discord.app/Contents/MacOS/Discord\r\nIdentifier=HLOADER-5555494485b460f1e2343dffaef9b94d01136320\r\nFormat=bundle with Mach-O universal (x86_64 arm64)\r\nCodeDirectory flags=0x2(adhoc) hashes=12+7 location=embedded\r\nWhen executed, HLOADER performs the following operations:\r\nRenames itself from Discord to MacOS.tmp\r\nRenames the legitimate Discord binary from .lock to Discord\r\nExecutes both Discord and .log using NSTask.launchAndReturnError\r\nRenames both files back to their initial names\r\nHLOADER execution event chain\r\nHLOADER Discord Application Hijack\r\nThe following process tree also visually depicts how persistence is obtained. The root node Discord is actually\r\nHLOADER disguised as the legitimate app. As presented above, it first runs .lock, which is in fact Discord, and, alongside,\r\nspawns SUGARLOADER as a process named .log.\r\nProcess Tree Analyzer\r\nAs seen in stage 2, SUGARLOADER reads the configuration file, connects to the C2 server, and waits for a payload to be\r\nreceived. Another alert is generated when the new payload (KANDYKORN) is loaded into memory.\r\nReflective Dylib Load Alert for KANDYKORN\r\nStage 4 Payload: KANDYKORN\r\nKANDYKORN is the final stage of this execution chain and possesses a full-featured set of capabilities to access and\r\nexfiltrate data from the victim’s computer. 
Elastic Security Labs was able to retrieve this payload from one C2 server which\r\nhadn’t been deactivated yet.\r\nExecution\r\nKANDYKORN processes are forked and run in the background as daemons before loading their configuration file from\r\n/Library/Caches/com.apple.safari.ck . The configuration file is read into memory then decrypted using the same RC4\r\nkey, and parsed for C2 settings. The communication protocol is similar to prior stages using the victim ID value for\r\nauthentication.\r\nCommand and control\r\nOnce communication is established, KANDYKORN awaits commands from the server. This is an interesting characteristic\r\nin that the malware waits for commands instead of polling for commands. This would reduce the number of endpoint and\r\nnetwork artifacts generated and provide a way to limit potential discovery.\r\nEach command is represented by an integer being transmitted, followed by the data that is specific to each action. Below is a\r\nlist of the available commands KANDYKORN provides.\r\nCommand 0xD1\r\nAction: Exit command where the program gracefully exits.\r\nCommand 0xD2\r\nName: resp_basicinfo\r\nAction: Gathers information about the system such as hostname, uid, osinfo, and image path of the\r\ncurrent process, and reports back to the server.\r\nresp_basicinfo routine\r\nCommand 0xD3\r\nName: resp_file_dir\r\nAction: Lists the content of a directory and formats the output similar to ls -al , including type, name,\r\npermissions, size, acl, path, and access time.\r\nresp_file_dir routine\r\nCommand 0xD4\r\nName: resp_file_prop\r\nAction: Recursively read a directory and count the number of files, number of subdirectories, and total size.\r\nresp_file_prop routine\r\nCommand 0xD5\r\nName: resp_file_upload\r\nAction: Used by the adversary to upload a file 
from their C2 server to the victim’s computer. This command specifies a path,\r\ncreates it, and then proceeds to download the file content and write it to the victim’s computer.\r\nCommand 0xD6\r\nName: resp_file_down\r\nAction: Used by the adversary to transfer a file from the victim’s computer to their infrastructure.\r\nCommand 0xD7\r\nName: resp_file_zipdown\r\nAction: Archive a directory and exfiltrate it to the C2 server. The newly created archive’s name has the following\r\npattern /tmp/tempXXXXXXX .\r\nresp_file_zipdown routine\r\nCommand 0xD8\r\nName: resp_file_wipe\r\nAction: Overwrites file content to zero and deletes the file. This is a common technique used to\r\nimpede recovering the file through digital forensics on the filesystem.\r\nresp_file_wipe routine\r\nCommand 0xD9\r\nName: resp_proc_list\r\nAction: Lists all running processes on the system along with their PID, UID and other information.\r\nCommand 0xDA\r\nName: resp_proc_kill\r\nAction: Kills a process by specified PID.\r\nresp_proc_kill routine\r\nCommand 0xDB\r\nName: resp_cmd_send\r\nAction: Executes a command on the system by using a pseudoterminal.\r\nCommand 0xDC\r\nName: resp_cmd_recv\r\nAction: Reads the command output from the previous command resp_cmd_send .\r\nCommand 0xDD\r\nName: resp_cmd_create\r\nAction: Spawns a shell on the system and communicates with it via a pseudoterminal. Once the shell process is executed,\r\ncommands are read and written through the /dev/pts device.\r\nresp_cmd_create routine (interactive shell)\r\nCommand 0xDE\r\nName: resp_cfg_get\r\nAction: Sends the current configuration to the C2 from /Library/Caches/com.apple.safari.ck .\r\nCommand 0xDF\r\nName: resp_cfg_set\r\nAction: Download a new configuration file to the victim’s machine. 
This is used by the adversary to update the C2 hostname\r\nthat should be used to retrieve commands from.\r\nCommand 0xE0\r\nName: resp_sleep\r\nAction: Sleeps for a number of seconds.\r\nSummary\r\nKANDYKORN is an advanced implant with a variety of capabilities to monitor, interact with, and avoid detection. It\r\nutilizes reflective loading, a direct-memory form of execution that may bypass detections.\r\nNetwork protocol\r\nAll the executables that communicate with the C2 (both stage 3 and stage 4) are using the same protocol. All the data is\r\nencrypted with RC4 and uses the same key previously referenced in the configuration file.\r\nBoth samples implement wrappers around the send-and-receive system calls. It can be observed in the following pseudocode\r\nthat during the send routine, the buffer is first encrypted and then sent to the socket, whereas when data is received it is first\r\ndecrypted and then processed.\r\nsend routine\r\nrecv routine\r\nWhen the malware first connects to the C2 during the initialization phase, there is a handshake that needs to be validated in\r\norder to proceed. Should the handshake fail, the attack would stop and no other commands would be processed.\r\nOn the client side, a random number is generated and sent to the C2, which replies with a nonce variable. The client then\r\ncomputes a challenge with the random number and the received nonce and sends the result back to the server. If the\r\nchallenge is successful and the server accepts the connection, it replies with a constant such as 0x41C3372 which appears in\r\nthe analyzed sample.\r\nHandshake routine\r\nOnce the connection is established, the client sends its ID and awaits commands from the server. Any subsequent data sent\r\nor received from here is serialized following a common schema used to serialize binary objects. 
First, the length of the\r\ncontent is sent, then the payload, followed by a return code which indicates if any error occurred.\r\nOverview of communication protocol\r\nNetwork infrastructure\r\nDuring REF7001, the adversary was observed communicating with network infrastructure to collect various payloads and\r\nloaders for different stages of the intrusion.\r\nAs detailed in the Stage 1 section above, the link to the initial malware archive, Cross-Platform Bridges.zip , was\r\nprovided in a direct message on a popular blockchain Discord server. This archive was hosted on a Google Drive\r\n( https://drive.google[.]com/file/d1KW5nQ8MZccug6Mp4QtKyWLT3HIZzHNIL2 ), but this was removed shortly after the\r\narchive was downloaded.\r\nThroughout the analysis of the REF7001 intrusion, there were two C2 servers observed.\r\ntp-globa[.]xyz//OdhLca1mLUp/lZ5rZPxWsh/7yZKYQI43S/fP7savDX6c/bfC\r\n23.254.226[.]90\r\ntp-globa[.]xyz\r\nThe C2 domain tp-globa[.]xyz is used by FinderTools to download SUGARLOADER and is likely an attempt at\r\ntyposquatting a legitimate foreign exchange market broker. We do not have any information to indicate that the legitimate\r\ncompany is involved in this intrusion. This typosquatted domain was likely chosen in an attempt to appear more legitimate\r\nto the victims of the intrusion.\r\ntp-globa[.]xyz , as of this writing, resolves to an IP address ( 192.119.64[.]43 ) that has been observed distributing\r\nmalware attributed to the DPRK’s Lazarus Group (1, 2, 3).\r\n23.254.226[.]90\r\n23.254.226[.]90 is the C2 IP used for the .sld file (SUGARLOADER malware). How this IP is used for C2 is highlighted\r\nin the stage 2 section above.\r\nOn October 14, 2023, 23.254.226[.]90 was used to register the subdomain, pesnam.publicvm[.]com . 
While we did not\r\nobserve this domain in our intrusion, it is documented as hosting other malicious software.\r\nCampaign intersections\r\ntp-globa[.]xyz has a TLS certificate with a Subject CN of bitscrunnch.linkpc[.]net . The domain\r\nbitscrunnch.linkpc[.]net has been attributed to other Lazarus Group intrusions.\r\nAs noted above, this is likely an attempt to typosquat a legitimate domain for a decentralized NFT data platform. We do not\r\nhave any information to indicate that the legitimate company is involved in this intrusion.\r\n…\r\nIssuer: C = US, O = Let's Encrypt, CN = R3\r\nValidity\r\nNot Before: Sep 20 12:55:37 2023 GMT\r\nNot After : Dec 19 12:55:36 2023 GMT\r\nSubject: CN = bitscrunnch[.]linkpc[.]net\r\n…\r\nThe bitscrunnch.linkpc[.]net TLS certificate is also used for other additional domains, all of which are registered to\r\nthe same IP address reported in the tp-globa[.]xyz section above, 192.119.64[.]43 .\r\njobintro.linkpc[.]net\r\njobdescription.linkpc[.]net\r\ndocsenddata.linkpc[.]net\r\ndocsendinfo.linkpc[.]net\r\ndatasend.linkpc[.]net\r\nexodus.linkpc[.]net\r\nbitscrunnch.run[.]place\r\ncoupang-networks[.]pics\r\nWhile LinkPC is a legitimate second-level domain and dynamic DNS service provider, it is well-documented that this\r\nspecific service is used by threat actors for C2. In our published research into RUSTBUCKET, which is also attributed to the\r\nDPRK, we observed LinkPC being used for C2.\r\nAll registered domains, 48 as of this writing, for 192.119.64[.]43 are included in the observables bundle.\r\nFinally, in late July 2023, there were reports on the Subreddits r/hacking, r/Malware, and r/pihole with URLs that matched\r\nthe structure of tp-globa[.]xyz//OdhLca1mLUp/lZ5rZPxWsh/7yZKYQI43S/fP7savDX6c/bfC . 
The user on Reddit reported that\r\na recruiter contacted them to solve a Python coding challenge as part of a job offer. The code challenge was to analyze\r\nPython code purported to be for an internet speed test. This aligns with the REF7001 victim’s reporting on being offered a\r\nPython coding challenge and the script name testSpeed.py detailed earlier in this research.\r\nThe domain reported on Reddit was group.pro-tokyo[.]top//OcRLY4xsFlN/vMZrXIWONw/6OyCZl89HS/fP7savDX6c/bfC\r\nwhich follows the same structure as the REF7001 URL ( tp-globa[.]xyz//OdhLca1mLUp/lZ5rZPxWsh/7yZKYQI43S/fP7savDX6c/bfC ):\r\nTwo // ’s after the TLD\r\n5 subdirectories using an //11-characters/10-characters/10-characters/ structure\r\nThe last 2 subdirectories were /fP7savDX6c/bfC\r\nWhile we did not observe GitHub in our intrusion, the Redditors who reported this did observe GitHub profiles being used.\r\nThey have all been deactivated.\r\nThose accounts were:\r\nhttps://github[.]com/Prtof\r\nhttps://github[.]com/wokurks\r\nSummary\r\nThe DPRK, via units like the LAZARUS GROUP, continues to target crypto-industry businesses with the goal of stealing\r\ncryptocurrency in order to circumvent international sanctions that hinder the growth of their economy and ambitions. In this\r\nintrusion, they targeted blockchain engineers active on a public chat server with a lure designed to speak to their skills and\r\ninterests, with the underlying promise of financial gain.\r\nThe infection required interactivity from the victim that would still be expected had the lure been legitimate. Once executed,\r\nvia a Python interpreter, the REF7001 execution flow went through 5 stages:\r\nStage 0 (staging) - Main.py executes Watcher.py as an imported module. 
This script checks the Python version,\r\nprepares the local system directories, then downloads, executes, and cleans up the next stage.\r\nStage 1 (generic droppers) - testSpeed.py and FinderTools are intermediate dropper Python scripts that\r\ndownload and execute SUGARLOADER.\r\nStage 2 (SUGARLOADER) - .sld and .log are Mach-O executable payloads that establish C2, write the\r\nconfiguration file and reflectively load KANDYKORN.\r\nStage 3 (HLOADER) - HLOADER / Discord (fake) is a simple loader used as a persistence mechanism masquerading\r\nas the legitimate Discord app for the loading of SUGARLOADER.\r\nStage 4 (KANDYKORN) - The final reflectively loaded payload. KANDYKORN is a full-featured memory resident\r\nRAT with built-in capabilities to:\r\nConduct encrypted command and control\r\nConduct system enumeration\r\nUpload and execute additional payloads\r\nCompress and exfil data\r\nKill processes\r\nRun arbitrary system commands through an interactive pseudoterminal\r\nElastic traced this campaign to April 2023 through the RC4 key used to encrypt the SUGARLOADER and KANDYKORN\r\nC2. This threat is still active and the tools and techniques are being continuously developed.\r\nThe Diamond Model\r\nElastic Security utilizes the Diamond Model to describe high-level relationships between adversaries, capabilities,\r\ninfrastructure, and victims of intrusions. 
While the Diamond Model is most commonly used with single intrusions, and\r\nleveraging Activity Threading (section 8) as a way to create relationships between incidents, an adversary-centered (section\r\n7.1.4) approach allows for a single, although cluttered, diamond.\r\nREF7001 Diamond Model\r\nREF7001 and MITRE ATT\u0026CK\r\nElastic uses the MITRE ATT\u0026CK framework to document common tactics, techniques, and procedures that advanced\r\npersistent threats use against enterprise networks.\r\nTactics\r\nTactics represent the why of a technique or sub-technique. It is the adversary’s tactical goal: the reason for performing an\r\naction.\r\nExecution\r\nPersistence\r\nDefense Evasion\r\nDiscovery\r\nCollection\r\nCommand and Control\r\nExfiltration\r\nTechniques\r\nTechniques represent how an adversary achieves a tactical goal by performing an action.\r\nUser Execution: Malicious File\r\nCommand and Scripting Interpreter: Python\r\nCommand and Scripting Interpreter: Unix Shell\r\nHijack Execution Flow\r\nDeobfuscate/Decode Files or Information\r\nHide Artifacts: Hidden Files and Directories\r\nIndicator Removal: File Deletion\r\nMasquerading: Match Legitimate Name or Location\r\nObfuscated Files or Information: Software Packing\r\nReflective Code Loading\r\nFile and Directory Discovery\r\nProcess Discovery\r\nSystem Information Discovery\r\nArchive Collected Data: Archive via Custom Method\r\nLocal Data Staging\r\nApplication Layer Protocol: Web Protocols\r\nFallback Channels\r\nIngress Tool Transfer\r\nExfiltration Over C2 Channel\r\nMalware prevention capabilities\r\nMacOS.Trojan.SUGARLOADER\r\nMacOS.Trojan.HLOADER\r\nMacOS.Trojan.KANDYKORN\r\nMalware detection capabilities\r\nHunting queries\r\nThe events for EQL are provided with the Elastic Agent using the Elastic Defend integration. Hunting queries could return\r\nhigh signals or false positives. 
These queries are used to identify potentially suspicious behavior, but an investigation is\r\nrequired to validate the findings.\r\nEQL queries\r\nUsing the Timeline section of the Security Solution in Kibana under the “Correlation” tab, you can use the below EQL\r\nqueries to hunt for similar behaviors.\r\nThe following EQL query can be used to identify when a hidden executable creates and then immediately deletes a file\r\nwithin a temporary directory:\r\nsequence by process.entity_id, file.path with maxspan=30s\r\n [file where event.action == \"modification\" and process.name : \".*\" and\r\n file.path : (\"/private/tmp/*\", \"/tmp/*\", \"/var/tmp/*\")]\r\n [file where event.action == \"deletion\" and process.name : \".*\" and\r\n file.path : (\"/private/tmp/*\", \"/tmp/*\", \"/var/tmp/*\")]\r\nThe following EQL query can be used to identify when a hidden file makes an outbound network connection followed by\r\nthe immediate download of an executable file:\r\nsequence by process.entity_id with maxspan=30s\r\n[network where event.type == \"start\" and process.name : \".*\"]\r\n[file where event.action != \"deletion\" and file.Ext.header_bytes : (\"cffaedfe*\", \"cafebabe*\")]\r\nThe following EQL query can be used to identify when a macOS application binary gets renamed to a hidden file name\r\nwithin the same directory:\r\nfile where event.action == \"rename\" and file.name : \".*\" and\r\n file.path : \"/Applications/*/Contents/MacOS/*\" and\r\n file.Ext.original.path : \"/Applications/*/Contents/MacOS/*\" and\r\n not startswith~(file.Ext.original.path,Effective_process.executable)\r\nThe following EQL query can be used to identify when an IP address is supplied as an argument to a hidden executable:\r\nsequence by process.entity_id with maxspan=30s\r\n[process where event.type == \"start\" and event.action == \"exec\" and process.name : \".*\" and process.args regex~ \"[0-9]{1,3\r\n[network where event.type == \"start\"]\r\nThe following EQL query can be used 
to identify the rename or modification of a hidden executable file within the\r\n/Users/Shared directory or the execution of a hidden unsigned or untrusted process in the /Users/Shared directory:\r\nany where\r\n (\r\n (event.category : \"file\" and event.action != \"deletion\" and file.Ext.header_bytes : (\"cffaedfe*\", \"cafebabe*\") and\r\n file.path : \"/Users/Shared/*\" and file.name : \".*\" ) or\r\n (event.category : \"process\" and event.action == \"exec\" and process.executable : \"/Users/Shared/*\" and\r\n (process.code_signature.trusted == false or process.code_signature.exists == false) and process.name : \".*\")\r\n )\r\nThe following EQL query can be used to identify when a URL is supplied as an argument to a python script via the\r\ncommand line:\r\nsequence by process.entity_id with maxspan=30s\r\n[process where event.type == \"start\" and event.action == \"exec\" and\r\n process.args : \"python*\" and process.args : (\"/Users/*\", \"/tmp/*\", \"/var/tmp/*\", \"/private/tmp/*\") and process.args : \"ht\r\n process.args_count <= 3 and\r\n not process.name : (\"curl\", \"wget\")]\r\n[network where event.type == \"start\"]\r\nThe following EQL query can be used to identify attempted in-memory Mach-O loading specifically by looking for the\r\npredictable temporary file creation of \"NSCreateObjectFileImageFromMemory-*\":\r\nfile where event.type != \"deletion\" and\r\nfile.name : \"NSCreateObjectFileImageFromMemory-*\"\r\nThe following EQL query can be used to identify attempted in-memory Mach-O loading by looking for the load of the\r\n\"NSCreateObjectFileImageFromMemory-*\" file or a load with no dylib name provided:\r\nany where ((event.action == \"load\" and not dll.path : \"?*\") or\r\n (event.action == \"load\" and dll.name : \"NSCreateObjectFileImageFromMemory*\"))\r\nYARA\r\nElastic Security has created YARA rules to identify this 
activity. Below are YARA rules to identify the payloads:\r\nMacOS.Trojan.SUGARLOADER\r\nMacOS.Trojan.HLOADER\r\nMacOS.Trojan.KANDYKORN\r\nObservations\r\nAll observables are also available for download in both ECS and STIX format.\r\nThe following observables were discussed in this research.\r\nObservable Ty\r\n3ea2ead8f3cec030906dcbffe3efd5c5d77d5d375d4a54cca03bfe8a6cb59940\r\nSH\r\n25\r\n2360a69e5fd7217e977123c81d3dbb60bf4763a9dae6949bc1900234f7762df1\r\nSH\r\n25\r\n927b3564c1cf884d2a05e1d7bd24362ce8563a1e9b85be776190ab7f8af192f6\r\nSH\r\n25\r\nhttp://tp-globa[.]xyz//OdhLca1mLUp/lZ5rZPxWsh/7yZKYQI43S/fP7savDX6c/bfC url\r\ntp-globa[.]xyz\r\ndo\r\nna\r\n192.119.64[.]43\r\nipv\r\nad\r\n23.254.226[.]90\r\nipv\r\nad\r\nD9F936CE628C3E5D9B3695694D1CDE79E470E938064D98FBF4EF980A5558D1C90C7E650C2362A21B914ABD173ABA5C0E5837C47B89F74C5B23A7294CC1CFD11B\r\n64\r\nke\r\nReferences\r\nThe following were referenced throughout the above research:\r\nThe DPRK strikes using a new variant of RUSTBUCKET — Elastic Security Labs\r\nhttps://x.com/tiresearch1/status/1708141542261809360\r\nhttps://www.reddit.com/r/hacking/comments/15b4uti/comment/jtprebt/\r\nLooks like a try to steel some data : r/Malware\r\nhttps://www.reddit.com/r/pihole/comments/15d11do/malware_project_mimics_pihole/jtzmpqh/\r\nLazarus Group Goes 'Fileless'\r\nUnderstanding and Defending Against Reflective Code Loading on macOS | by Justin Bui\r\nhttps://www.elastic.co/security-labs/elastic-catches-dprk-passing-out-kandykorn\r\nPage 17 of 18\n\nmacOS reflective code loading analysis · hackd\r\nSource: https://www.elastic.co/security-labs/elastic-catches-dprk-passing-out-kandykorn\r\nhttps://www.elastic.co/security-labs/elastic-catches-dprk-passing-out-kandykorn\r\nPage 18 of 18",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.elastic.co/security-labs/elastic-catches-dprk-passing-out-kandykorn"
	],
	"report_names": [
		"elastic-catches-dprk-passing-out-kandykorn"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434274,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cb6c0447c335eb70f0a8fa7bb576f395790aabaa.pdf",
		"text": "https://archive.orkl.eu/cb6c0447c335eb70f0a8fa7bb576f395790aabaa.txt",
		"img": "https://archive.orkl.eu/cb6c0447c335eb70f0a8fa7bb576f395790aabaa.jpg"
	}
}