{
	"id": "90afb36c-25e0-452a-95a3-62712b65c61a",
	"created_at": "2026-04-06T00:12:59.509614Z",
	"updated_at": "2026-04-10T13:11:21.343278Z",
	"deleted_at": null,
	"sha1_hash": "ef7db37bc011fea9853410fdc8938b9a0b789300",
	"title": "Jamf Threat Labs observes targeted attacks amid FBI Warnings",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1581865,
	"plain_text": "Jamf Threat Labs observes targeted attacks amid FBI Warnings\r\nBy Jamf Threat Labs\r\nArchived: 2026-04-05 17:39:33 UTC\r\nOn September 3, 2024 the Federal Bureau of Investigation (FBI) released a public service announcement\r\nwarning those in the crypto industry that the Democratic People's Republic of Korea (\"DPRK\", aka North Korea) has\r\nbeen targeting individuals with clever social engineering techniques in order to deliver malware.\r\nAuthors: Jaron Bradley and Ferdous Saljooki\r\nThe DPRK has a long history of acquiring financial gains through creative and illicit means. Over the years, a\r\nsignificant portion of these financial gains has come from successful cyberattacks. As mentioned in the FBI’s\r\npublic service announcement, specific individuals within crypto companies are being targeted.\r\nAs part of Jamf's ongoing research, Jamf Threat Labs had been proactively monitoring attacks that closely aligned\r\nwith these warnings. Below, we provide detailed insights into the nature of these attacks in order to give others\r\nthe knowledge needed to better identify and mitigate potential threats. The majority of attacks begin with an\r\nindividual reaching out over a social media platform, leading to the delivery of malware in some manner.\r\nSocial engineering\r\nHumans have long been considered the weakest link in the cybersecurity chain, and attackers continue to exploit\r\nthis weakness through increasingly sophisticated social engineering tactics. 
Social engineering schemes often\r\ntarget individuals through professional networking platforms, making users the first line of defense but also the\r\nmost vulnerable.\r\nPer the FBI announcement:\r\nhttps://www.jamf.com/blog/jamf-threat-labs-observes-targeted-attacks-amid-fbi-warnings/\r\nPage 1 of 6\n\nBefore initiating contact, the actors scout prospective victims by reviewing social media activity,\r\nparticularly on professional networking or employment-related platforms.\r\nJamf Threat Labs noted an attack attempt in which a user was contacted on LinkedIn by an individual claiming to\r\nbe a recruiter on the HR team at a tech company that specializes in decentralized finance.\r\nLinkedIn profile impersonating an HR professional and used to contact potential victims\r\nNote at the bottom of the image that this profile has 0 followers, which can be a good indicator that the account\r\nwas created recently. Much of this profile and the techniques used align with further documentation within the FBI\r\nannouncement:\r\n“The actors may also impersonate recruiting firms or technology companies backed by professional websites\r\ndesigned to make the fake entities appear legitimate.”\r\nAlthough we are unfamiliar with the website ston.fi and can’t speak to its legitimacy, the recruiter claiming to\r\nwork there is clearly meant to capture the target's interest.\r\nCode execution attempts\r\nThe FBI announcement goes on to document a number of ways in which the fraudulent recruiter might convince a user\r\nto install malware. 
An attack scenario observed by Jamf Threat Labs was closest to that of bullet point two from\r\nthe writeup:\r\nRequests to conduct a \"pre-employment test\" or debugging exercise that involves executing non-standard\r\nor unknown Node.js packages, PyPI packages, scripts, or GitHub repositories.\r\nIn the observed scenario, the recruiter sent a zipped coding challenge to the target\r\n(51a88646f9770e09b3505bd5cbadc587abb952ba), which is a fairly common step in the\r\nscreening process for a modern day development role. This coding challenge came in the form of a Visual Studio\r\nproject that has the developer focus on converting Slack messages to CSV format in C#. However, buried within\r\ntwo separate csproj files are malicious bash commands that both download a second stage payload. The two csproj\r\nfiles can be seen at the following locations:\r\nThe following bash commands will execute upon building the project:\r\nBoth scripts change their root directory and then download a second stage payload via curl from\r\ntaurihostmetrics[.]com.\r\nEach payload is marked as executable and then hidden before being run. These two executables are both stage two\r\nmalware. VisualStudioHelper communicates with wiresapplication[.]com while zsh_env communicates with\r\njuchesoviet48[.]com.\r\nThe stage two malware that is dropped by the coding challenge is tracked by Jamf Threat Labs under the name\r\nThiefbucket but is known to some as “Rustdoor.” Jamf Threat Labs has always attributed this malware to the\r\nongoing DPRK activity due to the stage one techniques and the manner in which they are delivered to their\r\ntargets.\r\nStage two: comparison of configuration\r\nAs mentioned in the above section, two executables were downloaded and executed by the fake coding challenge.\r\nThese two executables are nearly identical in functionality. 
What primarily sets them apart is their embedded\r\nconfigurations.\r\nThe config files embedded within the two separate malware samples show that VisualStudioHelper will\r\npersist via cron while zsh_env will persist via the zshrc file.\r\nFurther down, line 19 shows that VisualStudioHelper has a configuration setting called “files” set to true. This\r\nsetting causes the malware to act as an infostealer by grabbing a number of different files specified further\r\ndown in the config. In order to acquire some of the most valuable files, infostealers often require further\r\npermissions. These permissions are obtained by the malware via a popup window. This prompt is also defined\r\nwithin the config file.\r\nThe above excerpt shows a portion of the config within the VisualStudioHelper payload that will cause the\r\nmalware to prompt the user for their password using a prompt window that is tailored to look as though it\r\noriginated from Visual Studio. Given that this prompt is displayed at the same time the project is built, the user\r\nmay be more likely to think nothing of it and enter their password.\r\nThe other stage two malware that is downloaded (zsh_env) simply sets up persistence via the .zshrc configuration.\r\nThis ensures that any time the user opens a zsh shell from then on, the malware will also be executed. This\r\ntechnique is likely to be reliable given the attacker knows they’re targeting a developer who will probably\r\nuse the Terminal, again causing the backdoor to be run in the background.\r\nIn summary: both payloads are highly similar. The differences between the two are:\r\n1. 
VisualStudioHelper acts as an automated infostealer, can operate as a standard backdoor when invoked by\r\ncron, and communicates with wiresapplication[.]com.\r\n2. zsh_env operates as a backdoor, does not automate any of the infostealer functionality, persists via the\r\nzshrc config file, and uses a command and control server at juchesoviet48[.]com.\r\nStage two capabilities and updates\r\nSince its original discovery, Thiefbucket has had the following capabilities:\r\n- Automation of infostealer-like logic\r\n- Download files\r\n- Upload files\r\n- Kill processes\r\n- Delete files and directories\r\n- Sleep\r\n- Quickly search indexed files using Spotlight\r\n- Ability to self delete\r\n- Ability to run shell commands\r\n- Ability to prompt the user with dialog boxes\r\n- Ability to persist via LaunchAgent, cron, dock, and zshrc profiles.\r\nThe malware has a handful of differences from its first appearance; most notably, the executable that was\r\noriginally written in Rust seems to have been re-created in Objective-C.\r\nJamf Threat Labs continues to investigate the differences in features, but at first glance they appear to be minor.\r\nThe help page for the malware has been updated with a handful of new arguments. Most of these appear to be\r\nways to run or test the embedded config features. We’ve marked the new available arguments below with\r\nasterisks.\r\nIt’s worth noting that the VisualStudioHelper payload makes use of the --dialog argument when it prompts the\r\nuser for their password.\r\nWhen testing the --bin argument, we observed that Thiefbucket will add the supplied binary path to the zshrc\r\nfile before deleting itself.\r\nConclusion\r\nThreat actors continue to find new ways to pursue those in the crypto industry. Jamf Threat\r\nLabs has seen attacks in line with the FBI warning that went out this month. 
It’s important to train your\r\nemployees, including your developers, to be hesitant to trust those who connect on social media and ask them to\r\nrun software of any type. These social engineering schemes performed by the DPRK come from those who are\r\nwell-versed in English and enter the conversation having thoroughly researched their target. We recommend reading the\r\npublic service announcement for a list of mitigations and best practices.\r\nSource: https://www.jamf.com/blog/jamf-threat-labs-observes-targeted-attacks-amid-fbi-warnings/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.jamf.com/blog/jamf-threat-labs-observes-targeted-attacks-amid-fbi-warnings/"
	],
	"report_names": [
		"jamf-threat-labs-observes-targeted-attacks-amid-fbi-warnings"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434379,
	"ts_updated_at": 1775826681,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ef7db37bc011fea9853410fdc8938b9a0b789300.pdf",
		"text": "https://archive.orkl.eu/ef7db37bc011fea9853410fdc8938b9a0b789300.txt",
		"img": "https://archive.orkl.eu/ef7db37bc011fea9853410fdc8938b9a0b789300.jpg"
	}
}