top of page

North Korea based macOS Targeted Exploits using Weaponized Documents

In the dynamic landscape of cybersecurity, a worrisome trend has surfaced with North Korean hackers setting their sights on MacOS, employing the deployment of weaponized documents. This method involves embedding malicious code within seemingly innocuous files, presenting a powerful means of exploiting software vulnerabilities, enabling unauthorized access, and delivering damaging malware. Recent insights from cybersecurity researchers at SentinelOne bring attention to two significant campaigns orchestrated by North Korean threat actors: RustBucket and KandyKorn.





The RustBucket campaign used a sneaky trick by disguising their malware as a harmless PDF Viewer called 'SwiftLoader.' Once unsuspecting users fell for it, they ended up with a second-stage malware written in Rust. Meanwhile, the KandyKorn campaign took a different route, targeting blockchain engineers with Python scripts. These scripts delivered a C++ backdoor RAT called 'KandyKorn.' The attackers went all out, tricking Discord users into downloading a seemingly innocent Python app disguised as a crypto arbitrage bot.


The attack unfolded in stages, with users unknowingly downloading the malicious 'Cross-Platform Bridges.zip' file. The attackers then checked the Python versions, ran FinderTools, deployed SUGARLOADER, and set up stealthy persistence mechanisms. They even went so far as to replace genuine Discord components to ensure continuous undetected execution. To make things more convincing, they used Swift-based applications like 'SecurePDF Viewer.app,' signed by seemingly legitimate entities such as "BBQ BAZAAR PRIVATE LIMITED" and "Northwest Tech-Con Systems Ltd."


These MacOS-targeted attacks go beyond just getting into systems; they highlight the urgent need for vigilance against cyber threats. Both individual users and specific industries, like blockchain, found themselves under attack. As these threats keep evolving, it's crucial for users to stay informed and take proactive cybersecurity measures. Whether it's being cautious with document downloads or adopting strong security practices, everyone plays a part in protecting digital environments from the constant threat of cyber attacks.


bottom of page