AppleJeus

Malware updated 13 days ago (2024-11-08T12:45:04.043Z)

Download STIX

Preview STIX

AppleJeus is a malware attributed with medium confidence to the North Korea-linked APT group "Gleaming Pisces," also known as Citrine Sleet, by researchers at Palo Alto's Unit 42. The group has been notorious for distributing versions of AppleJeus malware disguised as legitimate cryptocurrency trading services. These versions include CoinGoTrade (Version 5), Dorusio (Version 6), Kupay Wallet (Version 4), Ants2Whale (Version 7), and JMT Trading (Version 2). The attribution to North Korea was made after researchers found overlapping code structure, identification function names, encryption keys, and similar execution flows with a previous AppleJeus backdoor. The Gleaming Pisces group has a history of targeting the software supply chain. In 2023, they successfully exploited a flaw in an obsolete trading software package, which led them to compromise a desktop phone application made by 3CX and used by multinational corporations including Toyota, Coca-Cola, and Air France. Volexity identified the hostname as an AppleJeus server in 2022, confirming that this domain was part of the AppleJeus campaign. In a 2021 report, CISA identified a macOS RAT dubbed prtspool, used as the final payload in one of the AppleJeus (CoinGoTrade) attack waves. Furthermore, researchers discovered significant similarities between the PondRAT malware and macOS malware used in a previous AppleJeus campaign, again linked to the Gleaming Pisces APT group. An additional AppleJeus-related macOS RAT sample was also found, previously attributed to be a part of the poisoned Python packages campaign.

Description last updated: 2024-11-01T03:02:55.723Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Gopuram is a possible alias for AppleJeus. Gopuram is a malicious software or malware that infiltrates systems to exploit and cause damage. It has been known to infect systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold	5
Citrine Sleet is a possible alias for AppleJeus. Citrine Sleet, also known as Gleaming Pisces, is a financially motivated threat actor associated with North Korea that has been active since at least 2018. The group is renowned for distributing the AppleJeus malware, targeting cryptocurrency traders. They have previously been linked to various cybe	4
HIDDEN COBRA is a possible alias for AppleJeus. Hidden Cobra, also known as Lazarus Group and Guardians of Peace, is a North Korean government-linked threat actor known for its malicious cyber activities. The group has primarily conducted cyberespionage but has also been involved in ransomware activity. The U.S. Government refers to this team's s	3
Unc4736 is a possible alias for AppleJeus. UNC4736, a threat actor suspected to have North Korean connections, has been implicated in a series of cybersecurity breaches. The group gained initial access to the 3CX environment when an employee downloaded a financial trading package named X_TRADER from Trading Technologies' website. Unbeknownst	2
Celas Trade Pro is a possible alias for AppleJeus. Celas Trade Pro is a malicious software application posing as a cryptocurrency trading platform. It was developed by North Korean hackers, referred to as HIDDEN COBRA by the U.S. government, as part of a series of deceptive applications collectively known as the "AppleJeus" family of malware. These	2
Coingotrade is a possible alias for AppleJeus. CoinGoTrade is a malicious software (malware) disguised as a legitimate cryptocurrency wallet application. It installs itself in the /Applications/CoinGoTrade.app/Contents/MacOS/ folder and presents a fully functional wallet program to its victims. The malware was first brought to public attention o	2
Kupay Wallet is a possible alias for AppleJeus. Kupay Wallet is a form of malware, specifically part of the "AppleJeus" family of malicious cryptocurrency applications. This family, which includes Kupay Wallet among other programs like Celas Trade Pro, WorldBit-Bot, Union Crypto Trader, CoinGoTrade, Dorusio, CryptoNeuro Trader, and Ants2Whale, ha	2
Poolrat is a possible alias for AppleJeus. POOLRAT is a malicious software (malware) first reported by the Cybersecurity and Infrastructure Security Agency (CISA) in 2021. It primarily targets macOS and Linux systems, functioning as a backdoor to gain unauthorized access. The malware was initially identified as a file named 'prtspool', suspe	2
Gleaming Pisces is a possible alias for AppleJeus. Gleaming Pisces, also known as Citrine Sleet, is a threat actor group linked to North Korea that has been active since at least 2018. This group is known for its sophisticated attacks against the cryptocurrency industry and has shown an affinity for targeting MacOS and Linux systems, forgoing the tr	2
Pondrat is a possible alias for AppleJeus. PondRAT is a type of malware, specifically a Remote Access Trojan (RAT) variant, that targets Linux and macOS systems. It was first identified in 2021 as part of a cryptocurrency-themed Kupay Wallet macOS malware package during an AppleJeus campaign, according to a report by the Cybersecurity & Infr	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Backdoor

Malware

Apt

Macos

Korean

Kaspersky

3cx

Payload

Microsoft

Chrome

Zero Day

Celas Trade ...

Loader

Mandiant

Encryption

Linux

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Lazarus Group Threat Actor is associated with AppleJeus. The Lazarus Group, a notorious North Korean state-sponsored threat actor, is among the most prolific and dangerous cyber threat actors in operation. The group has been involved in several high-profile cyber-attacks, including Operation DreamJob in Spain, with the primary objective of funding North K	Unspecified	3

Associated Vulnerabilities

To see the evidence that has resulted in these vulnerability associations, create a free account

Alias Description	Association Type	Votes
The vulnerability CVE-2024-7971 is associated with AppleJeus.	Unspecified	2

Source Document References

Information about the AppleJeus Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
BankInfoSecurity	21 days ago	Mac Malware Threat: Hackers Seek Cryptocurrency Holders
BankInfoSecurity	2 months ago	North Korea Targets Software Supply Chain Via PyPI
Securityaffairs	2 months ago	North Korea-linked APT Gleaming Pisces deliver new PondRAT backdoor via malicious Python packages
Unit42	2 months ago	Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and MacOS Backdoors
Unit42	2 months ago	Threat Assessment: North Korean Threat Groups
DARKReading	3 months ago	North Korean APT Exploits Novel Chromium, Windows Bugs to Steal Crypto
BankInfoSecurity	3 months ago	North Korean Hackers Tied to Exploits of Chromium Zero-Day
Securityaffairs	3 months ago	North Korea-linked APT Citrine Sleet exploit Chrome zero-day to deliver FudModule rootkit - Security Affairs
CERT-EU	a year ago	Ransomware Dwell Time Hits Low of 24 Hours \| #ransomware \| #cybercrime \| National Cyber Security Consulting
CERT-EU	a year ago	Connect the Dots on State-Sponsored Cyber Incidents - Targeting of cryptocurrency exchanges and financial service companies
CERT-EU	a year ago	Advanced threat predictions for 2024 – GIXtools
Securelist	a year ago	Kaspersky Security Bulletin: APT predictions 2024
CERT-EU	a year ago	Connect the Dots on State-Sponsored Cyber Incidents - Targeting of cryptocurrency exchanges and financial service companies
CERT-EU	a year ago	North Korean Hackers Continue to Refine Their Arsenal of Tactics & Techniques
CERT-EU	2 years ago	N.K. Hackers Employ Matryoshka Doll-Style Cascading Supply Chain Attack on 3CX
CERT-EU	a year ago	Cybercriminals can go from click to compromise in less than a day \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #ransomware \| National Cyber Security Consulting
CERT-EU	a year ago	Connect the Dots on State-Sponsored Cyber Incidents - Targeting of users of cryptocurrency applications
CERT-EU	2 years ago	N.K. Hackers Employ Matryoshka Doll-Style Cascading Supply Chain Attack on 3CX
CERT-EU	a year ago	IT threat evolution in Q2 2023 – GIXtools
CERT-EU	a year ago	IT threat evolution Q2 2023