AppleJeus

Malware updated 14 hours ago (2024-10-17T13:02:29.168Z)
AppleJeus is a family of trojanized cryptocurrency trading and wallet applications attributed to a North Korean threat actor tracked by Microsoft as Citrine Sleet and by Unit 42 as Gleaming Pisces, and treated by the U.S. government as part of the HIDDEN COBRA (Lazarus Group) activity. The group built its reputation by distributing successive versions of AppleJeus to cryptocurrency traders, each posing as a different product: Celas Trade Pro (version 1), JMT Trading (version 2), Union Crypto Trader (version 3), Kupay Wallet (version 4), CoinGoTrade (version 5), Dorusio (version 6) and Ants2Whale (version 7).

In 2021 the Cybersecurity and Infrastructure Security Agency (CISA) published malware analysis reports on these waves, including Kupay Wallet and CoinGoTrade, and identified in them a macOS Remote Access Trojan (RAT) delivered as a file named prtspool, later tracked as POOLRAT. In 2022 Volexity tied additional infrastructure (a hostname) to the AppleJeus campaign.

In 2024 Unit 42 found that PondRAT, a RAT for Linux and macOS, shares code with the macOS malware from that earlier AppleJeus campaign: overlapping code structure, identical function names, the same encryption keys and a similar execution flow. These overlaps are the basis for attributing PondRAT to Gleaming Pisces and thus to North Korea. A related macOS RAT was also found in a sample from the group's poisoned Python packages campaign, which distributed the malware through packages uploaded to PyPI.

In 2023 the group carried out a cascading software supply-chain attack. A 3CX employee downloaded a trojanized installer for X_TRADER, a discontinued trading package from Trading Technologies; the resulting foothold let the attackers compromise 3CX's environment and ship a backdoored build of the 3CX desktop phone application to customers including Toyota, Coca-Cola and Air France. Mandiant tracks the intrusion cluster as UNC4736, and Kaspersky reported the Gopuram backdoor being deployed on a subset of 3CX victims. The incident showed how one compromised upstream vendor can serve as a stepping stone into many downstream organizations at once.
Description last updated: 2024-10-17T12:11:39.236Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Gopuram (5 votes): Gopuram is a modular backdoor tracked by Kaspersky and attributed to Lazarus Group. Kaspersky observed it deployed as a second-stage payload on a small number of victims of the 2023 3CX supply-chain compromise, and had previously seen it on a machine that also hosted AppleJeus, which is the basis for the overlap.

Citrine Sleet (4 votes): Citrine Sleet, also known as Gleaming Pisces, is a financially motivated threat actor associated with North Korea that has been active since at least 2018. The group is renowned for distributing the AppleJeus malware, targeting cryptocurrency traders. They have previously been linked to various cybe…

HIDDEN COBRA (3 votes): HIDDEN COBRA, also known as Lazarus Group and Guardians of Peace, is a North Korean government-linked threat actor known for its malicious cyber activities. The group has primarily conducted cyberespionage but has also been involved in ransomware activity. The U.S. Government refers to this team's s…

UNC4736 (2 votes): UNC4736, a threat actor suspected to have North Korean connections, has been implicated in a series of cybersecurity breaches. The group gained initial access to the 3CX environment when an employee downloaded a financial trading package named X_TRADER from Trading Technologies' website. Unbeknownst…

Celas Trade Pro (2 votes): Celas Trade Pro is a malicious software application posing as a cryptocurrency trading platform. It was developed by North Korean hackers, referred to as HIDDEN COBRA by the U.S. government, as part of a series of deceptive applications collectively known as the "AppleJeus" family of malware. These…

CoinGoTrade (2 votes): CoinGoTrade is malware disguised as a legitimate cryptocurrency wallet application. It installs itself in the /Applications/CoinGoTrade.app/Contents/MacOS/ folder and presents a fully functional wallet program to its victims. The malware was first brought to public attention o…

Kupay Wallet (2 votes): Kupay Wallet is a form of malware, specifically part of the "AppleJeus" family of malicious cryptocurrency applications. This family, which includes Kupay Wallet among other programs like Celas Trade Pro, WorldBit-Bot, Union Crypto Trader, CoinGoTrade, Dorusio, CryptoNeuro Trader, and Ants2Whale, ha…

POOLRAT (2 votes): POOLRAT is a backdoor first reported by the Cybersecurity and Infrastructure Security Agency (CISA) in 2021. It targets macOS and Linux systems and gives the operator remote access to the host. The malware was initially identified as a file named 'prtspool', suspe…

Gleaming Pisces (2 votes): Gleaming Pisces, also known as Citrine Sleet, is a threat actor group linked to North Korea that has been active since at least 2018. This group is known for its sophisticated attacks against the cryptocurrency industry and has shown an affinity for targeting macOS and Linux systems, forgoing the tr…

PondRAT (2 votes): PondRAT is a Remote Access Trojan (RAT) for Linux and macOS reported by Unit 42 in 2024. It is a lighter variant of POOLRAT, the macOS backdoor that CISA first described in 2021 inside the cryptocurrency-themed Kupay Wallet package used in an AppleJeus campaign, and it shares code structure, function names and encryption keys with that earlier sample.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Malware
Macos
Apt
Korean
Kaspersky
3cx
Payload
Microsoft
Chrome
Zero Day
Celas Trade ...
Loader
Mandiant
Encryption
Linux
Associated Threat Actors
Lazarus Group (association type: unspecified; 3 votes): The Lazarus Group, a notorious threat actor attributed to North Korea, has been implicated in a series of high-profile cyberattacks and illicit activities. The group is known for its sophisticated operations, including Operation DreamJob, which targeted Spain (attributed with a high level of confidence). Over th…
Associated Vulnerabilities
CVE-2024-7971 (association type: unspecified; 2 votes): a type confusion vulnerability in the V8 JavaScript engine used by Google Chrome, exploited as a zero-day in 2024. Microsoft attributed that exploitation activity to Citrine Sleet, the same actor behind AppleJeus.
Source Document References
Information about the AppleJeus malware was read from the documents corpus below (display limited to 20 results).
BankInfoSecurity (24 days ago)
Securityaffairs (24 days ago)
Unit42 (a month ago)
Unit42 (a month ago)
DARKReading (a month ago)
BankInfoSecurity (a month ago)
Securityaffairs (2 months ago)
CERT-EU (10 months ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
Securelist (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
Securityaffairs (a year ago)