AppleJeus

Malware updated 4 days ago (2024-09-10T03:18:15.900Z)
AppleJeus is a family of trojanized cryptocurrency trading and wallet applications that North Korean operators use to gain a foothold inside cryptocurrency businesses and on their users' machines, with theft of funds as the end goal. Kaspersky first documented the family in 2018, when the Celas Trade Pro application was found to deliver a backdoor; in 2021 CISA published malware analysis reports on the later variants, including the cryptocurrency-themed Kupay Wallet macOS package, and numbered the versions as Version 1: Celas Trade Pro, Version 2: JMT Trading, Version 3: Union Crypto, Version 4: Kupay Wallet, Version 5: CoinGoTrade, Version 6: Dorusio and Version 7: Ants2Whale.

Initial access is social engineering rather than exploitation: targets are approached with fake job offers or business proposals and steered to a polished website offering a counterfeit wallet or trading app. The application itself usually works, so the victim has no reason to be suspicious, while the installer's postinstall script drops the real payload and, on macOS, a LaunchDaemon property list that relaunches it at boot.

Microsoft tracks the operators as Citrine Sleet (other vendors' names for the same cluster include AppleJeus, Labyrinth Chollima, UNC4736 and Hidden Cobra) and assesses that they sit within Bureau 121 of North Korea's Reconnaissance General Bureau, targeting the cryptocurrency industry for financial gain. The group is capable of more than social engineering: in August 2024 Microsoft reported that it had exploited CVE-2024-7971, a type confusion flaw in the V8 JavaScript engine of Google Chrome, to deploy the FudModule rootkit. AppleJeus nevertheless remains the payload it most commonly delivers once it has reached a target.

Published estimates put North Korean cryptocurrency theft at about $2.3 billion USD between May 2017 and May 2023, with AppleJeus one of the principal tools, and Japan accounting for roughly 30% of the total. For defenders the practical consequence is that any unsolicited wallet or trading installer should be treated as untrusted: verify it against the vendor's published hashes or signature before installing, and on macOS treat a root LaunchDaemon whose program lives inside a user-installed application bundle as something to investigate.
Description last updated: 2024-09-10T03:16:37.923Z
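The LaunchDaemon persistence described above is the cheapest place to hunt for this family on a Mac. The Python below is an added example written for this page, not code from the page, from CISA or from any vendor report: it scores LaunchDaemon property lists on a handful of heuristics (runs at load, program inside a /Applications bundle, hidden executable, wallet/trading keyword in the label or path) and flags those that reach a threshold. The sample plists are constructed here to mimic the pattern and are not real indicators; the keyword list is assembled from the application names on this page, and the threshold of 3 is an arbitrary starting point to tune against your own fleet.

```python
"""Triage macOS LaunchDaemon plists for AppleJeus-style persistence.

Added example for this page, not code from the page or from any vendor or
CISA report. The sample plists below are constructed to mimic the pattern the
description gives (a root LaunchDaemon that relaunches a binary hidden inside
a counterfeit wallet app bundle); they are not real indicators.
"""
import os
import plistlib

# Keywords taken from the application names this page lists. A match is weak
# evidence by itself, so it only adds one point to the score.
WALLET_KEYWORDS = ("celas", "jmt", "kupay", "coingo", "dorusio",
                   "ants2whale", "wallet", "trade")


def score_daemon(plist_bytes: bytes) -> tuple[int, list[str]]:
    """Score one LaunchDaemon plist (XML or binary); returns (score, reasons).

    One point per heuristic:
      * RunAtLoad/KeepAlive set, so the program survives a reboot;
      * program path is inside a /Applications/*.app bundle (legitimate root
        daemons normally live under /Library, /System or /usr, so a daemon
        pointing into a user-installed app deserves a look);
      * a path component is dot-prefixed, i.e. hidden from Finder and ls;
      * label or path contains a wallet/trading keyword.
    """
    data = plistlib.loads(plist_bytes)
    program = data.get("Program")
    args = data.get("ProgramArguments") or []
    if program is None and args:
        program = args[0]
    if not isinstance(program, str):
        return 0, []  # nothing to run, nothing to score
    reasons = []
    if data.get("RunAtLoad") or data.get("KeepAlive"):
        reasons.append("runs at load")
    parts = program.split("/")
    if program.startswith("/Applications/") and any(p.endswith(".app") for p in parts):
        reasons.append("program inside /Applications bundle")
    if any(p.startswith(".") and p not in (".", "..") for p in parts):
        reasons.append("hidden path component")
    haystack = f"{data.get('Label', '')} {program}".lower()
    if any(k in haystack for k in WALLET_KEYWORDS):
        reasons.append("wallet/trading keyword")
    return len(reasons), reasons


def triage(plists: dict[str, bytes], threshold: int = 3) -> list[str]:
    """Names of plists scoring at or above threshold, highest score first."""
    hits = [(name, score_daemon(blob)[0]) for name, blob in plists.items()]
    hits = [(n, s) for n, s in hits if s >= threshold]
    hits.sort(key=lambda t: (-t[1], t[0]))
    return [n for n, _ in hits]


def load_directory(path: str = "/Library/LaunchDaemons") -> dict[str, bytes]:
    """Read every .plist in a LaunchDaemons directory (for use on a live host)."""
    out = {}
    for name in sorted(os.listdir(path)):
        if name.endswith(".plist"):
            with open(os.path.join(path, name), "rb") as fh:
                out[name] = fh.read()
    return out


def _make_plist(label: str, args: list[str], run_at_load: bool = True) -> bytes:
    return plistlib.dumps({"Label": label, "ProgramArguments": args,
                           "RunAtLoad": run_at_load})


# Constructed samples (hypothetical labels and paths, not observed IOCs).
SAMPLE_DAEMONS = {
    # AppleJeus-style: root daemon, hidden binary inside a "wallet" app bundle.
    "com.example-wallet.pkg.plist": _make_plist(
        "com.example-wallet.pkg",
        ["/Applications/ExampleWallet.app/Contents/MacOS/.example_updater"]),
    # Benign: a privileged helper in the place legitimate daemons live.
    "com.vendor.helper.plist": _make_plist(
        "com.vendor.helper", ["/Library/PrivilegedHelperTools/com.vendor.helper"]),
    # Borderline: points into an app bundle but visible binary, no keyword,
    # not started at load; stays below the default threshold.
    "com.vendor.agent.plist": _make_plist(
        "com.vendor.agent",
        ["/Applications/VendorTool.app/Contents/MacOS/vendor-agent"],
        run_at_load=False),
}

if __name__ == "__main__":
    for name in triage(SAMPLE_DAEMONS):
        score, reasons = score_daemon(SAMPLE_DAEMONS[name])
        print(f"{name}: score {score}: {', '.join(reasons)}")
    if os.path.isdir("/Library/LaunchDaemons"):
        for name in triage(load_directory()):
            print("live host hit:", name)
```

Run it as-is to see the constructed wallet daemon flagged with all four reasons; on a Mac it then scores the real /Library/LaunchDaemons. The heuristics are deliberately cheap so the script can run in a fleet-wide collection job; anything it flags should be followed up by checking the program's code signature and the installer package that created the plist.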
Possible Aliases / Cluster overlaps
Vendors name overlapping activity clusters differently, so the profiles below may describe the same operators or tooling under another name.
Name (votes): profile description

Gopuram (5): Gopuram is a modular backdoor that Kaspersky has tracked since 2020, when it was found on a cryptocurrency company's systems alongside AppleJeus; in 2023 Kaspersky observed it deployed as a second-stage payload on a small number of cryptocurrency companies compromised through the trojanized 3CX desktop application, which is why it clusters with this family.

HIDDEN COBRA (3): Hidden Cobra, also known as Lazarus Group, TEMP.Hermit, and several other names, is a threat actor attributed to the North Korean government by the U.S. Government. The group has been involved in various malicious cyber activities, including cyberespionage, ransomware attacks, and destructive operat...

Citrine Sleet (3): Citrine Sleet, also known as Gleaming Pisces, AppleJeus, Labyrinth Chollima, UNC4736, and Hidden Cobra, is a threat actor believed to be associated with North Korea's Reconnaissance General Bureau. This group has been implicated in a series of targeted cyberattacks against the cryptocurrency industr...

UNC4736 (2): UNC4736, a threat actor suspected to have North Korean connections, has been implicated in a series of cybersecurity breaches. The group gained initial access to the 3CX environment when an employee downloaded a financial trading package named X_TRADER from Trading Technologies' website. Unbeknownst...

Celas Trade Pro (2): Celas Trade Pro is a malicious software application posing as a cryptocurrency trading platform. It was developed by North Korean hackers, referred to as HIDDEN COBRA by the U.S. government, as part of a series of deceptive applications collectively known as the "AppleJeus" family of malware. These...

CoinGoTrade (2): CoinGoTrade is malware disguised as a legitimate cryptocurrency wallet application. It installs itself in the /Applications/CoinGoTrade.app/Contents/MacOS/ folder and presents a fully functional wallet program to its victims. The malware was first brought to public attention o...

Kupay Wallet (2): Kupay Wallet is malware identified as part of the AppleJeus family, a series of North Korean malicious cryptocurrency applications. This malware was first reported by CISA as part of a cryptocurrency-themed Kupay Wallet macOS malware package during an AppleJeus campaign in 202...

POOLRAT (2): POOLRAT is malware that serves as a backdoor into macOS and Linux systems. It was first reported by the Cybersecurity and Infrastructure Security Agency (CISA) in 2021, under the guise of a file named 'prtspool', which was likely the final payload in an AppleJeus attack. Th...
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Malware
APT
macOS
Korean
Kaspersky
3CX
Payload
Microsoft
Zero-day
Celas Trade ...
Linux
Chrome
Mandiant
Loader
Associated Threat Actors
Name (association type, votes): profile description

Lazarus Group (Unspecified, 3): The Lazarus Group, also known as APT38, is a notorious threat actor believed to be backed by the North Korean regime. This group has been associated with several high-profile cyber attacks and thefts, including the infamous $600 million Ronin sidechain exploit in 2022. Known for their sophisticated...
Associated Vulnerabilities
ID (association type, votes): profile description

CVE-2024-7971 (Unspecified, 2): No profile description has been recorded for this entry. The vulnerability is a type confusion flaw in the V8 JavaScript engine of Google Chrome that Citrine Sleet exploited in the wild to deliver the FudModule rootkit, as noted in the description above.
Source Document References
Information about the AppleJeus malware was read from the documents in the corpus below (the display is limited to 20 results).
Source, age: title

Unit42, 4 days ago: Threat Assessment: North Korean Threat Groups
DARKReading, 10 days ago: North Korean APT Exploits Novel Chromium, Windows Bugs to Steal Crypto
BankInfoSecurity, 11 days ago: North Korean Hackers Tied to Exploits of Chromium Zero-Day
Securityaffairs, 13 days ago: North Korea-linked APT Citrine Sleet exploit Chrome zero-day to deliver FudModule rootkit - Security Affairs
CERT-EU, 9 months ago: Ransomware Dwell Time Hits Low of 24 Hours | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU, 10 months ago: Connect the Dots on State-Sponsored Cyber Incidents - Targeting of cryptocurrency exchanges and financial service companies
CERT-EU, 10 months ago: Advanced threat predictions for 2024 – GIXtools
Securelist, 10 months ago: Kaspersky Security Bulletin: APT predictions 2024
CERT-EU, a year ago: Connect the Dots on State-Sponsored Cyber Incidents - Targeting of cryptocurrency exchanges and financial service companies
CERT-EU, a year ago: North Korean Hackers Continue to Refine Their Arsenal of Tactics & Techniques
CERT-EU, a year ago: N.K. Hackers Employ Matryoshka Doll-Style Cascading Supply Chain Attack on 3CX
CERT-EU, a year ago: Cybercriminals can go from click to compromise in less than a day | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU, a year ago: Connect the Dots on State-Sponsored Cyber Incidents - Targeting of users of cryptocurrency applications
CERT-EU, a year ago: IT threat evolution in Q2 2023 – GIXtools
CERT-EU, a year ago: IT threat evolution Q2 2023
Securityaffairs, a year ago: FBI identifies wallets holding cryptocurrency funds stolen by North Korea
CERT-EU, a year ago: FBI Finds 1,580 Bitcoin in Crypto Wallets Linked to North Korean Hackers
CERT-EU, a year ago: APT trends report Q2 2023 – GIXtools
Securelist, a year ago: APT trends report Q2 2023