AppleJeus

Malware Profile Updated 24 days ago
AppleJeus is a malware family attributed to the North Korean APT Lazarus Group and designed primarily to steal cryptocurrency. It has been a key instrument in North Korea's financial theft operations: according to Elliptic, North Korean threat groups stole $2.3 billion USD worth of crypto assets between May 2017 and May 2023, and 30% of that sum was taken from Japan. The malware infects systems via trojanized cryptocurrency trading applications such as CoinGoTrade, Kupay Wallet, JMT Trading, Dorusio, and Ants2Whale, among others, and had victimized individuals in more than thirty countries as of 2020. The deployment strategy is to distribute these compromised trading applications, which then install on the user's system and enable the theft of cryptocurrency. Notably, there is an overlap in tooling between AppleJeus (also known as UNC1720) and TEMP.Hermit, suggesting shared resources between the two. The threat actor behind AppleJeus previously used an older version of POOLRAT in a long-running campaign that spread these rigged applications, further tying it to that malware. Investigations have also found that the Gopuram backdoor, deployed through the 3CX supply chain attack against victims worldwide, coexisted on victim machines alongside AppleJeus. Facing two backdoors at once suggests a deliberate, layered intrusion strategy on the part of the perpetrators and an increased risk for affected victims.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Gopuram | 5 | Gopuram is a malicious software or malware that infiltrates systems to exploit and cause damage. It has been known to infect systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold
Coingotrade | 2 | CoinGoTrade is a malicious software (malware) disguised as a legitimate cryptocurrency wallet application. It installs itself in the /Applications/CoinGoTrade.app/Contents/MacOS/ folder and presents a fully functional wallet program to its victims. The malware was first brought to public attention o
Unc4736 | 2 | UNC4736, a threat actor suspected to have North Korean connections, has been implicated in a series of cybersecurity breaches. The group gained initial access to the 3CX environment when an employee downloaded a financial trading package named X_TRADER from Trading Technologies' website. Unbeknownst
Celas Trade Pro | 2 | Celas Trade Pro is a malicious software application posing as a cryptocurrency trading platform. It was developed by North Korean hackers, referred to as HIDDEN COBRA by the U.S. government, as part of a series of deceptive applications collectively known as the "AppleJeus" family of malware. These
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Malware
Korean
Apt
Kaspersky
3cx
Loader
Macos
Mandiant
Payload
Celas Trade ...
Associated Malware
ID | Type | Votes | Profile Description
No associations to display
Associated Threat Actors
ID | Type | Votes | Profile Description
Lazarus Group | Unspecified | 3 | The Lazarus Group, also known as Diamond Sleet, is a notorious threat actor attributed to numerous cyber-attacks and illicit activities. This group is associated with North Korea and has been implicated in several high-profile incidents, including Operation DreamJob in Spain, which was attributed to
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the AppleJeus malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
MITRE
a year ago
AppleJeus: Analysis of North Korea’s Cryptocurrency Malware | CISA
ESET
a year ago
Linux malware strengthens links between Lazarus and the 3CX supply‑chain attack | WeLiveSecurity
Securelist
a year ago
Not just an infostealer: Gopuram backdoor deployed through 3CX supply chain attack
MITRE
a year ago
APT trends report Q1 2020
MITRE
a year ago
Lazarus’ MacOS Dacls RAT Shows Multi-Platform Ability
Securityaffairs
a year ago
3CX Supply chain attack allowed targeting cryptocurrency firms
MITRE
a year ago
Four Distinct Families of Lazarus Malware Target Apple's macOS Platform
CERT-EU
a year ago
Security Incident Weekly Report 2023-04-03, Week 14 - 360CERT
CERT-EU
a year ago
Cryptocurrency companies targeted by the Gopuram malware via the 3CX attack | UnderNews
CERT-EU
a year ago
Cascading Supply Chain Attack: 3CX Hacked After Employee Downloaded Trojanized App
CERT-EU
a year ago
3CX hack highlights risk of cascading software supply-chain compromises
BankInfoSecurity
a year ago
North Korean Hackers Chained Supply Chain Hacks to Reach 3CX
CERT-EU
a year ago
Massive 3CX Supply-Chain Hack Targeted Cryptocurrency Firms
CERT-EU
8 months ago
Connect the Dots on State-Sponsored Cyber Incidents - Targeting of users of cryptocurrency applications
CERT-EU
a year ago
N.K. Hackers Employ Matryoshka Doll-Style Cascading Supply Chain Attack on 3CX
MITRE
a year ago
Three North Korean Military Hackers Indicted in Wide-Ranging Scheme
CSO Online
a year ago
55 zero-day flaws exploited last year show the importance of security risk management
CERT-EU
a year ago
A dangerous app threatens millions of employees around the world
CERT-EU
a year ago
Anomali Cyber Watch: Two Supply-Chain Attacks Chained Together, Decoy Dog Stealthy DNS Communication, EvilExtractor Exfiltrates to FTP Server