AppleJeus

Malware updated 23 days ago (2024-11-29T13:43:46.183Z)
Download STIX
Preview STIX
AppleJeus is a malware attributed with medium confidence to the North Korea-linked APT group "Gleaming Pisces," also known as Citrine Sleet, by researchers at Palo Alto's Unit 42. The group has been notorious for distributing versions of AppleJeus malware disguised as legitimate cryptocurrency trading services. These versions include CoinGoTrade (Version 5), Dorusio (Version 6), Kupay Wallet (Version 4), Ants2Whale (Version 7), and JMT Trading (Version 2). The attribution to North Korea was made after researchers found overlapping code structure, identification function names, encryption keys, and similar execution flows with a previous AppleJeus backdoor. The Gleaming Pisces group has a history of targeting the software supply chain. In 2023, they successfully exploited a flaw in an obsolete trading software package, which led them to compromise a desktop phone application made by 3CX and used by multinational corporations including Toyota, Coca-Cola, and Air France. Volexity identified the hostname as an AppleJeus server in 2022, confirming that this domain was part of the AppleJeus campaign. In a 2021 report, CISA identified a macOS RAT dubbed prtspool, used as the final payload in one of the AppleJeus (CoinGoTrade) attack waves. Furthermore, researchers discovered significant similarities between the PondRAT malware and macOS malware used in a previous AppleJeus campaign, again linked to the Gleaming Pisces APT group. An additional AppleJeus-related macOS RAT sample was also found, previously attributed to be a part of the poisoned Python packages campaign.
Description last updated: 2024-11-01T03:02:55.723Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Gopuram is a possible alias for AppleJeus. Gopuram is a malicious software or malware that infiltrates systems to exploit and cause damage. It has been known to infect systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold
5
Citrine Sleet is a possible alias for AppleJeus. Citrine Sleet, also known as Gleaming Pisces, is a financially motivated threat actor associated with North Korea that has been active since at least 2018. The group is renowned for distributing the AppleJeus malware, targeting cryptocurrency traders. They have previously been linked to various cybe
4
HIDDEN COBRA is a possible alias for AppleJeus. Hidden Cobra, also known as Lazarus Group and Guardians of Peace, is a North Korean government-linked threat actor known for its malicious cyber activities. The group has primarily conducted cyberespionage but has also been involved in ransomware activity. The U.S. Government refers to this team's s
3
Unc4736 is a possible alias for AppleJeus. UNC4736, a threat actor suspected to have North Korean connections, has been implicated in a series of cybersecurity breaches. The group gained initial access to the 3CX environment when an employee downloaded a financial trading package named X_TRADER from Trading Technologies' website. Unbeknownst
2
Celas Trade Pro is a possible alias for AppleJeus. Celas Trade Pro is a malicious software application posing as a cryptocurrency trading platform. It was developed by North Korean hackers, referred to as HIDDEN COBRA by the U.S. government, as part of a series of deceptive applications collectively known as the "AppleJeus" family of malware. These
2
Coingotrade is a possible alias for AppleJeus. CoinGoTrade is a malicious software (malware) disguised as a legitimate cryptocurrency wallet application. It installs itself in the /Applications/CoinGoTrade.app/Contents/MacOS/ folder and presents a fully functional wallet program to its victims. The malware was first brought to public attention o
2
Kupay Wallet is a possible alias for AppleJeus. Kupay Wallet is a form of malware, specifically part of the "AppleJeus" family of malicious cryptocurrency applications. This family, which includes Kupay Wallet among other programs like Celas Trade Pro, WorldBit-Bot, Union Crypto Trader, CoinGoTrade, Dorusio, CryptoNeuro Trader, and Ants2Whale, ha
2
Poolrat is a possible alias for AppleJeus. POOLRAT is a malicious software (malware) first reported by the Cybersecurity and Infrastructure Security Agency (CISA) in 2021. It primarily targets macOS and Linux systems, functioning as a backdoor to gain unauthorized access. The malware was initially identified as a file named 'prtspool', suspe
2
Gleaming Pisces is a possible alias for AppleJeus. Gleaming Pisces, also known as Citrine Sleet, is a threat actor group linked to North Korea that has been active since at least 2018. This group is known for its sophisticated attacks against the cryptocurrency industry and has shown an affinity for targeting MacOS and Linux systems, forgoing the tr
2
Pondrat is a possible alias for AppleJeus. PondRAT is a type of malware, specifically a Remote Access Trojan (RAT) variant, that targets Linux and macOS systems. It was first identified in 2021 as part of a cryptocurrency-themed Kupay Wallet macOS malware package during an AppleJeus campaign, according to a report by the Cybersecurity & Infr
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Malware
Apt
Macos
Korean
Kaspersky
3cx
Payload
Microsoft
Chrome
Zero Day
Celas Trade ...
Loader
Mandiant
Encryption
Linux
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Lazarus Group Threat Actor is associated with AppleJeus. The Lazarus Group, a notorious threat actor attributed to North Korea, is renowned for its malicious activities aimed at furthering the country's objectives. This group has been implicated in several high-profile cyber-attacks, including an attack in Spain known as Operation DreamJob. The exploitatiUnspecified
3
Associated Vulnerabilities
To see the evidence that has resulted in these vulnerability associations, create a free account
Alias DescriptionAssociation TypeVotes
The vulnerability CVE-2024-7971 is associated with AppleJeus. Unspecified
2
Source Document References
Information about the AppleJeus Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
BankInfoSecurity
2 months ago
BankInfoSecurity
3 months ago
Securityaffairs
3 months ago
Unit42
3 months ago
Unit42
3 months ago
DARKReading
4 months ago
BankInfoSecurity
4 months ago
Securityaffairs
4 months ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
Securelist
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
2 years ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
2 years ago
CERT-EU
a year ago
CERT-EU
a year ago