Citrine Sleet

Threat Actor updated 7 days ago (2024-09-10T04:18:38.099Z)
Citrine Sleet, also known as Gleaming Pisces, AppleJeus, Labyrinth Chollima, UNC4736, and Hidden Cobra, is a threat actor assessed to be associated with North Korea's Reconnaissance General Bureau. The group primarily targets the cryptocurrency industry, luring victims with fake cryptocurrency trading sites and trojanized trading applications that deliver malware such as the AppleJeus Trojan. Microsoft first disclosed Citrine Sleet's activities in a blog post in December 2022, highlighting the group's association with the AppleJeus campaign. In August 2024, Microsoft reported that Citrine Sleet was exploiting a Chromium zero-day, CVE-2024-7971 (a type confusion bug in the V8 JavaScript engine), for financial gain. The exploit was one stage of a multi-step chain: victims were directed to a deceptive website mimicking a cryptocurrency trading platform, where CVE-2024-7971 gave the attacker remote code execution inside the browser's sandboxed renderer process. To break out of the sandbox, the chain then exploited CVE-2024-38106, a Windows kernel elevation-of-privilege bug, to obtain kernel-level access; with that access the actor deployed FudModule, a rootkit shared with another North Korean actor, Diamond Sleet. The two bugs were fixed on different timelines: Microsoft had already released the patch for CVE-2024-38106 on August 13, 2024, several days before the attacks were observed on August 19, while Google fixed CVE-2024-7971 on August 21, 2024, within days of Microsoft's report of the exploitation. Although CVE-2024-38106 requires local access and therefore carries a CVSS score of only 7.0, a chained browser exploit supplies exactly that access, so both a patched browser and a patched kernel are needed to stop this chain. Detection of such activity is difficult because of the level of access the attacker achieves: kernel access places the attacker on an even playing field with endpoint security tools, or gives them the upper hand.
Description last updated: 2024-09-10T03:18:12.365Z
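The chain above only works end to end on a host where both the Chromium renderer bug and the Windows kernel bug are unpatched. The following is an added example (not code from the original page, from Microsoft, or from any of the cited sources) that scores a constructed fleet inventory against that two-part condition. The Chrome fixed version (128.0.6613.84, Google's 21 August 2024 release) is a known value; the per-branch Windows build thresholds for the 13 August 2024 kernel fix are assumptions that must be confirmed against the vendor advisory before the output is trusted, and the inventory lines are constructed sample data.

```python
"""Exposure check for the Citrine Sleet chain: CVE-2024-7971 (Chromium V8) chained
with CVE-2024-38106 (Windows kernel EoP) before FudModule deployment.

Added example, not from the original page or from Microsoft's report.
"""
import csv
import io
from typing import Dict, Optional, Tuple

# Chrome 128.0.6613.84 is Google's 21 Aug 2024 stable release that fixed CVE-2024-7971.
CHROME_FIXED: Tuple[int, ...] = (128, 0, 6613, 84)

# ASSUMPTION: minimum Update Build Revision (UBR) carrying the 13 Aug 2024 kernel fix
# for CVE-2024-38106, keyed by OS build. Verify these against the MSRC advisory for
# each servicing branch before relying on them; branches not listed are "unknown".
WINDOWS_FIXED_UBR: Dict[int, int] = {
    22631: 4037,   # Windows 11 23H2 (assumed)
    22621: 4037,   # Windows 11 22H2 (assumed)
    19045: 4780,   # Windows 10 22H2 (assumed)
}

# Constructed sample inventory (hostname, Chrome version, Windows version string).
INVENTORY = """\
host,chrome,windows
ws-01,128.0.6613.84,10.0.22631.4037
ws-02,127.0.6533.120,10.0.22631.3958
ws-03,127.0.6533.120,10.0.19045.4780
ws-04,128.0.6613.120,10.0.22631.3880
ws-05,126.0.6478.127,10.0.26100.1457
"""


def parse_version(text: str, parts: int = 4) -> Tuple[int, ...]:
    """Parse a dotted numeric version into an int tuple; reject malformed input."""
    fields = text.strip().split(".")
    if len(fields) != parts or not all(f.isdigit() for f in fields):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(f) for f in fields)


def chromium_vulnerable(chrome_version: str) -> bool:
    """True if the Chrome build predates the CVE-2024-7971 fix (tuple comparison)."""
    return parse_version(chrome_version) < CHROME_FIXED


def windows_kernel_vulnerable(os_version: str) -> Optional[bool]:
    """True/False for servicing branches in the table; None if the branch is unknown."""
    _, _, build, ubr = parse_version(os_version)
    fixed_ubr = WINDOWS_FIXED_UBR.get(build)
    if fixed_ubr is None:
        return None
    return ubr < fixed_ubr


def assess_host(chrome_version: str, os_version: str) -> str:
    """Classify a host by which stages of the chain would still succeed.

    full-chain: renderer RCE and kernel EoP both possible (FudModule reachable)
    rce-only:   renderer RCE possible, but this sandbox-escape bug is patched
    kernel-only: browser patched, kernel still exposed to other chains
    patched:    both fixes present
    unknown-os-branch: kernel status cannot be assessed from the table
    """
    browser = chromium_vulnerable(chrome_version)
    kernel = windows_kernel_vulnerable(os_version)
    if kernel is None:
        return "unknown-os-branch"
    if browser and kernel:
        return "full-chain"
    if browser:
        return "rce-only"
    if kernel:
        return "kernel-only"
    return "patched"


def assess_inventory(csv_text: str) -> Dict[str, str]:
    """Run assess_host over a CSV inventory and return {hostname: classification}."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["host"]: assess_host(row["chrome"], row["windows"]) for row in reader}


if __name__ == "__main__":
    for host, verdict in assess_inventory(INVENTORY).items():
        print(f"{host}: {verdict}")
```

A host reported as rce-only still has an exploitable renderer; the verdict only says that this particular sandbox escape is closed, so browser patching remains the priority on every non-patched host.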
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
AppleJeus (3 votes): AppleJeus is a potent malware family designed to infiltrate systems and steal cryptocurrency-related assets. It was first publicly documented by Kaspersky in 2018; CISA's 2021 AppleJeus advisory later detailed several variants, including a cryptocurrency-themed Kupay Wallet macOS malware package used in an AppleJeus campaign. The
Fudmodule (3 votes): FudModule is a sophisticated rootkit associated with the North Korea-linked groups Citrine Sleet (also known as AppleJeus, Labyrinth Chollima, UNC4736, and Hidden Cobra) and Diamond Sleet, both sub-clusters of the activity broadly tracked as Lazarus Group. This data-only rootkit executes entirely from user space, employing direct kernel object m
HIDDEN COBRA (2 votes): Hidden Cobra, also known as Lazarus Group, TEMP.Hermit, and several other names, is a threat actor attributed to the North Korean government by the U.S. Government. The group has been involved in various malicious cyber activities, including cyberespionage, ransomware attacks, and destructive operat
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
Chrome
Vulnerability
Malware
Chromium
Microsoft
Rootkit
Associated Threat Actors
Diamond Sleet (association type: Unspecified, 2 votes): Diamond Sleet, a threat actor linked to North Korea, has been identified as a significant cybersecurity concern. This group, also known as Selective Pisces, has targeted various sectors including media, defense, and IT organizations. The advanced persistent threat (APT) group is known for its supply
Associated Vulnerabilities
CVE-2024-7971 (association type: Unspecified, 2 votes): no profile description.
Source Document References
Information about the Citrine Sleet Threat Actor was read from the documents corpus below.
Unit42, 7 days ago: Threat Assessment: North Korean Threat Groups
DARKReading, 13 days ago: North Korean APT Exploits Novel Chromium, Windows Bugs to Steal Crypto
BankInfoSecurity, 14 days ago: North Korean Hackers Tied to Exploits of Chromium Zero-Day
Securityaffairs, 15 days ago: Security Affairs newsletter Round 487 by Pierluigi Paganini – INTERNATIONAL EDITION