Citrine Sleet

Threat Actor updated a month ago (2024-11-29T13:55:37.841Z)
Citrine Sleet, also known as Gleaming Pisces, is a financially motivated threat actor associated with North Korea that has been active since at least 2018. The group is best known for distributing the AppleJeus malware to cryptocurrency traders. It has been linked to a series of attacks on the cryptocurrency industry and is known for its use of the macOS remote administration tool POOLRAT. Citrine Sleet has also been associated with several other aliases, including Labyrinth Chollima, UNC4736, and Hidden Cobra, which further complicates tracking. In 2024, Citrine Sleet exploited the Chromium zero-day vulnerability CVE-2024-38106, directing targets to the exploit domain under its control, voyagorclub[.]space. Although initial reports linked this exploit activity to the aforementioned CVE, investigations have found no direct link beyond exploitation of the same vulnerability. The attack followed the typical stages of a browser exploit chain. The group also exploited a second Google Chrome zero-day, CVE-2024-7971, to deploy the FudModule rootkit. Citrine Sleet's activities pose significant risk, particularly to the cryptocurrency industry, given the group's focus on that sector and its use of sophisticated techniques such as zero-day exploitation. Although the exploited vulnerabilities have been patched, the group's evolving tactics and persistent attacks underscore the need for robust defences, including regular software updates, comprehensive threat intelligence, and proactive defensive strategies.
Description last updated: 2024-10-17T12:11:40.653Z
Possible Aliases / Cluster overlaps
Tracking cluster overlaps and naming conventions across vendors is difficult, so the following are possibly overlapping names and profiles that may also be worth reviewing.
Alias / Description / Votes
AppleJeus (4 votes): AppleJeus is a possible alias for Citrine Sleet. AppleJeus is a malware attributed with medium confidence to the North Korea-linked APT group "Gleaming Pisces," also known as Citrine Sleet, by researchers at Palo Alto's Unit 42. The group has been notorious for distributing versions of AppleJeus malware disguised as legitimate cryptocurrency tradi
Gleaming Pisces (3 votes): Gleaming Pisces is a possible alias for Citrine Sleet. Gleaming Pisces, also known as Citrine Sleet, is a threat actor group linked to North Korea that has been active since at least 2018. This group is known for its sophisticated attacks against the cryptocurrency industry and has shown an affinity for targeting macOS and Linux systems, forgoing the tr
Fudmodule (3 votes): Fudmodule is a possible alias for Citrine Sleet. FudModule is a sophisticated malware that has been associated with various North Korean hacking campaigns since October 2021. It uses direct kernel object manipulation (DKOM) techniques to bypass kernel security checks and has seen significant improvements since its initial discovery three years ago
HIDDEN COBRA (2 votes): HIDDEN COBRA is a possible alias for Citrine Sleet. Hidden Cobra, also known as Lazarus Group and Guardians of Peace, is a North Korean government-linked threat actor known for its malicious cyber activities. The group has primarily conducted cyberespionage but has also been involved in ransomware activity. The U.S. Government refers to this team's s
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Microsoft
Vulnerability
Malware
Chromium
Linux
Tool
Rootkit
macOS
APT
Chrome
Associated Malware
Alias / Description / Association Type / Votes
POOLRAT (association type: Unspecified; 2 votes): The Poolrat Malware is associated with Citrine Sleet. POOLRAT is a malicious software (malware) first reported by the Cybersecurity and Infrastructure Security Agency (CISA) in 2021. It primarily targets macOS and Linux systems, functioning as a backdoor to gain unauthorized access. The malware was initially identified as a file named 'prtspool', suspe
Associated Threat Actors
Alias / Description / Association Type / Votes
Diamond Sleet (association type: Unspecified; 2 votes): The Diamond Sleet Threat Actor is associated with Citrine Sleet. Diamond Sleet, a threat actor linked to North Korea, has been identified as a significant cybersecurity concern. This group, also known as Selective Pisces, has targeted various sectors including media, defense, and IT organizations. The advanced persistent threat (APT) group is known for its supply
Associated Vulnerabilities
Alias / Description / Association Type / Votes
CVE-2024-7971 (association type: Unspecified; 2 votes): The vulnerability CVE-2024-7971 is associated with Citrine Sleet.
CVE-2024-38106 (association type: Unspecified; 2 votes): The vulnerability CVE-2024-38106 is associated with Citrine Sleet.