Kandykorn

Malware updated 2 months ago (2024-09-10T03:18:13.540Z)
Download STIX
Preview STIX
KandyKorn is a type of malware, first discovered in 2023, that targets macOS systems. Developed by the Lazarus hacking group, this malicious software specifically aims at blockchain engineers. The known infection process begins with social engineering tactics, tricking the victim into downloading a malicious ZIP archive containing a harmful Python script. This malware is part of a five-stage infection chain, where KandyKorn serves as the final payload. The attack culminates when another malware, SUGARLOADER, downloads KandyKorn and loads it into memory using a technique called reflective loading. Once loaded, KandyKorn exhibits several capabilities including information gathering, data exfiltration, and arbitrary command execution. This allows the attackers to gain access to sensitive information and control over the infected system, potentially causing significant damage or disruption. In response to the threat posed by KandyKorn and other types of malware like RustBucket, SmoothOperator, ObjCShellz, Fullhouse, POOLRAT, PondRAT, OdicLoader, Comebacker, and CollectionRAT, prevention and detection alerts have been implemented. These measures are designed to identify and neutralize the threat before it can cause harm, protecting systems from potential exploitation and data theft.
Description last updated: 2024-09-10T03:16:50.584Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Bluenoroff is a possible alias for Kandykorn. BlueNoroff, a threat actor group linked to North Korea, has been identified as the malicious entity behind several high-profile cyber-attacks. Since first making headlines with an attack on Sony Pictures in 2014, BlueNoroff and its parent group Lazarus have been involved in numerous notorious securi
3
TA444 is a possible alias for Kandykorn. TA444, also known as BlueNoroff, APT28, Nickel Gladstone, Sapphire Sleet, Stardust Chollima, and other monikers, is a prolific North Korean state-backed threat actor known for its malicious cyber activities. The group has been continuously generating proprietary malware, distinguishing it from other
3
Spectralblur is a possible alias for Kandykorn. SpectralBlur is a newly detected malware, identified as a macOS backdoor, that has been making headlines since the start of 2024. It was first spotted by cybersecurity experts who have tentatively attributed its creation and deployment to the Bluenoroff group. This malicious software, like others of
3
Rustbucket is a possible alias for Kandykorn. RustBucket is a malicious software (malware) specifically targeting macOS systems, first reported in 2023 and attributed to the North Korea-linked threat actor group, BlueNoroff. This malware was initially uncovered in 2021 as part of the RustBucket campaign and has since evolved into multiple varia
2
Sockracket is a possible alias for Kandykorn.
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Macos
Malware
Python
Payload
Apt
Phishing
Implant
Backdoor
Encrypt
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Objcshellz Malware is associated with Kandykorn. ObjCShellz is a lightweight malware written in Objective-C, known for its advanced obfuscation features. Discovered by Jamf Threat Labs in November 2023, this malware operates as a relatively simple backdoor, serving as a remote shell that allows an attacker to execute arbitrary commands. It's typicUnspecified
3
The Swiftloader Malware is associated with Kandykorn. SwiftLoader is a sophisticated malware that functions as a PDF viewer to lure unsuspecting victims. It was initially used in the RustBucket campaign, where it served as a second-stage malware, infecting systems through seemingly innocent downloads such as documents sent to targets. Notably, SwiftLoaUnspecified
2
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Lazarus Group Threat Actor is associated with Kandykorn. The Lazarus Group, a notorious North Korean state-sponsored threat actor, is among the most prolific and dangerous cyber threat actors in operation. The group has been involved in several high-profile cyber-attacks, including Operation DreamJob in Spain, with the primary objective of funding North KUnspecified
4
Source Document References
Information about the Kandykorn Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
Unit42
2 months ago
Securityaffairs
3 months ago
Securityaffairs
4 months ago
Securityaffairs
4 months ago
Securityaffairs
4 months ago
Securityaffairs
4 months ago
Securityaffairs
4 months ago
Securityaffairs
5 months ago
Securityaffairs
5 months ago
Securityaffairs
5 months ago
Securityaffairs
6 months ago
Securityaffairs
7 months ago
Securityaffairs
7 months ago
Securityaffairs
7 months ago
Securityaffairs
7 months ago
Securityaffairs
8 months ago
Securityaffairs
8 months ago
Securityaffairs
8 months ago
Securityaffairs
8 months ago
Securityaffairs
9 months ago