Swiftloader

Malware Profile Updated 3 months ago
Download STIX
Preview STIX
SwiftLoader is a sophisticated malware that functions as a PDF viewer to lure unsuspecting victims. It was initially used in the RustBucket campaign, where it served as a second-stage malware, infecting systems through seemingly innocent downloads such as documents sent to targets. Notably, SwiftLoader has been observed to run on both Intel and Apple Silicon hardware, demonstrating its broad reach and potential for damage. The malware operates by retrieving and executing further stage malware written in Rust while victims view the lure document. There are intriguing overlaps between SwiftLoader and the KandyKorn operation, suggesting a connection. Our research indicates that SwiftLoader droppers have been used to deliver KandyKorn payloads, revealing a trend among DPRK threat actors of 'mixing and matching' components from these operations. Furthermore, we've identified shared infrastructure between ObjCShellz payloads and SwiftLoader stagers, suggesting that ObjCShellz is likely a later stage of the SwiftLoader SecurePDF Viewer.app. Several versions of SwiftLoader have been detected in the wild, including one distributed under the guise of a file named "Crypto-assets and their risks for financial stability.app.zip". This particular variant had multiple elements linking it to the KandyKorn operation. These findings underscore the evolving nature of cyber threats and the need for continuous vigilance and robust cybersecurity measures to protect against such harmful software.
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
Rustbucket
2
RustBucket is a malicious software (malware) campaign that was first uncovered in 2021 and attributed to BlueNoroff, a North Korea-linked Advanced Persistent Threat (APT) group. The malware is known for its ability to exploit and damage computer systems, often infiltrating through suspicious downloa
Objcshellz
2
ObjCShellz is a lightweight but advanced malware written in Objective-C, identified by researchers from Jamf Threat Labs in November 2023. This malicious software is designed to infiltrate macOS systems and enable remote execution of commands by attackers. It is characterized by its advanced obfusca
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Payload
Malware
Dropper
Sentinelone
Loader
Rat
Macos
Associated Malware
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
KandykornUnspecified
2
KandyKorn is a new strain of malware that has recently been identified as an emerging threat to the technology sector, particularly targeting blockchain engineers. The malicious software, which is designed to infiltrate and damage computer systems, often enters undetected through suspicious download
Associated Threat Actors
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
Lazarus GroupUnspecified
1
The Lazarus Group, a notorious threat actor believed to be linked to North Korea, has been attributed with a series of significant cyber-attacks over the past few years. The group's malicious activities include the exploitation of digital infrastructure, stealing cryptocurrency, and executing large-
Associated Vulnerabilities
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
Swiftloader Securepdf viewer.appUnspecified
2
None
Source Document References
Information about the Swiftloader Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
SourceCreatedAtTitle
CERT-EU
8 months ago
DPRK Crypto Theft | macOS RustBucket Droppers Pivot to Deliver KandyKorn Payloads
CERT-EU
8 months ago
DPRK hackers take aim at macOS by blending malware
DARKReading
8 months ago
macOS Malware Mix & Match: North Korean APTs Stir Up Fresh Attacks
CERT-EU
8 months ago
North Korean Hackers Now Merging macOS Malware Strains
CERT-EU
8 months ago
North Korean hackers evolve their techniques by mixing malware from previous campaigns