Swiftloader

Malware updated 7 months ago (2024-05-04T18:14:50.586Z)
Download STIX
Preview STIX
SwiftLoader is a sophisticated malware that functions as a PDF viewer to lure unsuspecting victims. It was initially used in the RustBucket campaign, where it served as a second-stage malware, infecting systems through seemingly innocent downloads such as documents sent to targets. Notably, SwiftLoader has been observed to run on both Intel and Apple Silicon hardware, demonstrating its broad reach and potential for damage. The malware operates by retrieving and executing further stage malware written in Rust while victims view the lure document. There are intriguing overlaps between SwiftLoader and the KandyKorn operation, suggesting a connection. Our research indicates that SwiftLoader droppers have been used to deliver KandyKorn payloads, revealing a trend among DPRK threat actors of 'mixing and matching' components from these operations. Furthermore, we've identified shared infrastructure between ObjCShellz payloads and SwiftLoader stagers, suggesting that ObjCShellz is likely a later stage of the SwiftLoader SecurePDF Viewer.app. Several versions of SwiftLoader have been detected in the wild, including one distributed under the guise of a file named "Crypto-assets and their risks for financial stability.app.zip". This particular variant had multiple elements linking it to the KandyKorn operation. These findings underscore the evolving nature of cyber threats and the need for continuous vigilance and robust cybersecurity measures to protect against such harmful software.
Description last updated: 2024-05-04T17:15:47.116Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Rustbucket is a possible alias for Swiftloader. RustBucket is a malicious software (malware) specifically targeting macOS systems, first reported in 2023 and attributed to the North Korea-linked threat actor group, BlueNoroff. This malware was initially uncovered in 2021 as part of the RustBucket campaign and has since evolved into multiple varia
2
Objcshellz is a possible alias for Swiftloader. ObjCShellz is a lightweight malware written in Objective-C, known for its advanced obfuscation features. Discovered by Jamf Threat Labs in November 2023, this malware operates as a relatively simple backdoor, serving as a remote shell that allows an attacker to execute arbitrary commands. It's typic
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Payload
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Kandykorn Malware is associated with Swiftloader. KandyKorn is a type of malware, first discovered in 2023, that targets macOS systems. Developed by the Lazarus hacking group, this malicious software specifically aims at blockchain engineers. The known infection process begins with social engineering tactics, tricking the victim into downloading a Unspecified
2
Associated Vulnerabilities
To see the evidence that has resulted in these vulnerability associations, create a free account
Alias DescriptionAssociation TypeVotes
The vulnerability Swiftloader Securepdf viewer.app is associated with Swiftloader. Unspecified
2
Source Document References
Information about the Swiftloader Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more