TA444

Threat Actor Profile (updated 3 months ago)
TA444, also known as BlueNoroff, APT28, Nickel Gladstone, Sapphire Sleet, Stardust Chollima, and other monikers, is a prolific North Korean state-backed threat actor known for its malicious cyber activities. The group continuously generates proprietary malware, which distinguishes it from other DPRK-sponsored threats. Recently, TA444 has been particularly active, creating new macOS malware families at a rapid pace. One of the latest additions to its arsenal is "SpectralBlur," a custom tool targeting macOS users that debuted in August. This malware shows significant similarities to the KANDYKORN malware family (also known as SockRacket), previously attributed to the North Korea-linked Lazarus sub-group.

Proofpoint researchers have highlighted TA444's distinctive capabilities, especially in malware creation: post-exploitation backdoors such as SpectralBlur and KandyKorn are where TA444 truly stands out, indicating an embedded or dedicated malware development element within its operations. Further analysis, following the discovery of more samples and a phishing campaign that downloaded KandyKorn, linked both SpectralBlur and KandyKorn to TA444. Notably, TA444 often overlaps with its well-known cousin APT, the Lazarus Group. The cybersecurity industry and organizations such as the Apple device management company have recognized the threat posed by TA444, and an advisory from CISA followed weeks after Proofpoint's revelation about this new DPRK cyber actor. Despite the various naming conventions, it is clear that TA444, under all its aliases, presents a significant threat, particularly to macOS users. The group's continuous malware development and fast-paced operations underscore the need for robust security measures and constant vigilance against such advanced persistent threats.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
Profile (votes): description

Kandykorn (3 votes): KandyKorn is a new strain of malware that has recently been identified as an emerging threat to the technology sector, particularly targeting blockchain engineers. The malicious software, which is designed to infiltrate and damage computer systems, often enters undetected through suspicious download

Lazarus Group (2 votes): The Lazarus Group, a notorious threat actor believed to be linked to North Korea, has been attributed with a series of significant cyber-attacks over the past few years. The group's malicious activities include the exploitation of digital infrastructure, stealing cryptocurrency, and executing large-

Bluenoroff (2 votes): BlueNoroff, a threat actor closely associated with the notorious Lazarus Group, has been actively involved in malicious cyber activities primarily targeting financial institutions and cryptocurrency businesses. Known for its sophisticated attacks on banks, casinos, fintech companies, POST software,

APT38 (1 vote): APT38, also known as TA444, BlueNoroff, BlackAlicanto, Coperenicum, Sapphire Sleet, Stardust Chollima, and TraderTraitor, is a threat actor group suspected to be backed by the North Korean regime. The group has been active in operations across over 16 organizations in at least 11 countries, primaril

Stardust Chollima (1 vote): Stardust Chollima is a recognized threat actor in the cybersecurity industry, primarily known for its malicious activities aimed at acquiring funds. This group has been linked to various high-profile cyber-attacks and fraudulent activities since 2015. Stardust Chollima has been associated with the f

Sapphire Sleet (1 vote): Sapphire Sleet is a threat actor, or malicious entity, that is linked to North Korea. This group has been identified as an Advanced Persistent Threat (APT), known for executing sophisticated and continuous cyberattacks. Sapphire Sleet has been particularly active in targeting IT job seekers through

Copernicium (1 vote): (no description)
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware, Phishing, macOS, Backdoor, WhatsApp, Cybercrime, CISA, DPRK, APT, Exploit
Associated Malware
Profile (type, votes): description

Spectralblur (type unspecified, 2 votes): SpectralBlur is a new form of malware that has emerged as a significant cybersecurity threat in 2024. It is characterized as a backdoor Trojan targeting macOS systems, allowing unauthorized access and control over infected devices. This malicious software is capable of exploiting and damaging the us

Sockracket (type unspecified, 2 votes): (no description)
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the TA444 Threat Actor was read from the documents corpus below. This display is limited to 20 results.

Source, created at: title

CERT-EU, 7 months ago: Experts spotted a new macOS Backdoor named SpectralBlur linked to North Korea
Securityaffairs, 7 months ago: Experts spotted a new macOS Backdoor named SpectralBlur linked to North Korea
DARKReading, 7 months ago: North Korea Debuts 'SpectralBlur' Malware Amid macOS Onslaught
CERT-EU, 9 months ago: N. Korea's BlueNoroff Blamed for Hacking macOS Machines with ObjCShellz Malware
CERT-EU, a year ago: US Warns Critical Sectors Against North Korean Ransomware Attacks | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware - National Cyber Security
CERT-EU, a year ago: Lazarus Subgroup Targeting Apple Devices with New RustBucket macOS Malware
DARKReading, a year ago: North Korea's Top APT Swindled $1B From Crypto Investors in 2022