TA444

Threat Actor updated 23 days ago (2024-11-29T13:33:48.191Z)
Download STIX
Preview STIX
TA444, also known as BlueNoroff, APT28, Nickel Gladstone, Sapphire Sleet, Stardust Chollima, and other monikers, is a prolific North Korean state-backed threat actor known for its malicious cyber activities. The group has been continuously generating proprietary malware, distinguishing it from other DPRK-sponsored threats. In recent times, TA444 has been particularly active, creating new MacOS malware families at a rapid pace. One of the latest additions to their arsenal is "SpectralBlur," a custom tool targeting macOS users, which was debuted in August. This malware shows significant similarities with the KANDYKORN malware family (also known as SockRacket), previously attributed to the North Korea-linked Lazarus sub-group. Proofpoint researchers have highlighted the unique capabilities of TA444, especially in terms of malware creation. Post-exploitation backdoors like SpectralBlur and KandyKorn are areas where TA444 truly stands out, indicating an embedded or devoted malware development element within the operations of TA444. Further analysis led to the linking of SpectralBlur and KandyKorn to TA444, following the discovery of more samples and a phishing campaign that downloaded KandyKorn. Notably, TA444 often shares overlaps with its well-known cousin APT, the Lazarus Group. The cybersecurity industry and organizations such as the Apple device management company have recognized the threat posed by TA444. An advisory from CISA followed weeks after Proofpoint's revelation about this new DPRK cyber actor. Despite the various naming conventions, it is clear that TA444, under all its aliases, presents a significant threat to cybersecurity, particularly for macOS users. The group's continuous malware development and fast-paced operations underscore the importance of robust security measures and constant vigilance against such advanced persistent threats.
Description last updated: 2024-05-05T06:25:03.068Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Kandykorn is a possible alias for TA444. KandyKorn is a type of malware, first discovered in 2023, that targets macOS systems. Developed by the Lazarus hacking group, this malicious software specifically aims at blockchain engineers. The known infection process begins with social engineering tactics, tricking the victim into downloading a
3
Lazarus Group is a possible alias for TA444. The Lazarus Group, a notorious threat actor attributed to North Korea, is renowned for its malicious activities aimed at furthering the country's objectives. This group has been implicated in several high-profile cyber-attacks, including an attack in Spain known as Operation DreamJob. The exploitati
2
Bluenoroff is a possible alias for TA444. BlueNoroff, a threat actor group linked to North Korea, has been identified as the malicious entity behind several high-profile cyber-attacks. Since first making headlines with an attack on Sony Pictures in 2014, BlueNoroff and its parent group Lazarus have been involved in numerous notorious securi
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Phishing
Macos
Backdoor
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The malware Sockracket is associated with TA444. Unspecified
2
The Spectralblur Malware is associated with TA444. SpectralBlur is a newly detected malware, identified as a macOS backdoor, that has been making headlines since the start of 2024. It was first spotted by cybersecurity experts who have tentatively attributed its creation and deployment to the Bluenoroff group. This malicious software, like others ofUnspecified
2