TA444

Threat Actor updated 4 months ago (2024-05-05T07:17:37.841Z)
TA444, also known as BlueNoroff, APT28, Nickel Gladstone, Sapphire Sleet, Stardust Chollima, and other monikers, is a prolific North Korean state-backed threat actor known for its malicious cyber activities. The group continuously produces proprietary malware, which distinguishes it from other DPRK-sponsored threats. Recently, TA444 has been particularly active, creating new macOS malware families at a rapid pace. One of the latest additions to its arsenal is "SpectralBlur," a custom tool targeting macOS users, which debuted in August. This malware shows significant similarities to the KANDYKORN malware family (also known as SockRacket), previously attributed to the North Korea-linked Lazarus sub-group. Proofpoint researchers have highlighted TA444's unique capabilities, especially in malware creation. Post-exploitation backdoors such as SpectralBlur and KandyKorn are where TA444 truly stands out, indicating an embedded or dedicated malware development element within TA444's operations. Further analysis linked SpectralBlur and KandyKorn to TA444 after the discovery of more samples and of a phishing campaign that downloaded KandyKorn. Notably, TA444 often overlaps with its well-known cousin APT, the Lazarus Group. The cybersecurity industry and organizations such as the Apple device management company have recognized the threat posed by TA444. An advisory from CISA followed weeks after Proofpoint's revelation about this new DPRK cyber actor. Despite the various naming conventions, it is clear that TA444, under all its aliases, presents a significant threat, particularly to macOS users. The group's continuous malware development and fast-paced operations underscore the importance of robust security measures and constant vigilance against such advanced persistent threats.
Description last updated: 2024-05-05T06:25:03.068Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Kandykorn | 3 | KandyKorn is a new strain of malware that has recently been identified as an emerging threat to the technology sector, particularly targeting blockchain engineers. The malicious software, which is designed to infiltrate and damage computer systems, often enters undetected through suspicious download
Lazarus Group | 2 | The Lazarus Group, a notorious threat actor associated with North Korea, has been implicated in several high-profile cyber attacks and exploitation activities. The group's objective often involves establishing a kernel read/write primitive, which allows them to gain high-level access to systems and
Bluenoroff | 2 | BlueNoroff, a threat actor closely associated with the notorious Lazarus Group, has been actively involved in malicious cyber activities primarily targeting financial institutions and cryptocurrency businesses. Known for its sophisticated attacks on banks, casinos, fintech companies, POST software,
Miscellaneous Associations
Other elements of context that could help assess relevance
Malware
Phishing
Macos
Backdoor
Analyst Notes & Discussion
Associated Malware
ID | Type | Votes | Profile Description
Sockracket | Unspecified | 2 | None
Spectralblur | Unspecified | 2 | SpectralBlur is a newly detected malware, identified as a macOS backdoor, that has been making headlines since the start of 2024. It was first spotted by cybersecurity experts who have tentatively attributed its creation and deployment to the Bluenoroff group. This malicious software, like others of
Source Document References
Information about the TA444 Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Source | Created | Title
CERT-EU | 8 months ago | Experts spotted a new macOS Backdoor named SpectralBlur linked to North Korea
Securityaffairs | 8 months ago | Experts spotted a new macOS Backdoor named SpectralBlur linked to North Korea
DARKReading | 8 months ago | North Korea Debuts 'SpectralBlur' Malware Amid macOS Onslaught
CERT-EU | 10 months ago | N. Korea's BlueNoroff Blamed for Hacking macOS Machines with ObjCShellz Malware
CERT-EU | 2 years ago | US Warns Critical Sectors Against North Korean Ransomware Attacks | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware - National Cyber Security
CERT-EU | a year ago | Lazarus Subgroup Targeting Apple Devices with New RustBucket macOS Malware
DARKReading | 2 years ago | North Korea's Top APT Swindled $1B From Crypto Investors in 2022