TA444

Threat Actor updated 6 months ago (2024-05-05T07:17:37.841Z)
TA444, also known as BlueNoroff, APT28, Nickel Gladstone, Sapphire Sleet, Stardust Chollima, and other monikers, is a prolific North Korean state-backed threat actor. The group continuously produces proprietary malware, which distinguishes it from other DPRK-sponsored threats, and has recently been creating new macOS malware families at a rapid pace. One of the latest additions to its arsenal is "SpectralBlur," a custom tool targeting macOS users that debuted in August. SpectralBlur shows significant similarities with the KANDYKORN malware family (also known as SockRacket), previously attributed to the North Korea-linked Lazarus sub-group. Proofpoint researchers have highlighted TA444's unique capabilities in malware creation: post-exploitation backdoors such as SpectralBlur and KandyKorn are where TA444 truly stands out, indicating an embedded or dedicated malware development element within its operations. Further analysis linked SpectralBlur and KandyKorn to TA444 after the discovery of more samples and of a phishing campaign that downloaded KandyKorn. Notably, TA444 often overlaps with its well-known cousin APT, the Lazarus Group. The cybersecurity industry and organizations such as the Apple device management company have recognized the threat posed by TA444, and an advisory from CISA followed weeks after Proofpoint's revelation about this new DPRK cyber actor. Despite the varied naming conventions, TA444, under all its aliases, presents a significant threat, particularly to macOS users. The group's continuous malware development and fast-paced operations underscore the importance of robust security measures and constant vigilance against such advanced persistent threats.
Description last updated: 2024-05-05T06:25:03.068Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.

Alias | Description | Votes
Kandykorn | Kandykorn is a possible alias for TA444. KandyKorn is a type of malware, first discovered in 2023, that targets macOS systems. Developed by the Lazarus hacking group, this malicious software specifically aims at blockchain engineers. The known infection process begins with social engineering tactics, tricking the victim into downloading a | 3
Lazarus Group | Lazarus Group is a possible alias for TA444. The Lazarus Group, also known as Hidden Cobra and Guardians of Peace, is a notorious threat actor attributed to North Korea. Their activities date back several years, with significant exploits including the "FASTCash" ATM cash-out scheme warned about by the US-CERT in October 2018. More recently, th | 2
Bluenoroff | Bluenoroff is a possible alias for TA444. BlueNoroff, a financially motivated threat actor closely associated with the Lazarus group, is a Korean-speaking entity known for targeting banks, casinos, fintech companies, POST software, cryptocurrency businesses, and ATMs. According to Kaspersky Labs, this subgroup of the Lazarus hacking group h | 2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Phishing
macOS
Backdoor
Associated Malware
Malware | Description | Association Type | Votes
Sockracket | The malware Sockracket is associated with TA444. | Unspecified | 2
Spectralblur | The Spectralblur malware is associated with TA444. SpectralBlur is a newly detected malware, identified as a macOS backdoor, that has been making headlines since the start of 2024. It was first spotted by cybersecurity experts who have tentatively attributed its creation and deployment to the Bluenoroff group. This malicious software, like others of | Unspecified | 2