In a recent revelation, Elastic Security Labs has uncovered a sophisticated cyber intrusion by North Korean hackers believed to be associated with the Lazarus Group.
This incident, tracked as REF7001, involved the use of a new macOS malware named Kandykorn, which has been specifically designed to target blockchain engineers involved in cryptocurrency exchange platforms.
North Korean Hackers Target Crypto Engineers with Discord-Distributed Malware
Elastic Security Labs has exposed a sophisticated cyber intrusion by North Korean hackers believed to be associated with the notorious Lazarus Group. This incident, which targeted blockchain engineers involved in cryptocurrency exchange platforms, utilized a deceptive Python program masquerading as a cryptocurrency arbitrage bot.
What sets this attack apart is its distribution method: the attackers distributed the malware through a private message on a public Discord server, which is atypical of macOS intrusion tactics.
“The victim believed they were installing an arbitrage bot, a software tool capable of profiting from cryptocurrency rate differences between platforms,” explained the researchers at Elastic Security Labs.
After installation, the Kandykorn malware initiates communication with a command-and-control (C2) server, using RC4 encryption and a distinct handshake mechanism. Instead of actively polling for commands, it waits for the server to issue them. This approach lets the attackers retain discreet control over compromised systems.
Kandykorn Malware Tactics Reveal Ties to Lazarus Group
Elastic Security Labs has provided valuable insight into the capabilities of Kandykorn, which include file upload and download, process manipulation, and execution of arbitrary system commands. Of particular concern is its use of reflective binary loading, a fileless execution technique associated with the notorious Lazarus Group. The Lazarus Group is
Author: Wayne Jones