Hackers are now distributing a Python app posing as a crypto arbitrage bot via a direct message on a public Discord server.
The infamous North Korean hacking group Lazarus Group is now targeting macOS blockchain engineers on Discord with novel malware.
According to cybersecurity firm Elastic Security Labs, the hackers have started distributing a Python-based application pretending to be a crypto arbitrage bot via direct messages on Discord servers.
The analysts attribute the so-called Kandykorn malware to North Korea, citing the “techniques, network infrastructure, code-signing certificates, and custom Lazarus Group detection rules.”
“The DPRK, via units like the LAZARUS GROUP, continues to target crypto-industry businesses with the goal of stealing cryptocurrency in order to circumvent international sanctions that hinder the growth of their economy and ambitions,” Elastic Security Labs wrote.
The bad actors reportedly try to convince victims to download and decompress a ZIP archive containing the malware, disguised as an arbitrage bot. Once the malware has been installed on the victim’s device, it possesses a “full-featured set of capabilities to access and exfiltrate data from the victim’s computer,” Elastic Security Labs says.
The firm claims the hackers have been using this scheme since at least April 2023, adding that the threat is still active and the tools and techniques “are being continuously developed.”
Lazarus Group shows no signs of stopping and keeps developing new tricks to carry out its fraudulent activities. In early September, the Federal Bureau of Investigation (FBI) said the North Korea-backed hacking group was behind the attack on crypto casino Stake. As crypto.news reported, Stake suffered a hacker attack on Sep. 4, resulting in a loss of more than $40 million in crypto.