New macOS ‘KandyKorn’ malware targets cryptocurrency engineers

New macOS 'KandyKorn' malware targets cryptocurrency engineers

November 2, 2023 at 03:24PM

The Lazarus hacking group, believed to be linked to North Korea, has been targeting blockchain engineers of a cryptocurrency exchange platform with a new macOS malware called ‘KandyKorn’. The attackers use social engineering to trick victims into downloading a malicious ZIP file disguised as a legitimate arbitrage bot. The malware, once installed, allows the hackers to steal data and carry out various commands on the infected computer. The Lazarus group has shown a particular interest in the cryptocurrency sector for financial gain. This highlights that macOS is not immune to sophisticated malware attacks.

From the meeting notes, it is clear that a new macOS malware called ‘KandyKorn’ has been discovered. This malware is attributed to the North Korean Lazarus hacking group and is specifically targeting blockchain engineers of a cryptocurrency exchange platform.

The attackers are impersonating members of the cryptocurrency community on Discord channels to spread Python-based modules that trigger a multi-stage infection chain. The attacks have been discovered and attributed by Elastic Security, based on similarities to past Lazarus campaigns.

The attack starts on Discord with social engineering techniques to deceive targets into downloading a malicious ZIP archive named ‘Cross-platform’. The ZIP file contains a Python script (‘’) that imports 13 modules and launches the first payload, ‘’. is a downloader that unpacks and executes a second Python script called ‘’ and a Python file called ‘FinderTools’. FinderTools is a dropper that fetches and launches an obfuscated binary named ‘SugarLoader’, which establishes a connection with the command and control server to load the final payload, KandyKorn, into memory.

At the final stage of the attack, a loader known as HLoader is used to achieve persistence and hijack the Discord app on the infected system. HLoader renames itself and the legitimate Discord binary, executes both files, and renames them back to their original names.

KandyKorn is the advanced final-stage payload that allows Lazarus to access and steal data from the infected computer. It operates in the background as a daemon, waiting for commands from the command and control server. It supports various commands such as system information gathering, directory listing, file upload/download, secure deletion, process termination, and command execution.

These findings highlight that the cryptocurrency sector is a primary target for Lazarus, primarily driven by financial gain. The presence of KandyKorn indicates that macOS is within Lazarus’ targeting range, demonstrating their ability to create sophisticated and inconspicuous malware tailored for Apple computers.

Full Article