January 5, 2024 at 03:06PM
TA444, a North Korean state-backed threat actor, has introduced “SpectralBlur,” a new macOS-targeting malware. It offers various capabilities, including file upload/download, shell execution, and command execution. This development underscores the group’s consistent generation of proprietary malware. The malware shares similarities with Lazarus Group’s tools, indicating a significant focus on macOS users by North Korean attackers.
From the meeting notes, it is clear that the North Korean state-backed threat actor TA444 has launched a new malware called “SpectralBlur” targeting macOS users. The malware is described as a moderately capable backdoor that can upload and download files, execute shell commands, update its configuration, delete files, hibernate, and sleep, all in response to commands from a command-and-control server. TA444 is known for consistently generating proprietary malware, which sets it apart from other DPRK-sponsored threats. It is also noted that SpectralBlur shares similarities with the KandyKorn macOS data stealer, which is linked to the Lazarus Group. This suggests that macOS users are increasingly becoming a focus for North Korean nation-state attackers, particularly TA444. Additionally, it was emphasized that TA444 excels at malware creation, specifically post-exploitation backdoors such as SpectralBlur and KandyKorn, indicating a dedicated malware development element within the group.