Monday, May 5, 2025
Homecyber securityHackers Attacking Blockchain Engineers with Novel macOS Malware

Hackers Attacking Blockchain Engineers with Novel macOS Malware

Published on

SIEM as a Service

Follow Us on Google News

The frequency of hackers exploiting macOS flaws varies over time, but Apple continuously releases security updates to patch vulnerabilities. 

While macOS is generally considered more secure than some other operating systems but, it is not immune to exploitation, and hackers may target it, especially if they discover new vulnerabilities.

Recently, cybersecurity researchers at Elastic Security Labs identified that hackers are actively attacking blockchain engineers of a crypto exchange platform with a new macOS malware.

- Advertisement - Google News

Novel macOS Malware

For initial access and post-exploitation, the breach used custom and open-source tools. It was detected during the analysis of a macOS endpoint involving a Python app disguised as a crypto bot in a Discord direct message.

Document
FREE Webinar

Webinar on Cyber Resilience for Financial Sector

Ensure your Cyber Resiliance with the recent wave of cyber-attacks targeting the financial services sector. Almost 60% respondents not confident to recover fully from a cyber attack.

This activity is linked to DPRK and shares similarities with the Lazarus Group, and security analysts labeled it REF7001 by considering the following elements:-

  • Techniques
  • Infrastructure
  • Certificates
  • Detection rules

Malicious actors posed as blockchain community members on a public Discord, duping an individual into downloading a deceptive ZIP file. The victim mistook it for a crypto arbitrage bot, leading to an initial compromise.

This marked the start of REF7001’s malware sequence, ultimately leading to ‘KANDYKORN”:-

  • Stage 0 (Initial Compromise) – Watcher.py
  • Stage 1 (Dropper) – testSpeed.py and FinderTools
  • Stage 2 (Payload) – .sld and .log – SUGARLOADER
  • Stage 3 (Loader)- Discord (fake) – HLOADER
  • Stage 4 (Payload) – KANDYKORN

Both stage 3 and stage 4 executables share the same encrypted RC4 protocol for C2 communication, using a consistent key. These samples wrap send-and-receive system calls, encrypting data before sending and decrypting before processing.

During initialization, a handshake occurs between the malware and the C2, and if the handshake fails, the attack halts.

The client sends a random number to the C2, which responds with a nonce, and then a challenge is computed by the client and sent to the server.

After the connection, the client shares its ID and awaits server commands. All data exchanged follows a consistent serialization pattern:-

  • Length
  • Payload
  • Return code to track errors

REF7001 involved the adversary obtaining payloads and loaders from the network infrastructure. They distributed the initial malware archive via a Google Drive link in a blockchain Discord server.

Besides this, two C2 servers were detected during the REF7001 analysis, and they are mentioned below:-

  • tp-globa[.]xyz//OdhLca1mLUp/lZ5rZPxWsh/7yZKYQI43S/fP7savDX6c/bfC
  • 23.254.226[.]90

DPRK’s LAZARUS GROUP targets crypto firms for stolen coins to evade sanctions. They trick blockchain engineers on a chat server, promising money but infecting victims who interact.

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Try a free trial to ensure 100% security.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

NCSC Warns of Ransomware Attacks Targeting UK Organisations

National Cyber Security Centre (NCSC) has issued technical guidance following a series of cyber...

Claude AI Abused in Influence-as-a-Service Operations and Campaigns

Claude AI, developed by Anthropic, has been exploited by malicious actors in a range...

Threat Actors Attacking U.S. Citizens Via Social Engineering Attack

As Tax Day on April 15 approaches, a alarming cybersecurity threat has emerged targeting...

TerraStealer Strikes: Browser Credential & Sensitive‑Data Heists on the Rise

Insikt Group has uncovered two new malware families, TerraStealerV2 and TerraLogger, attributed to the...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

NCSC Warns of Ransomware Attacks Targeting UK Organisations

National Cyber Security Centre (NCSC) has issued technical guidance following a series of cyber...

Claude AI Abused in Influence-as-a-Service Operations and Campaigns

Claude AI, developed by Anthropic, has been exploited by malicious actors in a range...

Threat Actors Attacking U.S. Citizens Via Social Engineering Attack

As Tax Day on April 15 approaches, a alarming cybersecurity threat has emerged targeting...