Hackers often use weaponized documents to exploit vulnerabilities in software, which enables the execution of malicious code.
All these documents contain malicious code or macros, often disguised as familiar files, which help hackers gain unauthorized access and deliver malware to their targets.
Recently, cybersecurity researchers at SentinelOne reported that North Korean hackers are actively attacking macOS users with weaponized documents.
North Korean threat actors focused on macOS in 2023 with two major campaigns, described below:
RustBucket employed ‘SwiftLoader,’ disguising itself as a PDF Viewer, to deliver a Rust-written second-stage malware.
In the KandyKorn campaign, Python scripts targeted blockchain engineers and delivered a C++ backdoor RAT named ‘KandyKorn’ after hijacking the Discord app on infected hosts.
A five-stage attack targeted users through Discord, using social engineering to trick them into downloading a malicious Python app.
This Python app is disguised as a crypto arbitrage bot that is distributed as Cross-Platform “Bridges.zip,” and the app contains several harmless Python scripts.
The stages are listed below:
North Korean threat actors have an evolving campaign named RustBucket, using the Swift-based app SecurePDF Viewer.app. It’s signed by “BBQ BAZAAR PRIVATE LIMITED” and reaches out to docs-send.online.
Another variant, Crypto-assets app.zip, signed by “Northwest Tech-Con Systems Ltd,” connects to on-global.xyz, dropping an executable at /Users/Shared/.pw.
This .pw file, associated with KandyKorn, references /Users/Shared/.pld, the path used by the KandyKorn RAT, indicating shared infrastructure, objectives, and TTPs between the two campaigns.
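Matching the indicators named above (the two domains, the dropped file paths and the two signing identities) against DNS log lines, a mounted disk root and codesign output, as an added defender-side example that is not from SentinelOne's report; the log lines and host names are constructed.

```python
"""Indicator matching for the macOS campaign described above (added example)."""
import os
import re

# Indicators taken from the article text above.
DOMAINS = {"docs-send.online", "on-global.xyz"}
DROPPED_PATHS = {"/Users/Shared/.pw", "/Users/Shared/.pld"}
SIGNERS = {"BBQ BAZAAR PRIVATE LIMITED", "Northwest Tech-Con Systems Ltd"}

# Constructed sample DNS log: one line per query with host and queried name.
SAMPLE_LOG = """\
2023-11-08T10:01:02Z host=mac-eng-07 query=updates.apple.com
2023-11-08T10:01:09Z host=mac-eng-07 query=docs-send.online
2023-11-08T10:02:30Z host=mac-eng-12 query=api.discord.com
2023-11-08T10:03:15Z host=mac-eng-12 query=cdn.on-global.xyz
"""

QUERY_RE = re.compile(r"host=(\S+)\s+query=(\S+)")


def matches_domain(name):
    """True if name is an indicator domain or a subdomain of one (not a lookalike)."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in DOMAINS)


def scan_dns_log(text):
    """Return (host, queried_name) for every line that hits an indicator domain."""
    hits = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m and matches_domain(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits


def check_dropped_files(root="/"):
    """Return indicator paths present under root; root lets you scan a mounted image."""
    return sorted(p for p in DROPPED_PATHS
                  if os.path.exists(os.path.join(root, p.lstrip("/"))))


def signer_is_indicator(codesign_output):
    """Match the text of `codesign -dv --verbose=2 <app>` against the signer names."""
    return any(s in codesign_output for s in SIGNERS)


if __name__ == "__main__":
    print(scan_dns_log(SAMPLE_LOG))
    print(check_dropped_files())
```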
Indicator categories in the SentinelOne report:
SUGARLOADER
HLOADER
KANDYKORN RAT
ObjCShell
SecurePDF Viewer
Crypto-assets and their risks for financial stability.app
Downloader
Remotely-hosted AppleScript
Network Communications
File paths