tldr - powered by Generative AI

North Korean APTs are using a mix-and-match approach to their malware campaigns, reusing shared infrastructure and deploying new variants of payloads to confuse their targets and researchers.
  • North Korean APTs have shown that they organize and align resources and tactics across groups to pursue common goals.
  • Their new activity involves a mix of stagers, loaders, and payloads, some of which belong to entirely new campaigns.
  • The final payloads are malware families uncovered only recently, in some cases delivered as new variants.
  • The attack setups and related components vary from campaign to campaign, which points to a deliberate effort by the North Korean threat actors to confuse both the organizations under attack and the researchers tracking the groups.
  • The reuse of shared infrastructure by North Korean threat actors allows researchers to widen their understanding of their activity and discover fresh indicators of compromise.
  • Recent campaigns by North Korean APTs have featured two new types of malware: KandyKorn RAT and RustBucket.
  • The latest campaigns show a mix-and-match approach to the previous attack flow, with attackers using different first-stage applets and application bundles to deploy the malware.
  • Various RustBucket variants and new variations of SwiftLoader have been observed, including a variant called SecurePDF Viewer.
  • The SwiftLoader SecurePDF Viewer.app may now be used as a later stage to deploy KandyKorn.
  • Other versions of SwiftLoader, distributed in a lure called 'Crypto-assets and their risks for financial stability[.]app[.]zip,' have overlaps with the KandyKorn operation.
Tags:  
North Korean APTs
malware campaigns
mix-and-match approach
shared infrastructure
new variants
