North Korea's Lazarus Group has leveraged the backdoored PDF reader app SwiftLoader used in the RustBucket campaign to facilitate the deployment of the KANDYKORN macOS malware in a bid to better evade detection, according to The Hacker News.
Novel SwiftLoader stager variants purporting to be the EdoneViewer executable have been utilized by attackers to enable KANDYKORN RAT retrieval, according to a SentinelOne report.
Such findings, which follow an AhnLab Security Emergency Response Center report linking Lazarus subgroup Andariel to attacks exploiting Apache ActiveMQ flaws to deliver the TigerRAT and NukeSped malware, indicate the increased sharing of tools and techniques between North Korean threat operations.
"The DPRK's cyber landscape has evolved to a streamlined organization with shared tooling and targeting efforts. This flexible approach to tasking makes it difficult for defenders to track, attribute, and thwart malicious activities, while enabling this now collaborative adversary to move stealthily with greater speed and adaptability," said Mandiant.
As part of its latest attacks discovered in June, Tropic Trooper exploited several known Microsoft Exchange Server and Adobe ColdFusion vulnerabilities to distribute an updated China Chopper web shell on a server hosting the Umbraco open-source content management system.
More than 50 Alibaba-hosted command-and-control servers have been leveraged to facilitate the distribution of the backdoor, which impersonates the Java, bash, sshd, SQLite, and edr-agent utilities.
Angola and the Democratic Republic of Congo, which is a new Intellexa client, may have leveraged new Predator infrastructure to enable spyware staging and exploitation, according to an analysis from Recorded Future's Insikt Group.