North Korea's Lazarus Group has repurposed SwiftLoader, the stager disguised as a PDF reader app in the RustBucket campaign, to deploy the KANDYKORN macOS malware in a bid to better evade detection, according to The Hacker News.
New SwiftLoader stager variants posing as an executable named EdoneViewer are used to retrieve the KANDYKORN remote access trojan, according to a SentinelOne report.
The findings follow an AhnLab Security Emergency Response Center report linking the Lazarus subgroup Andariel to attacks that exploited Apache ActiveMQ flaws to deliver the TigerRAT and NukeSped malware, and together they indicate growing sharing of tools and techniques across North Korean threat operations.
"The DPRK's cyber landscape has evolved to a streamlined organization with shared tooling and targeting efforts. This flexible approach to tasking makes it difficult for defenders to track, attribute, and thwart malicious activities, while enabling this now collaborative adversary to move stealthily with greater speed and adaptability," said Mandiant.