In a new report, Palo Alto Networks describes the activities of threat groups tied to North Korea's intelligence apparatus. The groups, often referred to collectively as Lazarus, operate on behalf of the DPRK government and are engaged in cyber espionage, financially motivated crime, and destructive attacks against industries worldwide.
The report examines the RGB (North Korea's Reconnaissance General Bureau), a structure made up of multiple departments, each with its own objectives and specializations. Six key groups within this structure have been identified:
- Alluring Pisces (BlueNoroff) – targets financial institutions, cryptocurrency companies, and ATMs, and is responsible for large cyber heists.
- Gleaming Pisces (Citrine Sleet) – attacks cryptocurrency businesses and is linked to the AppleJeus campaign, which distributes fake cryptocurrency applications.
- Jumpy Pisces (Andariel) – focuses on cyber espionage and conducts attacks using advanced tooling.
- Selective Pisces (TEMP.Hermit) – targets media, defense, and IT companies, conducting espionage and destructive network attacks.
- Slow Pisces (TraderTraitor) – known for attacking blockchain companies and taking part in supply chain attacks, distributing malicious applications such as TraderTraitor.
- Sparkling Pisces (Kimsuky) – primarily engaged in intelligence gathering, funded through its own cyber intrusions.
The report also analyzes 10 recently discovered malware families developed by North Korean groups, targeting Windows, macOS, and Linux. These tools are used for a range of operations, including data collection, intrusion into corporate networks, and ransomware distribution.
Among the highlighted malicious programs are RustBucket, KandyKorn, SmoothOperator, ObjCShellz, and FullHouse, each covering functions from initial system compromise to device control and data theft.
RustBucket is a notable multi-stage macOS malware uncovered in 2023; its layered components make detection and removal difficult. KandyKorn is another elaborate multi-stage attack that begins with social engineering to trick victims into launching a disguised malicious script.
Furthermore, the report mentions SmoothOperator, used to target users of