DPRK Crypto Theft | macOS RustBucket Droppers Pivot to Deliver KandyKorn Payloads
2023-11-27 • Sentinel One
SentinelOne links two 2023 DPRK-aligned macOS campaigns, RustBucket and KandyKorn, and reports that SwiftLoader droppers are being reused to deliver KandyKorn payloads. RustBucket used PDF viewer lures and SwiftLoader to fetch later-stage Rust malware, while KandyKorn targeted blockchain engineers through Discord social engineering and a fake cryptocurrency arbitrage bot. The observed chain includes Python scripts, SUGARLOADER, HLOADER persistence inside the Discord app bundle, configuration retrieval from com.apple.safari.ck, and in-memory execution of the KANDYKORN RAT, which communicates with C2 infrastructure such as tp-globa.xyz and 23.254.226.90.
Indicators of Compromise