State-Sponsored Financially Motivated Attacks

2023-10-26 Microsoft

https://speakerdeck.com/fr0gger/state-sponsored-financially-motivated-attacks

Attachments

State-Sponsored_Financially_Motivated_Attacks.pdf (24 MB)


The presentation traces a North Korea-linked, financially motivated intrusion against cryptocurrency targets, using Citrine Sleet activity to show how the operators build trust through LinkedIn, Twitter, Telegram, and fake crypto-organization websites. In the case study, the operators contacted a target in October 2022, moved the conversation into a Telegram group impersonating OKX staff, and delivered a weaponized Excel file named as a VIP fee comparison for OKX, Binance, and Huobi. The Excel macro used data stored in a UserForm to drop a second malicious workbook, retrieve a PNG containing two executables and an encrypted backdoor, and run malware that collected host information. The slides connect this tradecraft to DPRK interest in crypto finance, AppleJeus-style fake applications, MSI-packaged lures, VBA UserForm abuse, DLL side-loading, and infrastructure such as strainservice[.]com.
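The PNG step of that chain is a natural place for a triage check. What follows is an added example written for this page, not code from the presentation or from Microsoft: it walks a PNG's chunk list, verifies each chunk CRC, reports any bytes after IEND (where image decoders stop reading, which is what makes the tail a convenient hiding place), scans that tail for plaintext PE headers, and measures its entropy, since an encrypted backdoor has no header to find. The sample PNG, the PE stubs and the high-entropy blob are all constructed inside the block; none are artifacts from the case study.

```python
"""Check a PNG for data smuggled after the IEND chunk.

Added example, not code from the presentation. The sample PNG and the fake
PE stubs below are constructed here; no real artifact from the case study is
embedded.
"""
import math
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def parse_png_chunks(data):
    """Walk the chunk list up to IEND.

    Returns (chunks, trailing): chunks is a list of (type, length, crc_ok),
    trailing is every byte after IEND's CRC. Decoders stop at IEND, so the
    trailing bytes never affect the rendered image.
    """
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG: bad signature")
    pos, chunks = len(PNG_SIG), []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body_start, body_end = pos + 8, pos + 8 + length
        if body_end + 4 > len(data):
            raise ValueError("truncated chunk %r" % ctype)
        body = data[body_start:body_end]
        (crc,) = struct.unpack(">I", data[body_end:body_end + 4])
        crc_ok = (zlib.crc32(ctype + body) & 0xFFFFFFFF) == crc
        chunks.append((ctype.decode("ascii", "replace"), length, crc_ok))
        pos = body_end + 4
        if ctype == b"IEND":
            return chunks, data[pos:]
    raise ValueError("no IEND chunk")


def find_pe_offsets(blob):
    """Offsets of plaintext PE images: 'MZ' whose e_lfanew points at 'PE\\0\\0'."""
    hits, start = [], 0
    while True:
        i = blob.find(b"MZ", start)
        if i < 0 or i + 0x40 > len(blob):
            return hits
        (e_lfanew,) = struct.unpack_from("<I", blob, i + 0x3C)
        if blob[i + e_lfanew:i + e_lfanew + 4] == b"PE\0\0":
            hits.append(i)
        start = i + 1


def shannon_entropy(blob):
    """Bits per byte; 8.0 is uniform. Encrypted or compressed data sits near 8."""
    if not blob:
        return 0.0
    n, counts = len(blob), [0] * 256
    for b in blob:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def assess_png(data):
    """Summarise the facts a triage analyst wants about a suspect PNG."""
    chunks, trailing = parse_png_chunks(data)
    return {
        "chunks": [c for c, _, _ in chunks],
        "bad_crc": [c for c, _, ok in chunks if not ok],
        "trailing_len": len(trailing),
        "pe_offsets": find_pe_offsets(trailing),
        "trailing_entropy": round(shannon_entropy(trailing), 3),
    }


# --- constructed sample data for a stand-alone run ---------------------------
def build_png(width=1, height=1):
    """Minimal valid 8-bit RGB PNG (constructed; not an image from the case)."""
    def chunk(ctype, body):
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x00\x00\x00" * width for _ in range(height))
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")


def fake_pe_stub():
    """84-byte stand-in for an executable: DOS header with e_lfanew -> 'PE\\0\\0'."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\0\0" + b"\x00" * 16


def build_carrier():
    """Clean PNG + two plaintext PE stubs + a uniform blob standing in for an
    encrypted backdoor: the same shape as the PNG described in the slides."""
    encrypted_stand_in = bytes(range(256)) * 4  # every byte value 4x: entropy 8.0
    return build_png() + fake_pe_stub() + fake_pe_stub() + encrypted_stand_in


if __name__ == "__main__":
    for name, blob in (("clean", build_png()), ("carrier", build_carrier())):
        print(name, assess_png(blob))
```

Run it on a real file with assess_png(open(path, "rb").read()). A non-zero trailing length alone is not proof of malice (some tools append metadata after IEND), but a tail that contains PE headers, or that sits near 8 bits per byte of entropy with no header at all, is worth pulling for analysis. The check deliberately stops at the tail; payloads stored inside ancillary chunks (tEXt, zTXt or private chunk types) would need the same PE and entropy scan applied to each chunk body.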

Indicators of Compromise

Type     Value                              First Seen   Last Seen
URL      https://strainservice.com/resou…   2022-12-01   2023-10-26
DOMAIN   strainservice.com                  2022-12-01   2023-10-26
