Sugarcoating KANDYKORN: a sweet dive into a sophisticated MacOS backdoor

2024-10-03 Elastic

https://www.virusbulletin.com/conference/vb2024/abstracts/sugarcoating-kandykorn-sweet-dive-sophisticated-macos-backdoor/

Elastic describes KANDYKORN as a macOS backdoor found during an intrusion targeting engineers at a major cryptocurrency exchange platform. The malware uses a feature-rich, multi-stage loader and a custom network protocol to support post-compromise activity, including lateral movement and data exfiltration. The abstract says the loader is heavily obfuscated, reflectively loads the backdoor in memory, and uses execution flow hijacking for persistence, which is unusual in macOS environments. The delivery tradecraft includes Discord-based social lures aimed at highly targeted victims.