North Korea-linked AppleJeus: A Profile of G1049, a State-Sponsored Cybercrime Group
- Suspected Origin
- North Korea
- Motivation
- Financial Gain, Revenue Generation
- Aliases
- Gleaming Pisces, Citrine Sleet, UNC1720, UNC4736
- Target Sectors
- Cryptocurrency, Decentralized Finance, Financial Technology, Financial Services, Technology, Government, Defense, Telecommunications
- Associated Malware
- AppleJeus, FudModule, ICONICSTEALER, VEILEDSIGNAL, POOLRAT, PondRAT, KandyKorn, Sugarloader, Hloader, TAXHAUL, Coldcat, RemotePE, ThemeForestRAT, SUDDENICON
Overview
AppleJeus, tracked by MITRE ATT&CK as G1049, is a sophisticated North Korean state-sponsored threat group operating under the umbrella of the broader Lazarus Group. Attributed to the Reconnaissance General Bureau (RGB), specifically Bureau 121, this actor is also known by various aliases including Gleaming Pisces, Citrine Sleet, UNC1720, UNC4736, and HIDDEN COBRA. Active since at least 2018, AppleJeus’s primary mission is to generate and launder revenue for the North Korean regime. This financial imperative aims to circumvent international sanctions and fund state priorities, including its weapons programs.
The group predominantly targets the cryptocurrency industry, encompassing decentralized finance (DeFi), financial technology (FinTech), and financial services firms. Their victims often include cryptocurrency exchanges, blockchain-based gaming companies, and high-value individuals such as blockchain engineers and software developers. While financial gain is the core motivation, their operations sometimes exhibit overlaps in tools and infrastructure with other DPRK-aligned groups like TEMP.hermit, Diamond Sleet, and APT43, suggesting a degree of shared resources or tasking which can blur the lines with intelligence gathering. Beyond direct financial targets, AppleJeus has also compromised entities in the technology, government, defense, and telecommunications sectors, often as a means to achieve initial access for downstream financial exploitation or to facilitate supply chain attacks.
Tactics & Techniques
AppleJeus employs a diverse and evolving set of tactics and techniques to achieve its objectives, consistently demonstrating a high level of operational sophistication.
Their Initial Access methods frequently involve advanced social engineering and phishing. They conduct spear-phishing campaigns, leveraging social networking and impersonation to convince victims to download malicious software. A common technique involves creating fake websites that meticulously mimic legitimate cryptocurrency trading platforms or job opportunities. Recent operations highlight “long-con” social engineering, where the group invests months in building trust with targets, even engaging in in-person meetings with fabricated identities to bypass suspicion.
Supply chain compromise is a signature tactic. A notable instance is the 3CX Supply Chain Attack, where AppleJeus (UNC4736) orchestrated a cascading, two-stage intrusion. They initially compromised the legitimate website of Trading Technologies International, Inc. to host a trojanized version of their X_TRADER software. This initial compromise provided them access to the 3CX environment, allowing them to then modify 3CX’s Windows and macOS build environments and distribute malicious updates to 3CX’s customer base.
AppleJeus extensively utilizes trojanized applications, disguising their malware as legitimate cryptocurrency trading and wallet applications like Celas Trade Pro, Union Crypto Trader, and BloxHolder. They have also demonstrated the capability to exploit zero-day vulnerabilities. In August 2024, Citrine Sleet (AppleJeus) was observed actively exploiting CVE-2024-7971, a Chromium zero-day, often paired with a Windows kernel vulnerability (CVE-2024-38106) to bypass browser sandboxes and gain system-level access. More recently, in September 2024, Gleaming Pisces (AppleJeus) engaged in a poisoned open-source packages campaign, distributing malicious Python packages on PyPI to deliver Linux and macOS backdoors, primarily targeting developers.
For Execution and Persistence, the group often relies on user execution of malicious installers. They establish persistence by installing malware as Windows services or creating scheduled SYSTEM tasks, and on macOS, they employ postinstall scripts and LaunchDaemon persistence. They leverage advanced techniques like DLL side-loading and reflective code loading to load payloads directly into memory, enhancing evasion. Malware is sometimes programmed with delay execution mechanisms, generating future timestamps and sleeping until the specified time.
Their Defense Evasion strategies are robust. AppleJeus uses stolen, forged, or legitimate code-signing certificates to sign malicious software, including certificates associated with reputable companies, making their implants appear legitimate. They extensively employ obfuscation, encrypting/encoding payloads and obscuring strings and API calls with custom algorithms. They also use techniques like hiding files and folders (e.g., adding a leading dot to macOS plist filenames) and deploying sophisticated rootkits such as FudModule to achieve kernel-level persistence and thwart security software.
Discovery and Collection often involve host profiling to exfiltrate system information like BIOS serial numbers, operating system details, and device serial numbers. They utilize tools like ICONICSTEALER to steal browser information, including history, and deploy additional malware like Gopuram and Mimikatz for credential theft.
For Command and Control (C2), AppleJeus establishes encrypted channels using ciphers like AES-256 GCM and RC4. They can leverage cookie headers for data over HTTPS and even host encrypted C2 server details on legitimate services like GitHub.
The ultimate Impact of AppleJeus operations is almost always financial theft, primarily targeting cryptocurrency and other digital assets.
Notable Campaigns
AppleJeus has been linked to numerous high-impact campaigns, consistently refining its methods to maximize financial gain.
- Operation AppleJeus (Since 2018): This enduring campaign defines the group’s initial and ongoing strategy of distributing trojanized cryptocurrency trading applications. Early variants mimicked platforms such as Celas Trade Pro, WorldBit-Bot, and Union Crypto Trader, targeting both Windows and macOS users.
- BloxHolder Campaign (June - October 2022): The group registered deceptive domains like bloxholder[.]com, creating clones of legitimate trading platforms (e.g., HaasOnline) to distribute AppleJeus malware. This was often achieved via weaponized Microsoft Office documents or MSI installers, bundling their malicious code with open-source applications like QTBitcoinTrader.
- 3CX Supply Chain Attack (C0057, November 2022 - March 2023): This complex attack, also known as “SmoothOperator,” began with AppleJeus (UNC4736) compromising the website of Trading Technologies International, Inc. to distribute a trojanized version of their X_TRADER software. This led to an initial breach of a 3CX employee, allowing the attackers to then compromise 3CX’s Windows and macOS build environments. Maliciously modified updates for the 3CX Desktop App, digitally signed by 3CX and notarized by Apple, were subsequently distributed to customers. These updates delivered information-stealing malware (SUDDENICON, ICONICSTEALER) and multi-stage backdoors (VEILEDSIGNAL, Gopuram) to high-value targets in the defense and cryptocurrency sectors.
- Chromium Zero-Day Campaign (August 2024): Citrine Sleet (AppleJeus/UNC4736) was identified actively exploiting CVE-2024-7971, a zero-day in Chromium, combined with a Windows kernel vulnerability (CVE-2024-38106). Targets were lured to attacker-controlled domains (e.g., voyagorclub[.]space), where the exploit chain delivered the FudModule rootkit.
- Poisoned Python Packages Campaign (Ongoing as of September 2024): Gleaming Pisces (AppleJeus) uploaded malicious Python packages (e.g.,
real-ids,coloredtxt,beautifultext,minisound) to the PyPI repository. These packages served as a vector to deliver Linux and macOS backdoors, including PondRAT, indicating a strategic targeting of software developers and their machines through supply chain compromise. - Radiant Capital Heist (October 2024): UNC4736 was attributed to a theft of approximately $50 million. This incident involved social engineering, where attackers posed as known contacts and delivered malware through file shares on messaging platforms.
- PondRAT, ThemeForestRAT, and RemotePE Campaign (2024): This campaign, also linked to AppleJeus and its aliases, targeted the decentralized finance (DeFi) sector. It involved social engineering to deliver three distinct cross-platform malware families: PondRAT, ThemeForestRAT, and RemotePE.
- KandyKorn Campaign (Late 2023): This operation saw North Korean hackers, associated with the broader Lazarus Group, target blockchain engineers working for cryptocurrency exchanges. They used public Discord servers to impersonate community members, tricking victims into downloading malicious Python applications disguised as arbitrage bots, which ultimately delivered the KandyKorn macOS malware.
- Drift Protocol Heist (April 2026): In a sophisticated, six-month social engineering campaign, UNC4736 (AppleJeus) successfully defrauded Drift Protocol, a decentralized perpetual futures exchange on the Solana blockchain. Posing as a legitimate quantitative trading firm, the threat actors built extensive trust, including through in-person meetings at international conferences and even depositing their own capital, before executing a rapid 12-minute operation that stole approximately $285 million in user assets.
Associated Malware & Tools
AppleJeus leverages a mix of custom-developed malware, shared tools, and publicly available utilities:
- AppleJeus: The foundational trojanized cryptocurrency trading and wallet application malware family, designed for cryptocurrency theft and backdoor access.
- FudModule: A sophisticated, data-only Windows rootkit that operates at the kernel level for deep persistence and evasion, notably shared with Diamond Sleet.
- ICONICSTEALER: An information stealer, specifically a dataminer, used to exfiltrate browser-related information, including browsing history.
- VEILEDSIGNAL: A complex, multi-stage modular backdoor designed for Windows systems.
- POOLRAT: A remote administration tool (RAT) primarily targeting macOS, with newer Linux variants also identified, demonstrating cross-platform capabilities.
- PondRAT: A more compact and lighter version of POOLRAT, functioning as a cross-platform (Linux/macOS) backdoor with file upload/download and arbitrary command execution capabilities.
- KandyKorn: A highly advanced macOS backdoor used as a final-stage payload. It offers extensive capabilities for data access, exfiltration, process manipulation, and arbitrary command execution, employing encrypted RC4 for C2 communication.
- Sugarloader & Hloader: Intermediate components within the KandyKorn infection chain, responsible for initial access, loading subsequent stages, and establishing persistence (Hloader notably masquerades as the legitimate Discord application).
- COLDCAT: A C2 communication module, observed using cookie headers to exfiltrate data over HTTPS.
- SUDDENICON: A downloader used in campaigns like the 3CX attack, designed to retrieve additional C2 server details from encrypted icon files hosted on platforms like GitHub.
- TAXHAUL, RemotePE, ThemeForestRAT: Additional malware strains and cross-platform families used in various operations.
- SigFlip: A tool employed to inject arbitrary code into already signed executable files without invalidating their digital signatures, a technique to maintain legitimacy.
- DAVESHELL: A publicly available open-source project that AppleJeus leverages to convert PE-COFF files into position-independent code, facilitating reflective loading of payloads into memory.
- Fast Reverse Proxy: Used for lateral movement within compromised networks.
Current Status
AppleJeus (G1049) remains a highly active and adaptive threat group, consistently demonstrating sophisticated capabilities and a persistent focus on financial cybercrime. Recent reports from 2024 and 2026 confirm their ongoing evolution and operational tempo.
The April 2026 Drift Protocol Heist vividly illustrates their current investment in sophisticated, long-term social engineering, including in-person interactions, to execute significant cryptocurrency thefts. This highlights a trend of integrating deeply embedded human elements into their attack chains.
In September 2025, a campaign targeting the DeFi sector delivered the new PondRAT, ThemeForestRAT, and RemotePE malware families through social engineering, underscoring their continued focus on decentralized finance and developing new cross-platform tools.
Earlier, in September 2024, Gleaming Pisces (AppleJeus) was observed distributing PondRAT for Linux and macOS via poisoned Python packages uploaded to the PyPI repository. This indicates an ongoing commitment to supply chain compromises targeting developers. In August 2024, Microsoft reported that Citrine Sleet (AppleJeus) was actively exploiting a Chromium zero-day (CVE-2024-7971) in conjunction with a Windows kernel vulnerability to deploy the FudModule rootkit against cryptocurrency targets.
The development of new cross-platform malware, such as KandyKorn for macOS in late 2023, and their consistent use of advanced evasion techniques like kernel-level rootkits and reflective code loading, underscore their persistent and high-threat nature. Their continued focus on the cryptocurrency and DeFi sectors, combined with their willingness to invest significant time and resources into multi-stage social engineering and exploit zero-day vulnerabilities, ensures AppleJeus remains a critical threat to organizations and individuals operating in these spaces.
Related content
Worried this actor targets your sector?
Let's map your exposure before they find it themselves.
Book an advisory call