CyberVeille.chApr 14

📢 Vol de 280 M$ sur Drift : opération sophistiquée de 6 mois attribuée à UNC4736 (Corée du Nord)
📝 ## 🗓️ Contexte

Source : The Record Media, publié le 10 avril 2026.
📖 cyberveille : https://cyberveille.ch/posts/2026-04-14-vol-de-280-m-sur-drift-operation-sophistiquee-de-6-mois-attribuee-a-unc4736-coree-du-nord/
🌐 source : https://therecord.media/drift-crypto-theft-post-mortem-north-korea
#AppleJeus #Citrine_Sleet #Cyberveille

Vol de 280 M$ sur Drift : opération sophistiquée de 6 mois attribuée à UNC4736 (Corée du Nord)

🗓️ Contexte Source : The Record Media, publié le 10 avril 2026. Drift, une plateforme de cryptomonnaies, a publié un post-mortem complet décrivant une opération de compromission longue de six mois attribuée au groupe nord-coréen UNC4736, également suivi sous les noms AppleJeus et Citrine Sleet. 🎭 Déroulement de l’opération L’opération a débuté environ six mois avant le vol, lorsque des membres d’une société fictive de trading quantitatif ont approché des contributeurs de Drift lors d’une conférence crypto. Ces individus :

CyberVeille
lazarusholicApr 1, 2025
"Demystifying the North Korean Threat" published by Paradigm. #AppleJeus, #ITWorker, #Lazarus, #Trend, #DangerousPassword, #TraderTraitor, #DPRK, #CTI https://www.paradigm.xyz/2025/03/demystifying-the-north-korean-threat
Demystifying the North Korean Threat

There’s more to the DPRK than just Lazarus Group.

Paradigm
WRAVEN ProjectFeb 19, 2025

🚨 New Malware Report 🚨

AppleJeus malware is hijacking wallets & stealing funds. Don't be the next victim!

Read the report! 🔗 https://bit.ly/3QoD5hp

#CryptoSecurity #LazarusGroup #AppleJeus #WRAVEN

WRAVEN | AppleJeus Report

A Report on the AppleJeus Malware from WRAVEN researchers

lazarusholicJan 20, 2025
"Beware of Contacts through LinkedIn: They Target Your Organization’s Property, Not Yours" published by JPCERT. #AppleJeus, #DangerousPassword, #DreamJob, #Lazarus, #DPRK, #CTI https://blogs.jpcert.or.jp/en/2025/01/initial_attack_vector.html
Beware of Contacts through LinkedIn: They Target Your Organization’s Property, Not Yours - JPCERT/CC Eyes

There have recently been reports of unau...

JPCERT/CC Eyes
lazarusholicJan 10, 2025
"あなたではなく組織の財産を狙うLinkedIn経由のコンタクトにご用心" published by JPCERT. #AppleJeus, #DangerousPassword, #DreamJob, #Lazarus, #DPRK, #CTI https://blogs.jpcert.or.jp/ja/2025/01/initial_attack_vector.html
あなたではなく組織の財産を狙うLinkedIn経由のコンタクトにご用心 - JPCERT/CC Eyes

報道等でご承知のとおり、国内にてLinkedInを初期感染経路とする不正アクセス...

JPCERT/CC Eyes
BGDon 🇨🇦 🇺🇸 👨‍💻Dec 24, 2024

Crypto hacks now seem like daily occurrences - one recent example:

Radiant Capital says North Korean threat actors are behind the $50M cryptocurrency heist that occurred after hackers breached its systems on Oct 16.

Hackers spoofed a former software contractor tricking a staffer to download a malicious ZIP file containing a decoy PDF file and a malware payload named "'InletDrift". https://www.bleepingcomputer.com/news/security/radiant-links-50-million-crypto-heist-to-north-korean-hackers/

#cyberattack #NorthKorea #UNC4736 #AppleJeus #Crypto #DiFi #Ethereum #blockchain #InletDrift

Radiant links $50 million crypto heist to North Korean hackers

Radiant Capital now says that North Korean threat actors are behind the $50 million cryptocurrency heist that occurred after hackers breached its systems in an October 16 cyberattack.

BleepingComputer
lazarusholicDec 10, 2024
"Radiant Capital Incident Update" published by RadiantCapital. #AppleJeus, #Radiant, #UNC4736, #DPRK, #CTI https://medium.com/@RadiantCapital/radiant-capital-incident-update-e56d8c23829e
Radiant Capital Incident Update - Radiant Capital - Medium

We have an important update on the October 16, 2024 incident in which Radiant Capital was targeted by a highly sophisticated cyberattack that resulted in a loss valued at approximately $50M USD. On…

Medium
The Hacker NewsApr 4, 2023

Originally posted by The Hacker News / @TheHackersNews: http://nitter.platypush.tech/TheHackersNews/status/1643101750553899008#m

R to @TheHackersNews: The link to North Korea comes from Gopuram's co-existence with #AppleJeus, a backdoor attributed to the Lazarus Group.

This group has a recurring focus on the financial industry, which aligns with the targeting of #crypto companies.

The Hacker News (@TheHackersNews)

The link to North Korea comes from Gopuram's co-existence with #AppleJeus, a backdoor attributed to the Lazarus Group. This group has a recurring focus on the financial industry, which aligns with the targeting of #crypto companies.

Nitter
Volexity Dec 20, 2022

Microsoft’s Security Threat Intel team described an attack where a threat actor was targeting cryptocurrency investment companies. Thanks to Microsoft for sharing their analysis and referencing our research about a recent #AppleJeus campaign!

https://www.microsoft.com/en-us/security/blog/2022/12/06/dev-0139-launches-targeted-attacks-against-the-cryptocurrency-industry/

DEV-0139 launches targeted attacks against the cryptocurrency industry - Microsoft Security Blog

Microsoft security researchers investigate an attack where the threat actor, tracked DEV-0139, used chat groups to target specific cryptocurrency investment companies and run a backdoor within their network.

Microsoft Security Blog
Security AffairsDec 5, 2022
#Lazarus #APT uses fake #cryptocurrency apps to spread #AppleJeus #Malware
https://securityaffairs.co/wordpress/139290/apt/lazarus-apt-bloxholder-campaign.html
#securityaffairs #hacking
Lazarus APT uses fake cryptocurrency apps to spread AppleJeus Malware

The North Korea-linked Lazarus APT spreads fake cryptocurrency apps under the fake brand BloxHolder to install the AppleJeus malware. Volexity researchers warn of a new malware campaign conducted by the North Korea-linked Lazarus APT against cryptocurrency users. The threat actors were observed spreading fake cryptocurrency apps under the fake brand BloxHolder to deliver the AppleJeus […]

Security Affairs