Cybersecurity · · 2 min read

The Evolving Threat of DPRK's Cyber Campaigns: RustBucket and KandyKorn

The Evolving Threat of DPRK's Cyber Campaigns: RustBucket and KandyKorn

As the landscape of cybersecurity continues to evolve, North Korean-aligned actors have made significant advancements in 2023, particularly targeting macOS systems. Two major campaigns have emerged: RustBucket and KandyKorn. This article delves into the intricate mechanisms of these campaigns, their implications, and the measures to counteract these threats.

The RustBucket Campaign

RustBucket, initially disclosed by JAMF, marked the beginning of a sophisticated cyber offensive. The campaign initially deployed a first-stage AppleScript applet and a Swift-based application bundle named ‘Internal PDF’. This application utilized specially crafted PDFs to download a Rust-based payload. As the campaign progressed, several variants of the Swift-based stager, SwiftLoader, were identified. In a notable development, a variant called ‘SecurePDF’ was discovered, which had been signed and notarized by Apple (since revoked). This variant demonstrated the campaign’s capability to adapt and evolve, targeting systems running at least macOS 12.6 (Monterey) and compatible with both Intel and Apple silicon devices​​.

The KandyKorn Intrusion

KandyKorn presented a more elaborate and multi-stage operation, initially targeting blockchain engineers at a crypto exchange platform. The attack commenced with social engineering tactics on Discord, where users were tricked into downloading a malicious Python application disguised as a cryptocurrency arbitrage bot. This application, distributed as ‘Cross-Platform’, contained benign-looking Python scripts. The attack unfolded in stages, beginning with the execution of a script named ‘’, followed by the downloading of further scripts like ‘’ and ‘FinderTools’. Subsequent stages involved the deployment of malware like SUGARLOADER and HLOADER, which hijacked the host’s Discord application and introduced backdoor capabilities.

The Intersection of RustBucket and KandyKorn

The intersection of these two campaigns is a recent and alarming development. Analysis indicates that DPRK threat actors are now combining elements from both RustBucket and KandyKorn. This “mixing and matching” of components suggests a more adaptive and sophisticated approach to cyber warfare. For instance, SwiftLoader droppers, initially part of the RustBucket campaign, are now being used to deliver KandyKorn payloads. This convergence presents new challenges for cybersecurity teams and necessitates a heightened level of vigilance and adaptability​​​​​​​​​​.

Defense Against These Threats

In response to these emerging threats, cybersecurity firms like SentinelOne have stepped up their game. SentinelOne's Singularity platform is equipped to detect and protect against all known components of the KandyKorn and RustBucket malware. This proactive stance highlights the importance of advanced cybersecurity measures in the face of evolving threats​​.


The evolution of the RustBucket and KandyKorn campaigns signifies a new era in cyber warfare, where threats are becoming more intricate and adaptive. The blending of tactics and tools from different campaigns demonstrates the agility of these threat actors. Organizations, particularly those using macOS systems, must stay abreast of these developments and fortify their defenses accordingly. Collaboration between cybersecurity firms and continuous innovation in defense strategies will be crucial in mitigating the risks posed by such sophisticated cyber threats.

Read next