North Korean threat actors behind two major macOS-targeting malware strains of 2023 — RustBucket and KandyKorn — have been found mixing elements of these disparate attacks to evade detection, according to a SentinelOne study.

The new technique leverages the RustBucket dropper, SwiftLoader, to deliver the KandyKorn remote access trojan (RAT) payload.

“We provide the first clues that RustBucket droppers and KandyKorn payloads are likely being shared as part of the same infection chain,” SentinelOne said in a blog post on the findings. “Our analysis corroborates findings from other researchers that North Korean-linked threat actors’ tendency to reuse shared infrastructure affords us the opportunity to widen our understanding of their activity and discover fresh indicators of compromise.”

SentinelOne also noted the use of a late-stage RustBucket payload, ObjCShellz, another macOS-specific malware for executing simple shell commands received from a remote C2.

Shared infrastructure for obfuscation

Recent studies have indicated overlaps in the tools and techniques used by different North Korean hacker groups, as also corroborated by a recent Mandiant report on the current state of North Korea's cyber operations structure.

“While different threat groups share tooling and code, North Korean threat activity continues to adapt and change to build tailored malware for different platforms, including Linux and macOS,” Mandiant said in the report.

The obfuscation technique observed by SentinelOne is in line with this: it combines the dropper module of RustBucket, an activity cluster linked to the Lazarus Group and first observed in May, with the KandyKorn RAT payload, first reported by Elastic Security Labs earlier this month.

The RustBucket campaign uses a backdoored PDF viewer, SwiftLoader, to open a lure document sent to users. While victims viewed the lure, SwiftLoader retrieved and executed a further-stage malware written in the Rust language.

KandyKorn, on the other hand, is a multiphase campaign aimed at blockchain engineers working on a cryptocurrency exchange platform. The miscreants employed Python scripts to deploy malware, seizing control of the host’s Discord application, and then introduced a backdoor RAT coded in C++, referred to as “KandyKorn.”

The shared infrastructure allows the attackers to use SwiftLoader to install HLoader, a payload targeting the Discord application that achieves persistence by being executed on each launch of the application, thereby evading detection. Additionally, SentinelOne found traces of ObjCShellz as a later-stage payload written in Objective-C to maintain persistent remote access.