AppleJeus
AppleJeus is a North Korean state-sponsored threat group attributed to the Reconnaissance General Bureau. Associated with the broader Lazarus Group umbrella of actors, AppleJeus has been active since at least 2018 and is closely aligned in resources with TEMP.hermit, another DPRK-affiliated group under the same umbrella.[1] The group’s primary mission is to generate and launder revenue to provide financial support to the government. AppleJeus primarily targets the cryptocurrency industry and is most notably responsible for the 3CX Supply Chain Attack.[2] The group traditionally deploys malicious cryptocurrency software in combination with Phishing. From these compromised environments, it selectively deploys additional backdoors to enable extended operations against high-value financial targets.[3][4]
Associated Group Descriptions
Campaigns
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
During the 3CX Supply Chain Attack, AppleJeus's COLDCAT C2 leverages cookie headers to contain data over HTTPS. Cookies also contain hardcoded variables |
| Enterprise | T1217 | Browser Information Discovery |
During the 3CX Supply Chain Attack, AppleJeus leveraged ICONICSTEALER to steal browser information to include browser history located on the infected host.[8][2][9] |
|
| Enterprise | T1543 | .004 | Create or Modify System Process: Launch Daemon |
During the 3CX Supply Chain Attack, AppleJeus installs a Launch Daemon to execute the POOLRAT macOS backdoor software.[2] |
| Enterprise | T1678 | Delay Execution |
During the 3CX Supply Chain Attack, AppleJeus's software generates a randomly selected date that is between 1-4 weeks in the future. This timestamp is then checked against the current time of the compromised machine, and the malware will sleep until that time is encountered.[7] |
|
| Enterprise | T1189 | Drive-by Compromise |
During the 3CX Supply Chain Attack, AppleJeus compromised the |
|
| Enterprise | T1573 | .001 | Encrypted Channel: Symmetric Cryptography |
During the 3CX Supply Chain Attack, AppleJeus's VEILEDSIGNAL communication module supports three commands to conduct the following actions: send implant data, execute shellcode, and terminate itself.[2] |
| Enterprise | T1546 | .016 | Event Triggered Execution: Installer Packages |
During the 3CX Supply Chain Attack, AppleJeus added a malicious .dylib file to a .dmg installer package for the macOS 3CX application.[7] |
| Enterprise | T1203 | Exploitation for Client Execution |
During the 3CX Supply Chain Attack, AppleJeus leveraged the Chrome vulnerability, CVE-2022-0609, in combination with a Drive-by Compromise website.[2] |
|
| Enterprise | T1657 | Financial Theft |
AppleJeus has targeted the cryptocurrency industry with the goal of stealing digital assets.[3] |
|
| Enterprise | T1574 | .001 | Hijack Execution Flow: DLL |
During the 3CX Supply Chain Attack, AppleJeus splits functionally across multiple .dll files using export functions, such as DLLGetClassObject, to execute code from an embedded .dll file within another .dll file. AppleJeus has also used DLL search order hijacking via the IKEEXT service, running with LocalSystem privileges, to load the TAXHAUL DLL for persistence.[7][2] |
| Enterprise | T1559 | Inter-Process Communication |
During the 3CX Supply Chain Attack, AppleJeus's VEILEDSIGNAL creates and listens on a Windows named pipe to exchange messages between modules.[2] |
|
| Enterprise | T1027 | Obfuscated Files or Information |
During the 3CX Supply Chain Attack, AppleJeus payloads use AES-256 GCM cipher to encrypt data to include ICONICSTEALER and VEILEDSIGNAL.[8][2] |
|
| .009 | Embedded Payloads |
During the 3CX Supply Chain Attack, AppleJeus uses embedded .dll as apart of a chained delivery mechanism to invoke the COM class factory.[7] |
||
| .013 | Encrypted/Encoded File |
During the 3CX Supply Chain Attack, AppleJeus encrypts its dynamic library files (.dll) using RC4, and when loaded only decrypts specific portions of the file using the key |
||
| Enterprise | T1566 | Phishing |
AppleJeus has used spearphishing emails to distribute malicious payloads.[1] |
|
| Enterprise | T1055 | Process Injection |
During the 3CX Supply Chain Attack, AppleJeus's VEILEDSIGNAL uses process injection to inject the C2 communication module code in the first found process instance of Chrome, Firefox, or Edge web browsers. It also monitors the established named pipe and re-injects the C2 communication module if necessary.[2] |
|
| .002 | Portable Executable Injection |
During the 3CX Supply Chain Attack, AppleJeus uses the SigFlip tool to inject arbitrary code without affecting or breaking the file's signature.[10][2] |
||
| Enterprise | T1620 | Reflective Code Loading |
During the 3CX Supply Chain Attack, AppleJeus leverages the publicly available open-source project DAVESHELL to convert PE-COFF files to position-independent code to reflectively load the payload into memory.[2][11] |
|
| Enterprise | T1553 | .002 | Subvert Trust Controls: Code Signing |
Although the X_TRADER platform was reportedly discontinued in 2020, it was still available for download from the legitimate Trading Technologies website in 2022. During the 3CX Supply Chain Attack, AppleJeus used a code signing certificate to digitally sign the malicious software with an expiration date set to October 2022. This file was signed with the subject "Trading Technologies International, Inc" and contained the executable file Setup.exe, also signed with the same digital certificate.[2][6] |
| Enterprise | T1195 | .002 | Supply Chain Compromise: Compromise Software Supply Chain |
During the 3CX Supply Chain Attack, AppleJeus first compromised an "end-of-life" trading software application which was downloaded and executed inside the 3CX enterprise environment. The second compromise modified the Windows and macOS build environments used to distribute the 3CX software to their customer base.[2] |
| Enterprise | T1218 | .007 | System Binary Proxy Execution: Msiexec |
During the 3CX Supply Chain Attack, AppleJeus delivered components using a Windows Installer package (.msi). The MSI installer extracted several files and executed the 3CXDesktopApp.exe, which loaded the malicious library file ffmpeg.dll.[7] |
| .015 | System Binary Proxy Execution: Electron Applications |
During the 3CX Supply Chain Attack, AppleJeus leveraged the 3CX application's electron framework to execute its malicious libraries under the official 3CX electron application.[7] |
||
| Enterprise | T1078 | Valid Accounts |
During 3CX Supply Chain Attack, AppleJeus has gained access to the 3CX corporate environment through legitimate VPN credentials.[6] |
|
| Enterprise | T1102 | .001 | Web Service: Dead Drop Resolver |
During the 3CX Supply Chain Attack, AppleJeus leveraged a GitHub repository to host icon files containing the command and control URL.[7][2] |
Software
| ID | Name | References | Techniques |
|---|---|---|---|
| S1144 | FRP |
During the 3CX Supply Chain Attack, AppleJeus used a compiled version of the publicly available FRP software to move laterally within the 3CX network. AppleJeus dropped the software in C:\Windows\System32 named MsMpEng.exe.[2]
|
Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: JavaScript, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Network Service Discovery, Non-Application Layer Protocol, Protocol Tunneling, Proxy, Proxy: Multi-hop Proxy, System Network Connections Discovery |
References
- Michael “Barni” Barnhart, DTEX, and Anonymous SMEs. (2025, May 14). Exposing DPRK's Cyber Syndicate and Hidden IT Workforce. Retrieved September 3, 2025.
- Jeff Johnson, Fred Plan, Adrian Sanchez, Renato Fontana, Jake Nicastro, Dimiter Andonov, Marius Fodoreanu, Daniel Scott. (2023, April 20). 3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise; Suspected North Korean Actor Responsible. Retrieved August 25, 2025.
- Michael Barnhart, Austin Larsen, Jeff Johnson, Taylor Long, Michelle Cantos, Adrian Hernandez. (2023, October 10). Assessed Cyber Structure and Alignments of North Korea in 2023. Retrieved August 25, 2025.
- 佐々木勇人 Hayato Sasaki. (2025, March 25). Tempted to Classifying APT Actors: Practical Challenges of Attribution in the Case of Lazarus’s Subgroup. Retrieved August 25, 2025.
- Unit 42. (2024, September 9). Threat Assessment: North Korean Threat Groups. Retrieved August 25, 2025.
- Agathocles Prodromou. (2023, April 20). Security Update Thursday 20 April 2023 – Initial Intrusion Vector Found. Retrieved August 25, 2025.
- Robert Falcone, Josh Grunzweig. (2023, March 30). Threat Brief: 3CXDesktopApp Supply Chain Attack. Retrieved September 15, 2025.
- Ankur Saini, Callum Roxan, Charlie Gardner, Paul Rascagneres, Steven Adair, Tom Lancaster. (2023, March 30). 3CX Supply Chain Compromise Leads to ICONIC Incident. Retrieved October 21, 2025.
- Trend Micro Research. (2023, March 30). Preventing and Detecting Attacks Involving 3CX Desktop App. Retrieved October 21, 2025.
- Mohamed El Azaar (med0x2e), TimWhite (timwhitez). (2023, August 28). GitHub SigFlip. Retrieved September 30, 2025.
- Nick Landers (monoxgas). (2022, June 18). GitHub monoxgas sRDI (DAVESHELL). Retrieved October 1, 2025.