North Korean hackers mix code from proven malware campaigns to avoid detection
SentinelOne observed a new obfuscation technique that combines the RustBucket dropper module with the KandyKorn RAT payload, used to target blockchain engineers on cryptocurrency exchange platforms. The attackers used the SwiftLoader PDF viewer and Python scripts to deploy the malware, taking control of the victim’s Discord application and introducing a persistent backdoor RAT written in C++, known as “KandyKorn”.