G1049 AppleJeus

AppleJeus is a North Korean state-sponsored threat group attributed to the Reconnaissance General Bureau. Associated with the broader Lazarus Group umbrella of actors, AppleJeus has been active since at least 2018 and is closely aligned in resources with TEMP.Hermit, another DPRK-affiliated group under the same umbrella. [2] The group's primary mission is to generate and launder revenue to provide financial support to the government. AppleJeus primarily targets the cryptocurrency industry and is most notably responsible for the 3CX Supply Chain Attack. [1] The group traditionally deploys malicious cryptocurrency software in combination with Phishing. From these compromised environments, it selectively deploys additional backdoors to enable extended operations against high-value financial targets. [3][5]

Item | Value
ID | G1049
Associated Names | Gleaming Pisces, Citrine Sleet, UNC1720, UNC4736
Version | 1.0
Created | 25 August 2025
Last Modified | 23 October 2025

Associated Group Descriptions

Name | Description
Gleaming Pisces | [4]
Citrine Sleet | [4]
UNC1720 | [5][3]
UNC4736 | [2][1]

Techniques Used

Domain | ID | Name | Use
enterprise | T1071 | Application Layer Protocol | -
enterprise | T1071.001 | Web Protocols | During the 3CX Supply Chain Attack, AppleJeus's COLDCAT C2 used cookie headers to carry data over HTTPS. The cookies also contain the hardcoded variables __tutma or __tutmc in the payload's HTTPS request. [1][8]
enterprise | T1217 | Browser Information Discovery | During the 3CX Supply Chain Attack, AppleJeus leveraged ICONICSTEALER to steal browser information, including browser history, from the infected host. [6][1][10]
enterprise | T1543 | Create or Modify System Process | -
enterprise | T1543.004 | Launch Daemon | During the 3CX Supply Chain Attack, AppleJeus installed a Launch Daemon to execute the POOLRAT macOS backdoor. [1]
enterprise | T1678 | Delay Execution | During the 3CX Supply Chain Attack, AppleJeus's software generated a randomly selected date between 1 and 4 weeks in the future. This timestamp is then compared against the current time of the compromised machine, and the malware sleeps until that time is reached. [8]
enterprise | T1189 | Drive-by Compromise | During the 3CX Supply Chain Attack, AppleJeus compromised the www.tradingtechnologies[.]com website, hosting a hidden IFRAME to exploit visitors, two months before the site was known to deliver a compromised version of the X_TRADER software package. [1]
enterprise | T1573 | Encrypted Channel | -
enterprise | T1573.001 | Symmetric Cryptography | During the 3CX Supply Chain Attack, AppleJeus's VEILEDSIGNAL communication module supported three commands: send implant data, execute shellcode, and terminate itself. [1]
enterprise | T1546 | Event Triggered Execution | -
enterprise | T1546.016 | Installer Packages | During the 3CX Supply Chain Attack, AppleJeus added a malicious .dylib file to a .dmg installer package for the macOS 3CX application. [8]
enterprise | T1203 | Exploitation for Client Execution | During the 3CX Supply Chain Attack, AppleJeus leveraged the Chrome vulnerability CVE-2022-0609 in combination with a Drive-by Compromise website. [1]
enterprise | T1657 | Financial Theft | AppleJeus has targeted the cryptocurrency industry with the goal of stealing digital assets. [3]
enterprise | T1574 | Hijack Execution Flow | -
enterprise | T1574.001 | DLL | During the 3CX Supply Chain Attack, AppleJeus split functionality across multiple .dll files using export functions, such as DLLGetClassObject, to execute code from a .dll embedded within another .dll. AppleJeus has also used DLL search order hijacking via the IKEEXT service, running with LocalSystem privileges, to load the TAXHAUL DLL for persistence. [8][1]
enterprise | T1559 | Inter-Process Communication | During the 3CX Supply Chain Attack, AppleJeus's VEILEDSIGNAL created and listened on a Windows named pipe to exchange messages between modules. [1]
enterprise | T1027 | Obfuscated Files or Information | During the 3CX Supply Chain Attack, AppleJeus payloads, including ICONICSTEALER and VEILEDSIGNAL, used the AES-256-GCM cipher to encrypt data. [6][1]
enterprise | T1027.009 | Embedded Payloads | During the 3CX Supply Chain Attack, AppleJeus used an embedded .dll as part of a chained delivery mechanism to invoke the COM class factory. [8]
enterprise | T1027.013 | Encrypted/Encoded File | During the 3CX Supply Chain Attack, AppleJeus encrypted its dynamic library files (.dll) using RC4 and, when loaded, decrypted only specific portions of the file using the key "3jB(2bsG#@c7". [8]
enterprise | T1566 | Phishing | AppleJeus has used spearphishing emails to distribute malicious payloads. [2]
enterprise | T1055 | Process Injection | During the 3CX Supply Chain Attack, AppleJeus's VEILEDSIGNAL used process injection to inject the C2 communication module into the first found process instance of the Chrome, Firefox, or Edge web browsers. It also monitored the established named pipe and re-injected the C2 communication module if necessary. [1]
enterprise | T1055.002 | Portable Executable Injection | During the 3CX Supply Chain Attack, AppleJeus used the SigFlip tool to inject arbitrary code without affecting or breaking the file's signature. [1][11]
enterprise | T1620 | Reflective Code Loading | During the 3CX Supply Chain Attack, AppleJeus leveraged the publicly available open-source project DAVESHELL to convert PE-COFF files to position-independent code and reflectively load the payload into memory. [1][9]
enterprise | T1553 | Subvert Trust Controls | -
enterprise | T1553.002 | Code Signing | Although the X_TRADER platform was reportedly discontinued in 2020, it was still available for download from the legitimate Trading Technologies website in 2022. During the 3CX Supply Chain Attack, AppleJeus used a code signing certificate to digitally sign the malicious software, with an expiration date set to October 2022. This file was signed with the subject "Trading Technologies International, Inc" and contained the executable file Setup.exe, also signed with the same digital certificate. [1][7]
enterprise | T1195 | Supply Chain Compromise | -
enterprise | T1195.002 | Compromise Software Supply Chain | During the 3CX Supply Chain Attack, AppleJeus first compromised an "end-of-life" trading software application, which was downloaded and executed inside the 3CX enterprise environment. The second compromise modified the Windows and macOS build environments used to distribute the 3CX software to its customer base. [1]
enterprise | T1218 | System Binary Proxy Execution | -
enterprise | T1218.007 | Msiexec | During the 3CX Supply Chain Attack, AppleJeus delivered components using a Windows Installer package (.msi). The MSI installer extracted several files and executed 3CXDesktopApp.exe, which loaded the malicious library file ffmpeg.dll. [8]
enterprise | T1218.015 | Electron Applications | During the 3CX Supply Chain Attack, AppleJeus leveraged the 3CX application's Electron framework to execute its malicious libraries under the official 3CX Electron application. [8]
enterprise | T1078 | Valid Accounts | During the 3CX Supply Chain Attack, AppleJeus gained access to the 3CX corporate environment through legitimate VPN credentials. [7]
enterprise | T1102 | Web Service | -
enterprise | T1102.001 | Dead Drop Resolver | During the 3CX Supply Chain Attack, AppleJeus leveraged a GitHub repository to host icon files containing the command and control URL. [8][1]
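The Web Protocols row above notes that COLDCAT's HTTPS beacons carry hardcoded cookie names (__tutma, __tutmc). The following detection sketch is an added example, not MITRE's or any vendor's code: it parses constructed proxy log lines (the log layout, hosts and cookie values are assumptions) and flags requests whose Cookie header contains one of those exact names, while ignoring look-alikes such as Google Analytics' __utma.

```python
import re
from dataclasses import dataclass

# Cookie names the ATT&CK entry reports COLDCAT hard-codes in its HTTPS requests.
COLDCAT_COOKIE_MARKERS = ("__tutma", "__tutmc")

# Constructed sample log (not real traffic): timestamp, client IP, method, URL,
# then the raw Cookie header in double quotes. The format is an assumption.
SAMPLE_LOG = """\
2023-03-29T10:12:01Z 10.0.0.15 GET https://example-cdn.invalid/assets/app.js "sessionid=abc123; theme=dark"
2023-03-29T10:12:05Z 10.0.0.15 POST https://updates.example.invalid/api/v1/ping "__tutma=MTIzNDU2Nzg5MDEy; path=/"
2023-03-29T10:13:44Z 10.0.0.22 GET https://www.example.invalid/ "_ga=GA1.2.111; __utma=1.2.3"
2023-03-29T10:14:09Z 10.0.0.31 POST https://cdn-files.example.invalid/upload "__tutmc=QUJDREVGR0hJSktM; lang=en"
"""

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "(.*)"$')


@dataclass(frozen=True)
class Hit:
    timestamp: str
    client: str
    url: str
    marker: str


def parse_cookies(header: str) -> dict[str, str]:
    """Split a raw Cookie header into a name -> value mapping."""
    cookies: dict[str, str] = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        cookies[name.strip()] = value.strip()
    return cookies


def find_coldcat_markers(log_text: str) -> list[Hit]:
    """Return one Hit per (request, marker) where the Cookie header names a COLDCAT marker."""
    hits: list[Hit] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        ts, client, _method, url, cookie_header = m.groups()
        names = parse_cookies(cookie_header)
        for marker in COLDCAT_COOKIE_MARKERS:
            if marker in names:  # exact cookie-name match, so __utma does not fire
                hits.append(Hit(ts, client, url, marker))
    return hits


if __name__ == "__main__":
    for h in find_coldcat_markers(SAMPLE_LOG):
        print(f"{h.timestamp} {h.client} -> {h.url} cookie {h.marker}")
```

In a real deployment the marker match is only a first-pass signal; the page also notes the data itself rides in the cookie value, so a follow-up check on high-entropy or base64-looking values for those names narrows false positives.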

Software

ID | Name | References | Techniques
S1144 | FRP | During the 3CX Supply Chain Attack, AppleJeus used a compiled version of the publicly available FRP software to move laterally within the 3CX network. AppleJeus dropped the software in C:\Windows\System32 named MsMpEng.exe. [1] | Application Layer Protocol: Web Protocols; Command and Scripting Interpreter: JavaScript; Encrypted Channel: Asymmetric Cryptography; Encrypted Channel: Symmetric Cryptography; Network Service Discovery; Non-Application Layer Protocol; Protocol Tunneling; Proxy; Proxy: Multi-hop Proxy; System Network Connections Discovery

References

1. Jeff Johnson, Fred Plan, Adrian Sanchez, Renato Fontana, Jake Nicastro, Dimiter Andonov, Marius Fodoreanu, Daniel Scott. (2023, April 20). 3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise; Suspected North Korean Actor Responsible. Retrieved August 25, 2025.
2. Michael "Barni" Barnhart, DTEX, and Anonymous SMEs. (2025, May 14). Exposing DPRK's Cyber Syndicate and Hidden IT Workforce. Retrieved September 3, 2025.
3. Michael Barnhart, Austin Larsen, Jeff Johnson, Taylor Long, Michelle Cantos, Adrian Hernandez. (2023, October 10). Assessed Cyber Structure and Alignments of North Korea in 2023. Retrieved August 25, 2025.
4. Unit 42. (2024, September 9). Threat Assessment: North Korean Threat Groups. Retrieved August 25, 2025.
5. 佐々木勇人 Hayato Sasaki. (2025, March 25). Tempted to Classifying APT Actors: Practical Challenges of Attribution in the Case of Lazarus's Subgroup. Retrieved August 25, 2025.
6. Ankur Saini, Callum Roxan, Charlie Gardner, Paul Rascagneres, Steven Adair, Tom Lancaster. (2023, March 30). 3CX Supply Chain Compromise Leads to ICONIC Incident. Retrieved October 21, 2025.
7. Agathocles Prodromou. (2023, April 20). Security Update Thursday 20 April 2023 - Initial Intrusion Vector Found. Retrieved August 25, 2025.
8. Robert Falcone, Josh Grunzweig. (2023, March 30). Threat Brief: 3CXDesktopApp Supply Chain Attack. Retrieved September 15, 2025.
9. Nick Landers (monoxgas). (2022, June 18). GitHub monoxgas sRDI (DAVESHELL). Retrieved October 1, 2025.
10. Trend Micro Research. (2023, March 30). Preventing and Detecting Attacks Involving 3CX Desktop App. Retrieved October 21, 2025.
11. Mohamed El Azaar (med0x2e), TimWhite (timwhitez). (2023, August 28). GitHub SigFlip. Retrieved September 30, 2025.
12. Brian Krebs. (2023, April 20). 3CX Breach Was a Double Supply Chain Compromise. Retrieved May 22, 2025.
13. Georgy Kucherin, Vasily Berdnikov, Vilen Kamalov. (2023, April 3). Not just an infostealer: Gopuram backdoor deployed through 3CX supply chain attack. Retrieved August 25, 2025.