A recent report from cybersecurity firm Kaspersky reveals that North Korean hackers, specifically the Kimsuky group, have been using a new and notable malware variant named “Durian” to carry out attacks on South Korean cryptocurrency companies. The attacks, described as persistent, exploited legitimate security software that is exclusively used by crypto firms in South Korea.

The Durian malware, previously unknown to the cybersecurity community, functions as an installer that deploys a series of malware, including a backdoor called “AppleSeed,” a custom proxy tool called LazyLoad, and other legitimate tools like Chrome Remote Desktop. Kaspersky notes that Durian possesses comprehensive backdoor functionality, allowing the execution of delivered commands, downloading additional files, and exfiltrating data.

Interestingly, Kaspersky also discovered that LazyLoad, the proxy tool used by Durian, was previously associated with Andariel, a sub-group within the North Korean hacking consortium Lazarus Group. This suggests a potential connection between Kimsuky and the more infamous Lazarus Group.

In 2023 alone, Lazarus was responsible for pilfering over $309 million, which accounted for approximately 17% of the total stolen funds that year. According to a report by Immunefi, a cybersecurity company, more than $1.8 billion worth of cryptocurrencies fell victim to hacks and exploits throughout 2023.