Also known as: MacOS:Agent-ACF [Trj], Gen:Variant.Trojan.MAC.Agent.5, OSX/NukeSped.AE, HEUR:Backdoor.OSX.Agent.ao
Variants: KandyKorn C2
KandyKorn is a remote access trojan (RAT) that targets macOS devices linked to cryptocurrency exchanges and crypto projects. Once deployed on the system, the malware can stealthily steal files and sensitive data as well as execute covert commands on the victim’s machine. Based on the techniques used and underlying signs, KandyKorn is likely the work of the Lazarus Group, a state-sponsored hacker organization from North Korea.
KandyKorn relies on stealth to accomplish its goals — as such, there are few if any obvious signs that something is amiss. KandyKorn operators employ reflective binary loading to confuse and bypass most malware detection programs. To avoid discovery after installation, KandyKorn does not actively poll for commands, instead waiting patiently for instructions from the command server.
Potential indicators of a KandyKorn infection include:
Your device frequently freezes or stutters.
Your device’s fan seems to be constantly on, even when the device is idle.
Other malware appears on your device without a known cause.
Your device sends data to unknown remote servers (KandyKorn is uploading device information to its handlers).
Sources of infection
To date, all known KandyKorn infections were accomplished using social engineering techniques on social media. In a late 2023 case, hackers posed as members of the cryptocurrency community on Discord to offer a fake arbitrage bot to blockchain engineers. Once run, the program kicked off a complex process that eventually deployed the “SugarLoader” loader on the system and culminated in the installation of KandyKorn.
It is also possible for your device to get infected with KandyKorn from:
ZIP archives that are disguised attached to phishing emails.
Infected software “cracks” (programs designed to bypass legitimate copy protection measures).
Drive-by downloading (malicious scripts on compromised websites that force your device to automatically download malware when the page loads).
Peer-to-peer (P2P) sharing of infected files.
Infected external devices, such as hard drives or USB sticks.
The most effective protection against KandyKorn is common sense — and good cybersecurity practices. Do not download files from strangers on social media, no matter how sincere they seem. If you do decide to risk it, run the files into a secure isolated environment (accomplished using virtual machines) to prevent any possible infection from compromising the main system.
You can also take these other protective measures:
Always check the legitimacy of the site before downloading any files. While KandyKorn operators often share infected files directly, they could host them on fake websites to appear legitimate. Look for any sign of fraud (including the lack of HTTPS or web certificates).
Avoid potentially dangerous websites, like dark web pages or torrent repositories. These websites may attempt to install malware (including droppers for KandyKorn) on your device as soon as you open them.
Do not open suspicious email attachments. Look for telltale signs of phishing (such as poor spelling and grammar) and double-check the person and organization sending the email.
Use NordVPN’s Threat Protection to scan programs and files for malware while they’re being downloaded. Threat Protection will also alert you if you’re about to enter a known infected website to prevent drive-by-download attacks.
In almost all cases, KandyKorn should only be removed using dedicated and up-to-date macOS antivirus software. Without advanced IT skills and knowledge, manual removal may leave traces of the original KandyKorn installation chain present in the system, allowing it to spring up again at a later date.