New “Kandykorn” malware from the Lazarus Group

The North Korean hacker group Lazarus Group, renowned for its multiple attacks against the crypto sector, has recently launched a new offensive using a brand new malicious tool dubbed “Kandykorn”. As Elastic Security’s investigations have revealed, this new tool is designed to intensify the group’s attacks against crypto exchange platforms.

Kandykorn, advanced malware from the Lazarus Group

On Tuesday, October 31, Elastic Security Labs revealed the discovery of a highly sophisticated malware named “Kandykorn” during its investigation into Lazarus Group activity dating from April 2023.

In-depth analysis of the network infrastructure and the tactics used has made it possible to attribute this development to the North Korean group. The hackers posed as blockchain engineers, targeting other experts from crypto exchanges within a public Discord server.

The Kandykorn malware deployed by the Lazarus Group is a highly sophisticated tool, designed to monitor and interact with its target while evading detection.

The attackers claimed to have created a lucrative arbitrage bot capable of exploiting price variations between different cryptocurrencies on various exchange platforms.

Malware deployment, Kandykorn!

According to the report, the deployment of Kandykorn takes place in five stages, each designed to maximize efficiency.

  • Stage 0 (Initial Compromise) –
  • Stage 1 (Dropper) – and FinderTools
  • Stage 2 (Payload) – .sld and .log – SUGARLOADER
  • Stage 3 (Loader) – Discord (fake) – HLOADER
  • Stage 4 (Payload) – KANDYKORN

The process begins with the execution of a Python script named “” stored in a file called “”. This script establishes a connection to a remote Google Drive account, allowing content to be uploaded to a file called “”. Once this step is complete, “” is quickly deleted to erase all traces.

During execution of “”, additional content is downloaded from Google Drive. This additional content is retrieved by another Python file named “FinderTools”. FinderTools then downloads and runs “SUGARLOADER”.

SUGARLOADER uses a “binary packer” to hide itself, making it difficult for most anti-malware programs to detect. Elastic Security Labs managed to identify it by interrupting the program’s post-initialization functions and analyzing the virtual memory.
Once in place, SUGARLOADER connects to a remote server and retrieves the final-stage payload, KANDYKORN. This payload is executed directly in memory. In addition, SUGARLOADER launches a self-signed Swift-based binary, called “HLOADER”, masquerading as the legitimate Discord application. It manages to persist using a technique known as “execution flow hijacking”.
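The download-then-delete behaviour of the early stages lends itself to a simple endpoint correlation. The sketch below is an added example, not code from Elastic's report or from this article: it flags a Python process that contacts Google Drive, creates a file, and deletes that same file shortly afterwards. The event field names, the host list, the 60-second window and the sample telemetry are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumption: hosts treated as Google Drive endpoints for this sketch.
DRIVE_HOSTS = {"drive.google.com", "drive.usercontent.google.com"}
WINDOW = 60  # assumed max seconds between a file's creation and its deletion

def find_drive_droppers(events):
    """Return (pid, path) pairs where a Python process contacted Google Drive,
    then created a file and deleted that same file within WINDOW seconds."""
    drive_seen = {}              # pid -> time of first Drive connection
    created = defaultdict(dict)  # pid -> {path: creation time}
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        pid = ev["pid"]
        # Only interpreter processes are of interest here.
        if not ev["image"].rsplit("/", 1)[-1].startswith("python"):
            continue
        if ev["type"] == "net" and ev["host"] in DRIVE_HOSTS:
            drive_seen.setdefault(pid, ev["ts"])
        elif ev["type"] == "file_create" and pid in drive_seen:
            created[pid][ev["path"]] = ev["ts"]
        elif ev["type"] == "file_delete":
            t0 = created[pid].pop(ev["path"], None)
            if t0 is not None and ev["ts"] - t0 <= WINDOW:
                hits.append((pid, ev["path"]))
    return hits

PY = "/usr/bin/python3"
# Constructed sample telemetry (not taken from the report).
SAMPLE = [
    {"ts": 100, "pid": 41, "image": PY, "type": "net", "host": "drive.google.com"},
    {"ts": 102, "pid": 41, "image": PY, "type": "file_create", "path": "/tmp/stage_a"},
    {"ts": 105, "pid": 41, "image": PY, "type": "file_delete", "path": "/tmp/stage_a"},
    # Benign: Python writes and removes a temp file without touching Drive.
    {"ts": 110, "pid": 57, "image": PY, "type": "file_create", "path": "/tmp/cache"},
    {"ts": 111, "pid": 57, "image": PY, "type": "file_delete", "path": "/tmp/cache"},
    # Benign: a non-Python process talks to Drive.
    {"ts": 120, "pid": 63, "image": "/Applications/Browser", "type": "net", "host": "drive.google.com"},
    # Deletion long after creation falls outside the window and is ignored.
    {"ts": 200, "pid": 70, "image": PY, "type": "net", "host": "drive.google.com"},
    {"ts": 201, "pid": 70, "image": PY, "type": "file_create", "path": "/tmp/report"},
    {"ts": 400, "pid": 70, "image": PY, "type": "file_delete", "path": "/tmp/report"},
]

if __name__ == "__main__":
    for pid, path in find_drive_droppers(SAMPLE):
        print(f"pid {pid}: Drive contact followed by quick delete of {path}")
```

In practice the same correlation would run over the endpoint agent's own process, network and file events, with the window and host list tuned to the environment.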

Taking control of the target thanks to Kandykorn

Kandykorn, the final payload, presents itself as a powerful Trojan horse with a wide range of malicious capabilities. It can enumerate files, execute other malware, exfiltrate data, terminate processes and execute arbitrary commands. In other words, it can get pretty bad, pretty quickly.

A bit complicated? In short, this threat gives the remote server complete control over the victim’s system, jeopardizing the security of cryptocurrency exchange platforms.

The Lazarus Group’s Kandykorn attacks represent a major threat to exchanges. The group has been responsible for numerous private key hacks this year, stealing nearly $240 million in crypto since June. Victims include Atomic Wallet, CoinsPaid, Alphapo, CoinEx and
What measures do you think need to be put in place to counter this kind of attack and ensure that justice is done?