216.73.217.22

Gleaming Pisces

· Published 16/12/2025 19:39 · Modified 04/05/2026 16:59 · Source: The MITRE Corporation

Essential information

Confidence
100/100
Published
16/12/2025 19:39
Modified
04/05/2026 16:59
Updated at
04/05/2026 16:59
Revoked
No
Author / Source
The MITRE Corporation
Resource level
Primary motivation
Related entities
1 reports, 30 attack patterns (mitre), 6 malware, 5 sectors, 18 indicators, 10 vulnerabilities (cve), 1 campaign

Aliases

UNC1720 UNC4736 Citrine Sleet AppleJeus

Description

[AppleJeus](https://attack.mitre.org/groups/G1049) is a North Korean state-sponsored threat group attributed to the Reconnaissance General Bureau. Associated with the broader [Lazarus Group](https://attack.mitre.org/groups/G0032) umbrella of actors, [AppleJeus](https://attack.mitre.org/groups/G1049) has been active since at least 2018 and is closely aligned in resources with TEMP.hermit, another DPRK-affiliated group under the same umbrella.(Citation: dtex DPRK 2025 structure ITworkers) The group’s primary mission is to generate and launder revenue to provide financial support to the government. [AppleJeus](https://attack.mitre.org/groups/G1049) primarily targets the cryptocurrency industry and is most notably responsible for the [3CX Supply Chain Attack](https://attack.mitre.org/campaigns/C0057).(Citation: Mandiant 3cx UNC4736 2023) The group traditionally deploys malicious cryptocurrency software in combination with [Phishing](https://attack.mitre.org/techniques/T1566). From these compromised environments, it selectively deploys additional backdoors to enable extended operations against high-value financial targets.(Citation: Mandiant DPRK Groups 2023)(Citation: JPCert Blog Laz Subgroups 2025)

Marking (TLP)

TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.

External references

Related entities

Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.

Reports (1)

Attack patterns (MITRE) (30)

  • T1105 uses
    Ingress Tool Transfer
  • T1204.002 uses
    Malicious File
  • Financial Theft uses
  • T1014 uses
    Rootkit
  • T1132 uses
    Data Encoding
  • T1195.002 uses
    Compromise Software Supply Chain
  • T1083 uses
    File and Directory Discovery
  • T1553 uses
    Subvert Trust Controls
  • T1059 uses
    Command and Scripting Interpreter
  • T1573 uses
    Encrypted Channel
  • T1543 uses
    Create or Modify System Process
  • T1588.002 uses
    Tool
  • T1106 uses
    Native API
  • T1005 uses
    Data from Local System
  • T1176 uses
    Software Extensions
  • T1027 uses
    Obfuscated Files or Information
  • T1140 uses
    Deobfuscate/Decode Files or Information
  • T1195 uses
    Supply Chain Compromise
  • T1036 uses
    Masquerading
  • T1059.004 uses
    Unix Shell
  • T1102 uses
    Web Service
  • T1496 uses
    Resource Hijacking
  • T1082 uses
    System Information Discovery
  • T1566 uses
    Phishing
  • T1059.006 uses
    Python
  • T1068 uses
    Exploitation for Privilege Escalation
  • T1041 uses
    Exfiltration Over C2 Channel
  • T1071.001 uses
    Web Protocols
  • T1543.001 uses
    Launch Agent
  • T1571 uses
    Non-Standard Port

Malware (6)

  • Kaolin uses
    Family
    Published 02/09/2024 20:46 · Modified 02/09/2024 20:46
  • BADCALL - S0245 uses
    Family
    Published 04/05/2026 06:08 · Modified 04/05/2026 06:08
  • kupayupdate_stage2 uses
    Family
    Published 04/05/2026 06:08 · Modified 04/05/2026 06:08
  • PondRAT uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 20/12/2025 19:46 · Modified 29/05/2026 12:20
  • AppleJeus - S0584 uses
    Family
    Published 04/05/2026 06:08 · Modified 04/05/2026 06:08
  • POOLRAT uses
    Family
    Published 25/05/2026 13:00 · Modified 25/05/2026 13:00

Sectors (5)

  • Entertainment industry targets
  • Technology targets
  • Financial organizations targets
  • Government targets
  • Finance targets

Indicators (18)

Vulnerabilities (CVE) (10)

CVE-2024-21338 KEV
7.8 High

Microsoft Windows Kernel contains an exposed IOCTL with insufficient access control vulnerability within the IOCTL (input and output control) dispatcher in appid.sys …

Attack vector
Local
Published
04/03/2024
Modified
21/12/2025
CVE-2024-7971 KEV
9.6 Critical

Google Chromium V8 contains a type confusion vulnerability that allows a remote attacker to exploit heap corruption via a crafted HTML page. …

Attack vector
Network
Published
26/08/2024
Modified
21/12/2025
Analyzed
CVE-2024-38193 KEV
7.8 High

Microsoft Windows Ancillary Function Driver for WinSock contains an unspecified vulnerability that allows for privilege escalation, enabling a local attacker to gain …

Attack vector
Local
Published
13/08/2024
Modified
21/12/2025
Received
CVE-2024-5274 KEV
9.6 Critical

Google Chromium V8 contains a type confusion vulnerability that allows a remote attacker to execute code via a crafted HTML page. This …

Attack vector
Network
Published
28/05/2024
Modified
21/12/2025
Awaiting Analysis
CVE-2023-42793 KEV
9.8 Critical

JetBrains TeamCity contains an authentication bypass vulnerability that allows for remote code execution on TeamCity Server.

Attack vector
Network
Published
04/10/2023
Modified
29/05/2026
CVE-2024-3400 KEV
10.0 Critical

Palo Alto Networks PAN-OS GlobalProtect feature contains a command injection vulnerability that allows an unauthenticated attacker to execute commands with root privileges …

Attack vector
Network
Published
12/04/2024
Modified
21/12/2025
CVE-2024-4947 KEV
9.6 Critical

Type Confusion in V8 in Google Chrome prior to 125.0.6422.60 allowed a remote attacker to execute arbitrary code inside a sandbox via …

Attack vector
Network
Published
20/05/2024
Modified
29/05/2026
Received
CVE-2024-38106 KEV
7.0 High

Microsoft Windows Kernel contains an unspecified vulnerability that allows for privilege escalation, enabling a local attacker to gain SYSTEM privileges. Successful exploitation …

Attack vector
Local
Published
13/08/2024
Modified
21/12/2025
Received
CVE-2024-3094
10.0 Critical

Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma …

Attack vector
NETWORK
Published
29/03/2024
Modified
21/12/2025
CVE-2025-55182 KEV
10.0 Critical

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, …

Attack vector
Network
Published
05/12/2025
Modified
29/05/2026
Analyzed

Campaign (1)

  • 3CX Supply Chain Attack attributed-to