{"id":54431,"date":"2023-11-03T18:55:00","date_gmt":"2023-11-03T18:55:00","guid":{"rendered":"https:\/\/www.darkreading.com\/endpoint\/kandykorn-macos-malware-lures-crypto-engineers"},"modified":"2023-11-03T18:55:00","modified_gmt":"2023-11-03T18:55:00","slug":"kandykorn-macos-malware-lures-crypto-engineers","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/kandykorn-macos-malware-lures-crypto-engineers\/","title":{"rendered":"&#8216;KandyKorn&#8217; macOS Malware Lures Crypto Engineers"},"content":{"rendered":"<div><img decoding=\"async\" src=\"https:\/\/eu-images.contentstack.com\/v3\/assets\/blt66983808af36a8ef\/blt0ce50d239f4d586c\/65453ced6b6967040a39c96d\/candy_corn-Brent_Hofacker-Alamy.jpg\" class=\"ff-og-image-inserted\"><\/div>\n<p>The infamous North Korean advanced persistent threat (APT) group <a href=\"https:\/\/www.darkreading.com\/cloud\/lazarus-group-striking-vulnerable-windows-iis-web-servers\" target=\"_blank\" rel=\"noopener\">Lazarus<\/a> has developed a form of macOS malware called &#8220;KandyKorn,&#8221; which it is using to target blockchain engineers connected to cryptocurrency exchanges.<\/p>\n<p>According to a <a href=\"https:\/\/www.elastic.co\/security-labs\/elastic-catches-dprk-passing-out-kandykorn\" target=\"_blank\" rel=\"noopener\">report from Elastic Security Labs<\/a>, KandyKorn has a full-featured set of capabilities to detect, access, and steal any data from the victim&#8217;s computer, including cryptocurrency services and applications.<\/p>\n<p>To deliver it, Lazarus took a multistage approach involving a Python application masquerading as a cryptocurrency arbitrage bot (a software tool capable of profiting from the difference in cryptocurrency rates between cryptocurrency exchange platforms). The app featured misleading names, including &#8220;config.py&#8221; and &#8220;pricetable.py,&#8221; and was distributed through a public Discord server.<\/p>\n<p>The group then employed social engineering techniques to encourage its victims to download and unzip a zip archive into their development environments, purportedly containing the bot. In actuality, the file contained a prebuilt Python application with malicious code.<\/p>\n<p>Victims of the attack believed they had installed an arbitrage bot, but launching the Python application initiated the execution of a multistep malware flow culminating in the deployment of the KandyKorn malicious tool, Elastic Security experts said.<\/p>\n<h2 class=\"regular-text\">KandyKorn Malware&#8217;s Infection Routine<\/h2>\n<p>The attack begins with the execution of Main.py, which imports Watcher.py. This script checks the Python version, sets up local directories, and retrieves two scripts directly from Google Drive: TestSpeed.py and FinderTools.<\/p>\n<p>These scripts are used to download and execute an obfuscated binary called Sugarloader, responsible for giving initial access to the machine and preparing the final stages of the malware, which also involve a tool called Hloader.<\/p>\n<p>The threat team was able to trace the entire malware deployment path, drawing the conclusion that KandyKorn is the final stage of the execution chain.<\/p>\n<p>KandyKorn processes then establish communication with the hackers&#8217; server, allowing it to branch out and run in the background.<\/p>\n<p>The malware does not poll the device and installed applications but waits for direct commands from the hackers, according to the analysis, which reduces the number of endpoints and network artifacts created, thus limiting the possibility of detection.<\/p>\n<p>The threat group also used reflective binary loading as an obfuscation technique, which helps the malware bypass most detection programs.<\/p>\n<p>&#8220;Adversaries commonly use obfuscation techniques such as this to bypass traditional static signature-based antimalware capabilities,&#8221; the report noted.<\/p>\n<h2 class=\"regular-text\">Cryptocurrency Exchanges Under Fire<\/h2>\n<p>Cryptocurrency exchanges have suffered a series of <a href=\"https:\/\/www.darkreading.com\/vulnerabilities-threats\/private-key-leaks-attackers-empty-crypto-investors-wallets\" target=\"_blank\" rel=\"noopener\">private key theft attacks in 2023<\/a>, most of which have been attributed to the Lazarus group, which uses its ill-gotten gains to fund the North Korean regime. The FBI recently found the group had <a href=\"https:\/\/www.darkreading.com\/threat-intelligence\/fbi-warns-of-cryptocurrency-heists-by-north-koreas-lazarus-group\" target=\"_blank\" rel=\"noopener\">moved 1,580 bitcoins<\/a> from multiple cryptocurrency heists, holding the funds in six different bitcoin addresses.<\/p>\n<p>In September, attackers were discovered <a href=\"https:\/\/www.darkreading.com\/attacks-breaches\/weaponized-windows-installers-target-graphic-designers-in-crypto-heist\" target=\"_blank\" rel=\"noopener\">targeting 3D modelers and graphic designers<\/a> with malicious versions of a legitimate Windows installer tool in a cryptocurrency-thieving campaign that&#8217;s been ongoing since at least November 2021.<\/p>\n<p>A month prior, researchers uncovered two related malware campaigns, dubbed <a href=\"https:\/\/www.darkreading.com\/attacks-breaches\/cherrybios-malware-ocr-android-users-cryptocurrency\" target=\"_blank\" rel=\"noopener\">CherryBlos and FakeTrade,<\/a> which targeted Android users for cryptocurrency theft and other financially motivated scams.<\/p>\n<h2 class=\"regular-text\">Growing Threat From DPKR<\/h2>\n<p>An unprecedented collaboration by various APTs within the Democratic People&#8217;s Republic of Korea (DPRK) makes them harder to track, setting the stage for aggressive, complex cyberattacks that demand strategic response efforts, a recent report from <a href=\"https:\/\/www.darkreading.com\/threat-intelligence\/north-korea-state-sponsored-apt-organize-align\" target=\"_blank\" rel=\"noopener\">Mandiant warned<\/a>.<\/p>\n<p>For instance, the country&#8217;s leader, Kim Jong Un, has a Swiss Army knife APT named Kimsuky, which continues to spread its tendrils around the world, indicating it&#8217;s not intimidated by the <a href=\"https:\/\/www.darkreading.com\/threat-intelligence\/north-korea-kimsuky-apt-keeps-growing-despite-public-outing\" target=\"_blank\" rel=\"noopener\">researchers closing in<\/a>. Kimsuky has gone through many iterations and evolutions, including&nbsp;<a href=\"https:\/\/www.darkreading.com\/operations\/how-north-korean-apt-kimsuky-is-evolving-its-tactics\" target=\"_blank\" rel=\"noopener\">an outright split into two subgroups<\/a>.<\/p>\n<p>Meanwhile, the Lazarus group appears to have added a <a href=\"https:\/\/www.darkreading.com\/cloud\/north-korea-meta-complex-backdoor-aerospace\" target=\"_blank\" rel=\"noopener\">complex and still evolving new backdoor<\/a> to its malware arsenal, first spotted in a successful cyber compromise of a Spanish aerospace company.<\/p>\n<p>Read More <a href=\"https:\/\/www.darkreading.com\/endpoint\/kandykorn-macos-malware-lures-crypto-engineers\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Posing as fellow engineers, the North Korean state-sponsored cybercrime group Lazarus tricked crypto-exchange developers into downloading the hard-to-detect malware.Read More <a href=\"https:\/\/www.darkreading.com\/endpoint\/kandykorn-macos-malware-lures-crypto-engineers\">HERE<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[151],"tags":[],"class_list":["post-54431","post","type-post","status-publish","format-standard","hentry","category-darkreading-ti"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v28.0 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>&#039;KandyKorn&#039; macOS Malware Lures Crypto Engineers 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/kandykorn-macos-malware-lures-crypto-engineers\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"&#039;KandyKorn&#039; macOS Malware Lures Crypto Engineers 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/kandykorn-macos-malware-lures-crypto-engineers\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2023-11-03T18:55:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/eu-images.contentstack.com\/v3\/assets\/blt66983808af36a8ef\/blt0ce50d239f4d586c\/65453ced6b6967040a39c96d\/candy_corn-Brent_Hofacker-Alamy.jpg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/kandykorn-macos-malware-lures-crypto-engineers\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/kandykorn-macos-malware-lures-crypto-engineers\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"&#8216;KandyKorn&#8217; macOS Malware Lures Crypto Engineers\",\"datePublished\":\"2023-11-03T18:55:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/kandykorn-macos-malware-lures-crypto-engineers\\\/\"},\"wordCount\":636,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/kandykorn-macos-malware-lures-crypto-engineers\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/eu-images.contentstack.com\\\/v3\\\/assets\\\/blt66983808af36a8ef\\\/blt0ce50d239f4d586c\\\/65453ced6b6967040a39c96d\\\/candy_corn-Brent_Hofacker-Alamy.jpg\",\"articleSection\":[\"DarkReading |TI\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/kandykorn-macos-malware-lures-crypto-engineers\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/kandykorn-macos-malware-lures-crypto-engineers\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/kandykorn-macos-malware-lures-crypto-engineers\\\/\",\"name\":\"'KandyKorn' macOS Malware Lures Crypto Engineers 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/kandykorn-macos-malware-lures-crypto-engineers\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/kandykorn-macos-malware-lures-crypto-engineers\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/eu-images.contentstack.com\\\/v3\\\/assets\\\/blt66983808af36a8ef\\\/blt0ce50d239f4d586c\\\/65453ced6b6967040a39c96d\\\/candy_corn-Brent_Hofacker-Alamy.jpg\",\"datePublished\":\"2023-11-03T18:55:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/kandykorn-macos-malware-lures-crypto-engineers\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/kandykorn-macos-malware-lures-crypto-engineers\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/kandykorn-macos-malware-lures-crypto-engineers\\\/#primaryimage\",\"url\":\"https:\\\/\\\/eu-images.contentstack.com\\\/v3\\\/assets\\\/blt66983808af36a8ef\\\/blt0ce50d239f4d586c\\\/65453ced6b6967040a39c96d\\\/candy_corn-Brent_Hofacker-Alamy.jpg\",\"contentUrl\":\"https:\\\/\\\/eu-images.contentstack.com\\\/v3\\\/assets\\\/blt66983808af36a8ef\\\/blt0ce50d239f4d586c\\\/65453ced6b6967040a39c96d\\\/candy_corn-Brent_Hofacker-Alamy.jpg\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/kandykorn-macos-malware-lures-crypto-engineers\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"&#8216;KandyKorn&#8217; macOS Malware Lures Crypto Engineers\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"'KandyKorn' macOS Malware Lures Crypto Engineers 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/kandykorn-macos-malware-lures-crypto-engineers\/","og_locale":"en_US","og_type":"article","og_title":"'KandyKorn' macOS Malware Lures Crypto Engineers 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/kandykorn-macos-malware-lures-crypto-engineers\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2023-11-03T18:55:00+00:00","og_image":[{"url":"https:\/\/eu-images.contentstack.com\/v3\/assets\/blt66983808af36a8ef\/blt0ce50d239f4d586c\/65453ced6b6967040a39c96d\/candy_corn-Brent_Hofacker-Alamy.jpg","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/kandykorn-macos-malware-lures-crypto-engineers\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/kandykorn-macos-malware-lures-crypto-engineers\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"&#8216;KandyKorn&#8217; macOS Malware Lures Crypto Engineers","datePublished":"2023-11-03T18:55:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/kandykorn-macos-malware-lures-crypto-engineers\/"},"wordCount":636,"commentCount":0,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/kandykorn-macos-malware-lures-crypto-engineers\/#primaryimage"},"thumbnailUrl":"https:\/\/eu-images.contentstack.com\/v3\/assets\/blt66983808af36a8ef\/blt0ce50d239f4d586c\/65453ced6b6967040a39c96d\/candy_corn-Brent_Hofacker-Alamy.jpg","articleSection":["DarkReading |TI"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.threatshub.org\/blog\/kandykorn-macos-malware-lures-crypto-engineers\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/kandykorn-macos-malware-lures-crypto-engineers\/","url":"https:\/\/www.threatshub.org\/blog\/kandykorn-macos-malware-lures-crypto-engineers\/","name":"'KandyKorn' macOS Malware Lures Crypto Engineers 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/kandykorn-macos-malware-lures-crypto-engineers\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/kandykorn-macos-malware-lures-crypto-engineers\/#primaryimage"},"thumbnailUrl":"https:\/\/eu-images.contentstack.com\/v3\/assets\/blt66983808af36a8ef\/blt0ce50d239f4d586c\/65453ced6b6967040a39c96d\/candy_corn-Brent_Hofacker-Alamy.jpg","datePublished":"2023-11-03T18:55:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/kandykorn-macos-malware-lures-crypto-engineers\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/kandykorn-macos-malware-lures-crypto-engineers\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/kandykorn-macos-malware-lures-crypto-engineers\/#primaryimage","url":"https:\/\/eu-images.contentstack.com\/v3\/assets\/blt66983808af36a8ef\/blt0ce50d239f4d586c\/65453ced6b6967040a39c96d\/candy_corn-Brent_Hofacker-Alamy.jpg","contentUrl":"https:\/\/eu-images.contentstack.com\/v3\/assets\/blt66983808af36a8ef\/blt0ce50d239f4d586c\/65453ced6b6967040a39c96d\/candy_corn-Brent_Hofacker-Alamy.jpg"},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/kandykorn-macos-malware-lures-crypto-engineers\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"&#8216;KandyKorn&#8217; macOS Malware Lures Crypto Engineers"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/54431","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=54431"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/54431\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=54431"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=54431"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=54431"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}