North Korean Hacker Group Kimsuky Targets South Korean Crypto Firms with New Malware

13 May 2024

North Korea's infamous Kimsuky hacking group, also known as APT43, has reportedly launched cyberattacks on two South Korean cryptocurrency firms, employing a newly discovered Golang-based malware dubbed "Durian."

According to cybersecurity solutions leader Kaspersky, Durian boasts "comprehensive backdoor functionality," enabling it to execute commands, download additional files, and exfiltrate data.

The attacks occurred between August and November 2023, exploiting a South Korean software vulnerability for initial access.

"Based on our telemetry, we pinpointed two victims within the South Korean cryptocurrency sector. The first compromise occurred in August 2023, followed by a second in November 2023," Kaspersky reported.

Once implanted, Durian deploys further tools, including Kimsuky's AppleSeed backdoor and a custom proxy tool called LazyLoad. LazyLoad has previously been linked to Andariel, a sub-group of the notorious Lazarus Group, which suggests shared tooling and tactics among North Korean threat groups.

Kimsuky, operating since at least 2012, falls under North Korea's Reconnaissance General Bureau (RGB), the country's military intelligence agency.

Known for its phishing campaigns, Kimsuky impersonated South Korean government officials and journalists in December 2023 in a campaign aimed at cryptocurrency theft. Police reports indicate 1,468 victims, including retired government officials from the diplomatic, military, and national security fields.

Previously, the group targeted Russian aerospace defense companies amid the COVID-19 pandemic. RT-Inform, the IT security arm of the Russian state-owned tech agency Rostec, observed a surge in cyberattacks during the pandemic from April to September 2020, including possible Kimsuky involvement.

As Kimsuky continues its cyber operations, vigilance and stronger cybersecurity measures become imperative, especially for sectors such as cryptocurrency firms that are prime targets of state-sponsored attacks.