AppleJeus

AppleJeus is a North Korea-aligned threat actor tracked under aliases including Citrine Sleet, UNC4736, Gleaming Pisces, and Labyrinth Chollima. Multiple sources in the content describe it as a DPRK state-affiliated group, and Mandiant is cited as assessing with high confidence that UNC4736 operates with a DPRK nexus and is aligned with the Reconnaissance General Bureau (RGB). The content also notes Microsoft’s North Korea naming family 'Sleet' and references Microsoft reporting on Citrine Sleet exploiting a Chromium zero-day in 2024. The actor is strongly associated with financially motivated operations targeting the cryptocurrency and decentralized finance ecosystem. The content states that AppleJeus/Citrine Sleet has targeted cryptocurrency organizations and developers since at least 2018 or 2022 using trojanized cryptocurrency trading applications, social engineering, and supply-chain style access operations. Reported victimology and incidents in the content include the 3CX software supply-chain compromise, the October 2024 Radiant Capital theft, and the April 2026 Drift Protocol theft. In the Radiant case, Mandiant attributed the attack to UNC4736/AppleJeus/Citrine Sleet and reported use of the INLETDRIFT macOS backdoor delivered through a Telegram impersonation lure to compromise hardware-wallet signers. In the Drift case, multiple reports cited in the content attribute the operation with medium or medium-high confidence to UNC4736/AppleJeus/Citrine Sleet, describing a six-month social-engineering campaign involving fake quantitative trading personas, in-person meetings, Telegram engagement, a possible malicious code repository, and a trojanized TestFlight wallet application to compromise multisig signing workflows. The content also links AppleJeus to developer- and supply-chain-focused tradecraft. During the 3CX supply-chain attack, AppleJeus reportedly used the COLDCAT C2 over HTTPS with data hidden in cookie headers, leveraged a GitHub repository hosting icon files containing the C2 URL, used ICONICSTEALER to collect browser information including browser history, and exploited Chrome vulnerability CVE-2022-0609 via a drive-by compromise website. Separate reporting in the content links Gleaming Pisces/UNC4736 with poisoned PyPI packages delivering PondRAT and new Linux/macOS POOLRAT variants as part of Operation Dream Job-style activity, with Unit 42 assessing the objective as compromising developers and supply-chain vendors. The content further notes overlap with AppleJeus-related infrastructure such as Celas Trade Pro via celasllc[.]com. Overall, the content portrays AppleJeus as a DPRK state-affiliated, cryptocurrency-focused intrusion cluster engaged in social engineering, trojanized trading software, malicious developer tooling and packages, supply-chain compromise, browser data theft, and C2 concealment over common web services and HTTPS.