UNC4736, also tracked by Microsoft as Citrine Sleet, is a North Korean advanced persistent threat (APT) group assessed to be state-sponsored. It is primarily financially motivated, running cybercrime and espionage operations against the cryptocurrency, decentralized finance (DeFi) and financial technology (fintech) sectors. UNC4736 is known for multi-stage campaigns that combine software supply chain compromises, zero-day exploitation and elaborate social engineering to generate revenue for the North Korean regime. Its activity is closely associated with the long-running cryptocurrency-focused "Operation AppleJeus" campaign, and MITRE ATT&CK tracks the cluster as group G1049. [1] [2] [7]
UNC4736 is tracked under several names by different cybersecurity organizations. Mandiant uses the designation UNC4736, where "UNC" marks an "uncategorized" cluster that had not yet been merged into a named group at the time of discovery. Microsoft tracks the actor as Citrine Sleet. Other aliases include Labyrinth Chollima, Gleaming Pisces and UNC1720, while Hidden Cobra is the US government's umbrella term for North Korean state cyber activity generally. The name "AppleJeus" refers both to the malware family the group deploys and, in MITRE ATT&CK (group G1049), to the threat cluster itself. [3] [1] [7] [8]
The group is attributed to North Korea's Reconnaissance General Bureau (RGB), specifically Bureau 121. It is considered a sub-cluster of the Lazarus Group and shows significant tactical and infrastructure overlap with another North Korean actor, APT43 (also known as Kimsuky). [4] [2] [8] The primary objective of UNC4736 is to acquire foreign currency by stealing cryptocurrency assets, helping the Democratic People's Republic of Korea (DPRK) circumvent international sanctions and fund its state activities, including its weapons programs. Targets typically include cryptocurrency exchanges, DeFi protocols, venture capital firms, blockchain-based gaming companies, and high-value individuals such as software developers and executives within the industry. [5] [9]
UNC4736 has been linked to some of the most significant and complex cyberattacks against the digital asset industry, demonstrating a continuous evolution in its tactics and technical capabilities.
The "Operation AppleJeus" campaign, first reported publicly in 2018, marked a concerted effort by North Korean actors to target the cryptocurrency industry. The initial campaigns distributed trojanized but functional cryptocurrency trading applications, such as CelasTradePro and UnionCryptoTrader, built for both Windows and macOS; the macOS variants were among the first macOS malware attributed to Lazarus-linked actors. The applications were designed to lure investors and employees at crypto firms and carried backdoors that let the actor conduct surveillance and steal funds. [1] [2] [7]
In one of the most notable supply chain attacks of 2023, UNC4736 was identified as the group behind the compromise of the VoIP software company 3CX. This was a two-stage supply chain attack: it began when a 3CX employee installed a trojanized X_TRADER package downloaded from the legitimate but compromised website of Trading Technologies. The tampered installer dropped the VEILEDSIGNAL backdoor, giving the actors a foothold on the employee's machine, from which they harvested corporate credentials and pivoted into 3CX's network, including over the corporate VPN. [3] [1] [7]
From there, the group compromised 3CX's Windows and macOS build environments and inserted malicious code into signed updates for the 3CX desktop application, which were then distributed to thousands of 3CX customers worldwide. The trojanized update loaded ICONICSTEALER, which harvested browser history, cookies and credentials from every infected host. Against a small number of high-value targets, particularly in the cryptocurrency and defense sectors, the actor then selectively delivered the second-stage Gopuram backdoor. This selective follow-on targeting, on top of broad credential collection, showed a clear focus on espionage and high-value financial theft. [3] [7]
In late August 2024, Microsoft Threat Intelligence reported that Citrine Sleet had been exploiting a zero-day vulnerability in the Chromium browser, with exploitation observed on August 19, 2024, before Google shipped a fix. The attack chain began with social engineering lures, such as fraudulent job offers, directed at blockchain developers. [1] [4]
Targets were directed to an exploit domain, voyagorclub[.]space, which used a type confusion bug in Chromium's V8 JavaScript engine (CVE-2024-7971) to gain code execution inside the sandboxed renderer process. The exploit then chained a Windows kernel vulnerability (CVE-2024-38106) to escape the browser sandbox and obtain SYSTEM privileges. The final payload was an updated version of the FudModule rootkit, loaded directly into memory to establish stealthy persistence and tamper with security tools such as Microsoft Defender, CrowdStrike Falcon and HitmanPro. Citrine Sleet is also known to deploy its AppleJeus trojan to harvest credentials and seize cryptocurrency assets. A practical caveat: CVE-2024-38106 had already been fixed in the August 13, 2024 Windows security update, so hosts current on patches were protected from the privilege escalation even before the V8 fix was available. The campaign nonetheless highlighted the group's ability to acquire and operationalize high-value zero-day exploits. [4] [8]
In October 2024, UNC4736 drained approximately $50 million in cryptocurrency from Radiant Capital, a decentralized finance lending platform. The intrusion began in September 2024 with a social engineering approach on Telegram in which the actor impersonated a former contractor to build trust with a Radiant developer. The developer was eventually tricked into downloading a malicious ZIP archive purporting to contain a PDF report. [6] [9]
The archive delivered INLETDRIFT, a macOS backdoor that gave the group a foothold on the developer's machine. From there the group moved laterally to additional developer devices, ultimately compromising three of Radiant's multisig signers. According to Radiant's post-mortem, the compromised workstations displayed benign-looking transaction data in the wallet front-end while the hardware wallets actually signed transactions that transferred ownership of the lending pool contracts to the attacker; the transaction simulation failures that surfaced along the way were dismissed as routine. On October 16, 2024 the attacker used that control to drain Radiant's markets on Arbitrum and BNB Smart Chain (formerly Binance Smart Chain). The group was noted to operate through third-party intermediaries with meticulously crafted identities designed to pass due diligence checks, and the attack's success despite standard transaction simulations underscores how deceptive and evasive its tradecraft is. [6] [9]
On April 1, 2026, the Solana-based decentralized exchange Drift Protocol announced a catastrophic exploit resulting in the loss of approximately $285 million. The operation had been prepared well in advance, with the attackers reportedly spending roughly $1 million to establish legitimacy before striking. The core of the attack was not a smart contract flaw but the social engineering of multisig signers: one contributor was compromised after cloning a malicious code repository, while another was manipulated into installing a malicious TestFlight application. [12] [11] [10]
To execute the exploit, the attackers used the compromised signer access to create a fictitious token (CarbonVote Token, or CVT) and pushed through pre-signed transactions listing it as accepted collateral. Wash trading then manufactured an artificial price history, tricking Drift's oracles into valuing the worthless token at hundreds of millions of dollars. On April 1, this manipulation let them borrow against the fake collateral and drain approximately $285 million in real assets such as USDC and JLP. On-chain analysis tied the initial funding of the attack to a withdrawal from the sanctioned mixer Tornado Cash and showed the stolen funds being rapidly bridged from Solana to Ethereum after the heist. [11] [5] [12]
UNC4736 employs a diverse and sophisticated set of TTPs, blending patient social engineering with high-end technical tradecraft. The patterns below are drawn from the campaigns described above.
Reconnaissance and social engineering. Operations are preceded by meticulous target research and long-running rapport building: impersonating former contractors on Telegram, sending fraudulent job offers to blockchain developers, and working through intermediaries with fabricated identities crafted to survive due diligence checks.
Initial access. Entry vectors include trojanized but functional cryptocurrency applications, upstream supply chain compromises (the tampered X_TRADER installer in the 3CX case), malicious ZIP archives, code repositories and TestFlight builds delivered to developers, and browser zero-day exploitation from attacker-controlled domains.
Post-compromise. Once inside, the group harvests credentials and moves laterally across developer workstations, abuses signed binaries and in-memory loading to evade detection, deploys kernel-level rootkits that tamper with EDR, communicates through process injection and named pipes, and reserves second-stage payloads for a small set of high-value victims.
UNC4736 has demonstrated proficiency in blockchain-specific attack vectors. One is collateral oracle manipulation: the group creates a fictitious token, generates an artificial price history through wash trading on liquidity it controls, and lets the protocol's oracle register a high value for the worthless asset, which is then posted as collateral to borrow real assets. This was the core of the Drift Protocol exploit. The group has also abused Solana durable nonces (the "durable nonce attack"): a transaction signed by a victim under a plausible pretext would normally expire once its recent blockhash ages out, but a durable-nonce transaction stays valid indefinitely, letting the attacker broadcast it at a much later, more opportune time. [5] [11] [12]
UNC4736 employs aggressive and rapid on-chain money laundering techniques to obscure the origin and destination of stolen funds. This includes using sanctioned cryptocurrency mixers such as Tornado Cash, not only for laundering after a heist but also for sourcing the initial funding of an operation, which hides the attack's origins. After an exploit, the group moves quickly to bridge stolen assets across blockchains (for example from Solana to Ethereum) in large, individual transactions. It also uses peel chains, in which a large balance is moved through a long series of hops, each splitting off a small amount to a fresh wallet while the bulk continues onward, to fragment the on-chain trail and complicate tracing. [11]
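The following is an added example, not code from the cited reporting or from any tracing vendor. It models the collateral oracle manipulation described for the Drift Protocol exploit with a toy constant-product pool, shows what a protocol trusting a raw spot oracle would credit as collateral, and then applies two guardrails a lending protocol can use: freezing an asset whose spot price diverges from its time-weighted average, and capping credited collateral at a fraction of the real stablecoin liquidity backing the token. All reserves, balances and parameters are constructed for illustration.

```python
"""Added example (not Drift's or any project's code): a toy model of the
collateral-oracle manipulation described above, plus two guardrails a
lending protocol can apply. All numbers below are constructed."""
from collections import deque


class ConstantProductPool:
    """Minimal x*y=k AMM pairing a worthless token against a USD stablecoin."""

    def __init__(self, token_reserve, stable_reserve):
        self.x = float(token_reserve)   # fake token reserve
        self.y = float(stable_reserve)  # stablecoin reserve (the only real liquidity)

    def spot_price(self):
        return self.y / self.x

    def buy_token(self, stable_in):
        """Swap stablecoin for the token; the price rises as x is drained."""
        k = self.x * self.y
        self.y += stable_in
        tokens_out = self.x - k / self.y
        self.x -= tokens_out
        return tokens_out


class SpotOracle:
    """Naive oracle: reports the pool's current spot price."""

    def __init__(self, pool):
        self.pool = pool

    def price(self):
        return self.pool.spot_price()


class TwapOracle:
    """Time-weighted average over the last `window` observations."""

    def __init__(self, pool, window):
        self.pool = pool
        self.samples = deque(maxlen=window)

    def observe(self):
        self.samples.append(self.pool.spot_price())

    def price(self):
        return sum(self.samples) / len(self.samples)


def naive_collateral_value(balance, oracle):
    """What a protocol trusting a raw spot oracle believes the collateral is worth."""
    return balance * oracle.price()


def guarded_collateral_value(balance, spot, twap, pool,
                             max_deviation=0.10, depth_factor=0.5):
    """Two guardrails: freeze the asset when spot diverges from TWAP, and never
    credit more collateral than a fraction of the pool's real stablecoin depth."""
    p_spot, p_twap = spot.price(), twap.price()
    if abs(p_spot - p_twap) / p_twap > max_deviation:
        raise ValueError("spot price deviates from TWAP; collateral frozen")
    return min(balance * p_twap, depth_factor * pool.y)


def run_manipulation():
    # Attacker seeds a thin pool: 1,000 fake tokens vs $1,000, so price = $1.
    pool = ConstantProductPool(1_000, 1_000)
    spot, twap = SpotOracle(pool), TwapOracle(pool, window=10)
    for _ in range(10):
        twap.observe()                      # quiet "price history" at $1
    attacker_tokens = 1_000_000             # pre-minted supply held by the attacker
    out = {"naive_before": naive_collateral_value(attacker_tokens, spot)}

    pool.buy_token(99_000)                  # $99k of wash buying -> x=10, y=100k
    out["spot_after"] = spot.price()        # $10,000 per token
    out["naive_after"] = naive_collateral_value(attacker_tokens, spot)  # $10bn on paper
    try:
        guarded_collateral_value(attacker_tokens, spot, twap, pool)
    except ValueError:
        out["guarded_during_spike"] = "frozen"

    for _ in range(10):                     # attacker holds the price for the whole window
        twap.observe()
    out["guarded_sustained"] = guarded_collateral_value(attacker_tokens, spot, twap, pool)
    return out


if __name__ == "__main__":
    for key, value in run_manipulation().items():
        print(f"{key}: {value}")
```

The point of the second guardrail is that a TWAP alone does not help when the attacker owns all the liquidity and can hold the price for as long as the window requires; what bounds the protocol's loss is tying credited collateral to the stablecoin depth it could actually liquidate into, here $50,000 instead of $10 billion.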
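As an added example of turning the laundering patterns above into triage logic (not code from the cited on-chain analyses), the block below runs three heuristics over a constructed transfer ledger: whether an address's first inbound funding came from a mixer, what share of drained value reached a bridge within a few blocks, and whether outbound flows form a peel chain. The addresses, the mixer and bridge labels, and every amount are placeholders constructed for the example.

```python
"""Added example (not from the cited reporting): triage heuristics over a
constructed transfer ledger for mixer-sourced seed funding, rapid bridging
and peel chains. Addresses and amounts are placeholders."""
from collections import namedtuple

Transfer = namedtuple("Transfer", "block src dst amount")

# Hypothetical labels; a real deployment would load sanctioned-mixer and
# bridge contract addresses from a curated, versioned list.
MIXER_ADDRESSES = {"0xMIXER"}
BRIDGE_ADDRESSES = {"0xBRIDGE"}

# Constructed ledger: mixer seed, a drain, an immediate bridge hop and a peel chain.
LEDGER = [
    Transfer(100, "0xMIXER", "0xATTACKER", 10.0),
    Transfer(500, "0xPROTOCOL", "0xATTACKER", 285_000.0),
    Transfer(501, "0xATTACKER", "0xBRIDGE", 200_000.0),
    Transfer(502, "0xATTACKER", "0xP1", 85_000.0),
    Transfer(503, "0xP1", "0xSMALL1", 5_000.0),
    Transfer(503, "0xP1", "0xP2", 80_000.0),
    Transfer(504, "0xP2", "0xSMALL2", 5_000.0),
    Transfer(504, "0xP2", "0xP3", 75_000.0),
    Transfer(505, "0xP3", "0xSMALL3", 5_000.0),
    Transfer(505, "0xP3", "0xP4", 70_000.0),
]


def outgoing(addr, ledger):
    return sorted((t for t in ledger if t.src == addr), key=lambda t: t.block)


def mixer_funded(addr, ledger):
    """True when the address's first-ever inbound transfer came from a mixer."""
    inbound = sorted((t for t in ledger if t.dst == addr), key=lambda t: t.block)
    return bool(inbound) and inbound[0].src in MIXER_ADDRESSES


def bridged_share(addr, ledger, since_block, within_blocks):
    """Fraction of value received at `since_block` that hit a bridge within the window."""
    received = sum(t.amount for t in ledger if t.dst == addr and t.block == since_block)
    bridged = sum(t.amount for t in outgoing(addr, ledger)
                  if t.dst in BRIDGE_ADDRESSES
                  and since_block < t.block <= since_block + within_blocks)
    return bridged / received if received else 0.0


def follow_peel_chain(start, ledger, min_ratio=0.8):
    """Follow hops where one output carries >= min_ratio of the value sent and at
    least one smaller 'peel' goes elsewhere; returns the chain of addresses."""
    chain, current, seen = [start], start, {start}
    while True:
        outs = outgoing(current, ledger)
        if len(outs) < 2:
            break
        total = sum(t.amount for t in outs)
        biggest = max(outs, key=lambda t: t.amount)
        if biggest.amount / total < min_ratio or biggest.dst in seen:
            break
        current = biggest.dst
        seen.add(current)
        chain.append(current)
    return chain


def triage(addr, ledger, drain_block, min_hops=3):
    """Summarise the indicators for one address; returns a dict of findings."""
    findings = {"mixer_funded": mixer_funded(addr, ledger),
                "bridged_within_5_blocks": bridged_share(addr, ledger, drain_block, 5),
                "peel_chains": []}
    for t in outgoing(addr, ledger):
        chain = follow_peel_chain(t.dst, ledger)
        if len(chain) - 1 >= min_hops:
            findings["peel_chains"].append(chain)
    return findings


if __name__ == "__main__":
    print(triage("0xATTACKER", LEDGER, drain_block=500))
```

On this ledger the attacker address is flagged on all three counts: its first inbound transfer is from the mixer, about 70% of the drained value reaches the bridge one block after the drain, and the remainder walks a three-hop peel chain. The ratio threshold and minimum hop count are tuning knobs; real ledgers need them set against legitimate exchange hot-wallet behaviour, which can look similar.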
UNC4736 utilizes a mix of custom, shared, and open-source tools in its operations.
| Tool Name | Type | Description |
|---|---|---|
| AppleJeus (ATT&CK S0584) | Malware Family | Umbrella name for the backdoors delivered via trojanized cryptocurrency applications; deployed as a final payload to steal crypto assets. [7] |
| Gopuram | Backdoor | A sophisticated second-stage backdoor deployed on high-value targets for persistence and data theft. [3] |
| POOLRAT | Backdoor | macOS backdoor (previously tracked as SIMPLESEA) deployed on 3CX's macOS build environment for persistence. [1] [7] |
| TAXHAUL | Backdoor | Windows DLL backdoor (also called TxRLoader) deployed on 3CX's internal systems; it persists via DLL search-order hijacking and decrypts and loads the COLDCAT downloader. [1] |
| FudModule Rootkit | Rootkit | A data-only Windows kernel rootkit used for persistence and defense evasion. An updated version can disrupt protected processes of security tools such as Microsoft Defender, CrowdStrike Falcon and HitmanPro. [4] [8] |
| ICONICSTEALER | Information Stealer | A tool deployed during the 3CX incident to exfiltrate browser history, cookies, and credentials from infected systems. [3] [7] |
| InletDrift | macOS Malware | A custom malware variant used in the Radiant Capital heist to create a backdoor on a developer's system. [6] |
| VEILEDSIGNAL | Backdoor | Multi-stage modular backdoor that communicates via process injection and Windows named pipes; delivered by the trojanized X_TRADER installer that provided the initial foothold in the 3CX compromise. [1] [7] |
| Kaolin RAT | Remote Access Trojan | A RAT that serves as a loader for other payloads, including the FudModule rootkit. [4] |
| RustBucket | Malware Toolchain | A multi-stage malware framework written in Rust, indicating a modernization of the group's toolset. [2] |
| SigFlip | Post-Exploitation Tool | Embeds code inside the Authenticode certificate table of a signed PE, where the bytes are not covered by the signature hash (the lax validation tracked as CVE-2013-3900), so the file still appears validly signed; the same technique was used to hide the payload in a Microsoft-signed DLL in the 3CX compromise. [3] |
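An added example (not from the cited reporting or any vendor tool) of checking for the artifact SigFlip leaves behind: a WIN_CERTIFICATE entry whose declared length exceeds the DER-encoded PKCS#7 blob inside it by more than alignment padding. The PE below is constructed in code with a dummy signature body, so the check can run offline; the parser reads the security data directory, walks the certificate entries and reports the slack.

```python
"""Added example (not from the cited reporting or any vendor tool): detect the
artifact the SigFlip technique leaves behind, extra bytes inside a signed PE's
Authenticode certificate table that the signature hash does not cover. The PE
built here is a constructed stand-in with a dummy PKCS#7 blob."""
import struct

PADDING_SLACK = 8   # up to 7 bytes of 8-byte alignment padding is normal


def der_total_length(blob):
    """Length of the outer DER element (tag + length bytes + content)."""
    if len(blob) < 2 or blob[0] != 0x30:            # PKCS#7 SignedData is a SEQUENCE
        raise ValueError("certificate blob does not start with a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:                                 # short-form length
        return 2 + first
    n = first & 0x7F                                 # long form: n length bytes follow
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def scan_certificate_table(pe):
    """Walk WIN_CERTIFICATE entries; report dwLength vs. the DER length of each blob."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 24                               # after PE signature + COFF header
    pe32plus = struct.unpack_from("<H", pe, opt)[0] == 0x20B
    n_dirs = struct.unpack_from("<I", pe, opt + (108 if pe32plus else 92))[0]
    if n_dirs <= 4:
        return []                                     # no security directory present
    dirs = opt + (112 if pe32plus else 96)
    sec_off, sec_size = struct.unpack_from("<II", pe, dirs + 4 * 8)   # entry 4 = security
    entries, pos = [], sec_off
    while sec_off and pos + 8 <= sec_off + sec_size:
        dw_len, revision, cert_type = struct.unpack_from("<IHH", pe, pos)
        blob = pe[pos + 8:pos + dw_len]
        der_len = der_total_length(blob)
        entries.append({"offset": pos, "dwLength": dw_len, "type": cert_type,
                        "der_length": der_len, "slack": dw_len - 8 - der_len})
        pos += (dw_len + 7) & ~7                       # entries are 8-byte aligned
    return entries


def is_suspicious(pe):
    """True if any certificate entry carries more trailing data than padding explains."""
    return any(e["slack"] >= PADDING_SLACK for e in scan_certificate_table(pe))


def build_signed_pe(appended=b""):
    """Constructed PE32+ with a dummy signature; `appended` mimics SigFlip's payload."""
    body = b"\x00" * 300                               # stand-in for PKCS#7 SignedData content
    der = b"\x30\x82" + struct.pack(">H", len(body)) + body
    blob = der + appended
    entry = struct.pack("<IHH", 0, 0x0200, 0x0002) + blob
    entry += b"\x00" * (-len(entry) % 8)              # pad to an 8-byte boundary
    entry = struct.pack("<I", len(entry)) + entry[4:]  # dwLength covers the padded entry
    cert_off = 64 + 4 + 20 + 240                       # DOS + "PE\0\0" + COFF + PE32+ optional
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64)  # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)              # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)               # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 4 * 8, cert_off, len(entry))
    return dos + b"PE\0\0" + coff + bytes(opt) + entry


if __name__ == "__main__":
    print("clean:", scan_certificate_table(build_signed_pe()))
    print("sigflip:", scan_certificate_table(build_signed_pe(b"\x90" * 256)))
```

Two caveats for real files: legitimately signed binaries carry a few bytes of zero padding after the DER blob, which is why the threshold tolerates up to 7 bytes, and the Windows-side mitigation for this class of tampering (the stricter padding check Microsoft shipped for CVE-2013-3900) is opt-in via the EnableCertPaddingCheck registry value, so a validly verifying signature alone is not evidence that the certificate table is clean.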
UNC4736/Citrine Sleet, tracked by MITRE ATT&CK as G1049 (with AppleJeus as an alias) and known by other names such as Labyrinth Chollima and Gleaming Pisces, operates within a complex ecosystem of North Korean state-sponsored threat actors. The group is widely considered a subgroup or activity cluster under the umbrella of the Lazarus Group and is also associated with TEMP.Hermit. Its toolset and infrastructure overlap with other North Korean actors, most notably Diamond Sleet, with which it shares the FudModule rootkit. In at least one instance, a target of Citrine Sleet had previously been targeted by another group, Sapphire Sleet, suggesting overlapping targeting priorities or coordination among different DPRK hacking units. [4] [6] [7] [8]