Citrine Sleet / AppleJeus

2018-06-01

AppleJeus malware samples dated June–August 2018 deployed against a cryptocurrency exchange in Asia via trojanized 'Celas Trade Pro' application from fake company 'Celas LLC.' First documented macOS malware deployment by Lazarus Group.

2018-08-23

Kaspersky Lab publicly discloses Operation AppleJeus, attributing trojanized cryptocurrency trading software to the Lazarus Group.

2019-09-13

OFAC formally sanctions the Lazarus Group as an agency or instrumentality of the Government of the DPRK.

2021-02-17

CISA, FBI, and the Department of the Treasury issue joint advisory AA21-048A documenting seven AppleJeus malware variants and associated fake cryptocurrency trading companies targeting organizations in over 30 countries.

2022-02-01

Trading Technologies website compromised via hidden IFRAME exploit (CVE-2022-0609); X_TRADER software trojanized with VEILEDSIGNAL backdoor, initiating the 3CX supply chain attack chain.

2022-12-01

Volexity documents additional AppleJeus variants including 'BloxHolder' fake trading platform distributing updated malware.

2023-03-01

3CX DesktopApp supply chain compromise discovered; malicious versions 18.12.416 and earlier found to deliver SUDDENICON and ICONICSTEALER to enterprise users globally.

2023-04-20

Mandiant publishes full 3CX supply chain compromise analysis, attributing the cascading attack to UNC4736 with high confidence of North Korean nexus.

2024-02-01

Malicious Python packages (real-ids, coloredtxt, beautifultext, minisound) containing PondRAT backdoor uploaded to PyPI, attributed to Gleaming Pisces (Citrine Sleet) by Palo Alto Networks Unit 42.

2024-08-13

Microsoft patches CVE-2024-38106 (Windows kernel vulnerability) as part of August Patch Tuesday.

2024-08-19

Microsoft identifies Citrine Sleet actively exploiting Chromium zero-day CVE-2024-7971 (V8 type confusion, CVSS 8.8) to deliver FudModule rootkit via exploit domain voyagorclub[.]space.

2024-08-21

Google releases Chrome patch for CVE-2024-7971.

2024-08-30

Microsoft publicly publishes Citrine Sleet CVE-2024-7971 / FudModule rootkit analysis.

2024-09-11

UNC4736 operatives send malicious ZIP file via Telegram to Radiant Capital developers, impersonating a former contractor and delivering INLETDRIFT macOS backdoor inside a PDF.

2024-09-01

Palo Alto Networks Unit 42 publishes Gleaming Pisces / PondRAT poisoned Python packages campaign analysis.

2024-10-16

UNC4736 (Citrine Sleet) exploits compromised Radiant Capital developer devices to drain approximately $50 million from the cross-chain DeFi protocol. Three developers' multisig keys are used to approve fraudulent transactions.

2024-12-09

Radiant Capital publicly attributes the October 2024 $50 million exploit to UNC4736 (Citrine Sleet) following Mandiant investigation.

2025-10-01

Citrine Sleet operatives begin approaching Drift Protocol contributors at major cryptocurrency conferences, presenting as employees of a quantitative trading firm. Six-month social engineering operation commences.

2025-12-01

Attackers onboard an Ecosystem Vault on Drift Protocol, depositing over $1 million in real capital to establish legitimacy and begin formal integration discussions.

2026-02-01

Drift operatives continue in-person meetings with contributors across multiple countries, sharing malicious links and ultimately compromising contributor devices via malicious VSCode project (tasks.json exploit) and a TestFlight iOS application.

2026-04-01

Attackers execute durable nonce attack on Drift Protocol using pre-signed multisig transactions dormant for over one week, draining approximately $285 million in user assets in roughly twelve minutes. Telegram channels and malware are immediately deleted.

2026-04-05

Drift Protocol publishes post-mortem attributing attack to UNC4736 (Citrine Sleet) with medium confidence based on on-chain fund flows to Radiant Capital addresses. Mandiant and law enforcement engaged.