Connect with us

Hi, what are you looking for?



Multi-Platform Malware Framework Linked to North Korean Hackers

Kaspersky’s security researchers have identified a multi-platform malware framework that they believe North Korea-linked hackers have been leveraging in attacks over the past couple of years.

Kaspersky’s security researchers have identified a multi-platform malware framework that they believe North Korea-linked hackers have been leveraging in attacks over the past couple of years.

Called MATA, the platform appears to have been in use since spring 2018 to target computers running Windows, Linux, and macOS. The framework, which consists of components such as a loader, an orchestrator, and plugins, is believed to be linked to the prolific North Korean hacking group Lazarus.

Active since 2009 or earlier and also referred to as Hidden Cobra, Lazarus has been associated with various high-profile attacks, including the WannaCry outbreak in 2017. More recently, the group was observed targeting cryptocurrency exchanges.

Lazarus is known for both cyber-espionage and financially-motivated attacks, and was previously observed targeting banks in campaigns such as ATMDtrack and AppleJeus. Activity involving the MATA platform shows that the threat actor continues this type of attacks.

Based on discovered artifacts, Kaspersky assesses that MATA has been used in assaults on corporate entities worldwide since April 2018, aimed at stealing information such as customer databases, but also leveraged to distribute ransomware.

Victims of the framework are located in Germany, India, Japan, Korea, Poland, and Turkey. The attacks showed that the threat actor hasn’t been focused on a single industry, but targeted multiple sectors, including software development, e-commerce, and an internet service provider.

Analysis of the MATA orchestrator revealed unique filenames previously seen in several variants of the Manuscrypt malware family, and shares a configuration structure similar to that of Manuscrypt, which Kaspersky considered to be evidence of ties with Lazarus.

“Writing malware for Linux and macOS systems often indicates that the attacker feels that he has more than enough tools for the Windows platform, which the overwhelming majority of devices are run on. This approach is typically found among mature APT groups. We expect the MATA framework to be developed even further and advise organizations to pay more attention to the security of their data, as it remains one of the key and most valuable resources that could be affected,” Seongsu Park, senior security researcher at Kaspersky, commented.

Advertisement. Scroll to continue reading.

Related: North Korean Hackers Release Mac Variant of Dacls RAT

Related: Magecart Attacks on Claire’s and Other U.S. Stores Linked to North Korea

Related: North Korean Hackers Continue to Target Cryptocurrency Exchanges

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.