Security Experts:

Connect with us

Hi, what are you looking for?



Multi-Platform Malware Framework Linked to North Korean Hackers

Kaspersky’s security researchers have identified a multi-platform malware framework that they believe North Korea-linked hackers have been leveraging in attacks over the past couple of years.

Kaspersky’s security researchers have identified a multi-platform malware framework that they believe North Korea-linked hackers have been leveraging in attacks over the past couple of years.

Called MATA, the platform appears to have been in use since spring 2018 to target computers running Windows, Linux, and macOS. The framework, which consists of components such as a loader, an orchestrator, and plugins, is believed to be linked to the prolific North Korean hacking group Lazarus.

Active since 2009 or earlier and also referred to as Hidden Cobra, Lazarus has been associated with various high-profile attacks, including the WannaCry outbreak in 2017. More recently, the group was observed targeting cryptocurrency exchanges.

Lazarus is known for both cyber-espionage and financially-motivated attacks, and was previously observed targeting banks in campaigns such as ATMDtrack and AppleJeus. Activity involving the MATA platform shows that the threat actor continues this type of attacks.

Based on discovered artifacts, Kaspersky assesses that MATA has been used in assaults on corporate entities worldwide since April 2018, aimed at stealing information such as customer databases, but also leveraged to distribute ransomware.

Victims of the framework are located in Germany, India, Japan, Korea, Poland, and Turkey. The attacks showed that the threat actor hasn’t been focused on a single industry, but targeted multiple sectors, including software development, e-commerce, and an internet service provider.

Analysis of the MATA orchestrator revealed unique filenames previously seen in several variants of the Manuscrypt malware family, and shares a configuration structure similar to that of Manuscrypt, which Kaspersky considered to be evidence of ties with Lazarus.

“Writing malware for Linux and macOS systems often indicates that the attacker feels that he has more than enough tools for the Windows platform, which the overwhelming majority of devices are run on. This approach is typically found among mature APT groups. We expect the MATA framework to be developed even further and advise organizations to pay more attention to the security of their data, as it remains one of the key and most valuable resources that could be affected,” Seongsu Park, senior security researcher at Kaspersky, commented.

Related: North Korean Hackers Release Mac Variant of Dacls RAT

Related: Magecart Attacks on Claire’s and Other U.S. Stores Linked to North Korea

Related: North Korean Hackers Continue to Target Cryptocurrency Exchanges

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.