Security Experts:

Connect with us

Hi, what are you looking for?



Multi-Platform Malware Framework Linked to North Korean Hackers

Kaspersky’s security researchers have identified a multi-platform malware framework that they believe North Korea-linked hackers have been leveraging in attacks over the past couple of years.

Kaspersky’s security researchers have identified a multi-platform malware framework that they believe North Korea-linked hackers have been leveraging in attacks over the past couple of years.

Called MATA, the platform appears to have been in use since spring 2018 to target computers running Windows, Linux, and macOS. The framework, which consists of components such as a loader, an orchestrator, and plugins, is believed to be linked to the prolific North Korean hacking group Lazarus.

Active since 2009 or earlier and also referred to as Hidden Cobra, Lazarus has been associated with various high-profile attacks, including the WannaCry outbreak in 2017. More recently, the group was observed targeting cryptocurrency exchanges.

Lazarus is known for both cyber-espionage and financially-motivated attacks, and was previously observed targeting banks in campaigns such as ATMDtrack and AppleJeus. Activity involving the MATA platform shows that the threat actor continues this type of attacks.

Based on discovered artifacts, Kaspersky assesses that MATA has been used in assaults on corporate entities worldwide since April 2018, aimed at stealing information such as customer databases, but also leveraged to distribute ransomware.

Victims of the framework are located in Germany, India, Japan, Korea, Poland, and Turkey. The attacks showed that the threat actor hasn’t been focused on a single industry, but targeted multiple sectors, including software development, e-commerce, and an internet service provider.

Analysis of the MATA orchestrator revealed unique filenames previously seen in several variants of the Manuscrypt malware family, and shares a configuration structure similar to that of Manuscrypt, which Kaspersky considered to be evidence of ties with Lazarus.

“Writing malware for Linux and macOS systems often indicates that the attacker feels that he has more than enough tools for the Windows platform, which the overwhelming majority of devices are run on. This approach is typically found among mature APT groups. We expect the MATA framework to be developed even further and advise organizations to pay more attention to the security of their data, as it remains one of the key and most valuable resources that could be affected,” Seongsu Park, senior security researcher at Kaspersky, commented.

Related: North Korean Hackers Release Mac Variant of Dacls RAT

Related: Magecart Attacks on Claire’s and Other U.S. Stores Linked to North Korea

Related: North Korean Hackers Continue to Target Cryptocurrency Exchanges

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


FBI says a North Korea-linked threat group known as Lazarus and APT38 is behind the $100 million Horizon bridge cryptocurrency heist.