Infamous North Korean hacking outfit Lazarus is targeting cryptocurrency traders with a new malware campaign dubbed “Operation AppleJeus.”

Uncovered by security researchers at Kaspersky Lab and publicized Thursday, the campaign was first detected during an investigation into a hack of an unnamed Asian cryptocurrency exchange and involved Lazarus distributing software infected with a trojan virus to exchange customers. The researchers said the software, a cryptocurrency trading applications, had been recommended to the company over email.

The weaponized software was found to include a malware suite called “FallChill” that opens a series of backdoors to bypass authentication that give Lazarus the ability to take control of the victim’s computer to steal data and cryptocurrency.

What’s interesting about the campaign is that it came not only in a version that targeted Windows but in macOS as well, hence the name AppleJeus. “The fact that the Lazarus group has expanded its list of targeted operating systems should be a wake-up call for users of non-Windows platforms,” the researchers note.

They speculate that the move by Lazarus to target macOS and potentially in the future Linux systems is recognition that non-Windows computers offer plentiful opportunities because users tend to be far more complacent when it comes to security.

The other interesting aspect of the campaign is that the software suggested to the cryptocurrency exchanges users, called Cellas Pro, came signed with a legitimate security certificate. That begs the question as to whether the software itself came first, or Lazarus designed it complete with trojan capability. Hackers creating fake software isn’t new, but it is somewhat rare, and the researchers have been unable to ascertain the order of events.

Lazarus was last in the new back in February when it launched a hacking campaign targeting banks and bitcoin users. That campaign, dubbed HaoBao, involved the North Korean hackers pretending to be from a Hong Kong-based recruitment firm. Email attachments that were clicked on installed malware that could also steal data and cryptocurrency account details.

Image: Kaspersky