North Korean Hackers Unleash New ‘Durian’ Malware to Target South Korean Crypto Firms, Reveals Kaspersky Report

By Ben Knight May 15, 2024 In Cryptocurrency, Hackers, Korea
Cyber Attacks Risk From North Koreans 3d Illustration. Shows Threat By North Korea And Ransomware Or Online Cybercrime Security Crime Against Web Protection
  • North Korea’s cyberwar on South Korea has intensified, with Lazarus Group – one of the world’s largest hacking groups – being responsible for ~16% of all lost funds in 2023.
  • A potential associate group, Kimsuky, has also been actively targeting South Korean crypto software developers.
  • The criminals use malware called “Durian” to gain backdoor access to servers, allowing them to install additional programs and steal passwords and other data.

North Korea has ramped up cyberattacks on their southern neighbours, according to a report from cybersecurity analysts Kaspersky. The most prominent North Korean hackers, Lazarus Group, were prolific throughout 2023, stealing approximately US$309m (AU$466m). 

This made them responsible for about 1/6th of all money lost due to cybercrime last year. However, this time around, Kaspersky believes it’s another group of cybercriminals responsible for targeting South Korea’s crypto sector – though they may be connected.      

Related: Australian Federal Court Finds BPS Financial Guilty of Unlicensed Conduct With ‘Qoin Wallet’

Durian Malware Used to Access Passwords

When discussing cybercrime, it can get a little technical, so we’ll try to make it as straightforward as possible. 


Essentially, a North Korean group which operates under the handle “Kimsuky” began targeting South Korean crypto companies in late 2023-early 2024. The consortium attacked crypto developers, using “legitimate programs” to find a connection into the servers. 

Kimsuky would then use the malware dubbed “Durian”, which was the next step in the process. Specifically, Durian would create a backdoor that granted the hackers significant control – including the ability to manipulate the opening and execution of .exe programs. 

Finally, Durian would be used to install additional malware and other necessary programs, including “AppleSeed” and Chrome Remote Desktop. The combination of these specific tools allowed Kimsuky to skim data from the South Korean company’s servers, including login/password info and cookies.

Interestingly, the report also noted that the hackers used “LazyLoad”, a “custom proxy tool” which has historic links to Lazarus Group. It’s possible that the two consortiums are related in some way, but still operate independently.  

Get the most important crypto news delivered to your inbox by subscribing to the CNA newsletter

Ben Knight

Ben Knight

Ben Knight is a writer and editor from Melbourne with a passion for all things music and finance. He enjoys turning complex topics – especially the technical details of cryptocurrency – into digestible bites that anybody can understand. He acquired his Master’s in Writing, Editing and Publishing from RMIT in 2019 and has run his own creative writing business ever since.

You may also like