SentinelOne reports that DPRK-linked Lazarus Group has been integrating components from the RustBucket and KandyKorn campaigns. The loader historically observed in the RustBucket campaign has been employed in conjunction with the KandyKorn Remote Access Trojan (RAT).
The RustBucket campaign utilized a second-stage malware, named "SwiftLoader," which disguised itself as a PDF Viewer, enticing victims to view a document. The latter was weaponized with SwiftLoader, which, in turn, retrieved and executed a Rust-written stager.
The KandyKorn campaign used malicious Python scripts that dropped malware, subsequently hijacking the Discord app installed on the compromised host and delivering malware—dubbed KandyKorn—written in C++. SwiftLoader now appears to be used to load the KandyKorn RAT, potentially as an evasion technique.