G1049: AppleJeus
AppleJeus is a North Korean state-sponsored threat group attributed to the Reconnaissance General Bureau. Associated with the broader Lazarus Group umbrella of actors, AppleJeus has been active since at least 2018 and is closely aligned in resources with TEMP.hermit, another DPRK-affiliated group under the same umbrella.[1] The group’s primary mission is to generate and launder revenue to provide financial support to the government. AppleJeus primarily targets the cryptocurrency industry and is most notably responsible for the 3CX Supply Chain Attack.[2] The group traditionally deploys malicious cryptocurrency software in combination with Phishing. From these compromised environments, it selectively deploys additional backdoors to enable extended operations against high-value financial targets.[3][4]
Analyst context for executives and security teams
AppleJeus is an ATT&CK group entry for a DPRK-aligned actor set associated with revenue generation and laundering, with emphasis on cryptocurrency targets, phishing, malicious cryptocurrency software, and the 3CX Supply Chain Attack. For leaders, the value is not just attribution: this object points to a business-risk pattern where trusted software, identity access, finance operations, and crypto-related workflows can become the path to theft or prolonged access.
Executive priority
Prioritize this as a resilience and financial-risk scenario, especially if the organization operates in cryptocurrency, financial services, software supply chain, or holds high-value financial access. Executives should ask whether phishing defenses, identity controls, software provenance checks, and financial transaction governance can produce audit-ready evidence during an incident. Because ATT&CK provides no group-level detection guidance here, priority should be placed on validating control coverage against the related behaviors: Phishing and Financial Theft.
Technical view
ATT&CK does not specify AppleJeus platforms or tactics directly, but the relationships tie the group to T1566 Phishing for initial access and T1657 Financial Theft for impact. SOC and IR teams should validate visibility across email and Office Suite activity, identity provider authentication, Linux and macOS endpoints where relevant, SaaS environments, and financial or cryptocurrency transaction systems. Detection engineering should not rely on the group name alone; it should map controls to phishing delivery, suspicious authentication, malicious or unexpected software execution, persistence of backdoors after initial compromise, and anomalous financial movement.
Likely telemetry
- Email security and mail flow logs for phishing messages, links, and attachments
- Identity provider authentication, MFA, session, and conditional access logs
- Office Suite audit logs for suspicious document, link, attachment, or account activity
- Endpoint telemetry from Linux and macOS systems, including process execution, file creation, network connections, and installed software changes
- Software inventory, update, signing, and third-party application provenance records relevant to supply-chain exposure
Detection direction
- Use the AppleJeus aliases supplied by ATT&CK—Gleaming Pisces, Citrine Sleet, UNC1720, and UNC4736—for threat intelligence correlation, but avoid treating alias matches as sufficient evidence of attribution.
- Tune phishing detections around targeted messages, malicious links, and attachments, then correlate with identity-provider sign-ins and endpoint execution on the related platforms.
- Validate that financial-theft monitoring covers SaaS and cryptocurrency or treasury workflows, not only traditional endpoint malware alerts.
- Review software supply-chain monitoring in light of the 3CX campaign reference: confirm whether trusted software update activity, new binaries, and unexpected network behavior are logged and reviewable.
- Account for false positives from legitimate financial operations, software updates, and administrator activity by requiring multi-signal correlation across identity, endpoint, SaaS, and transaction evidence.
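The multi-signal correlation called for above, as an added example that is not part of the ATT&CK or Glexia text: it maps vendor threat-intel tags onto the page's G1049 aliases for comparison only, then clusters constructed email, identity-provider, endpoint, and finance events per user and alerts only when two or more distinct telemetry sources fire inside one window. The event records, the one-hour window, and the two-source threshold are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Optional

# Aliases listed on the ATT&CK page for G1049. Normalizing vendor tags to one
# label lets TI feeds be compared; a match is context, not evidence of attribution.
APPLEJEUS_ALIASES = {"applejeus", "gleaming pisces", "citrine sleet", "unc1720", "unc4736"}


def normalize_actor_alias(tag: str) -> Optional[str]:
    """Return 'G1049' when a vendor tag is one of the page's aliases, else None."""
    return "G1049" if tag.strip().lower() in APPLEJEUS_ALIASES else None


# Constructed sample events (hypothetical, not from any real incident). Each record
# names the telemetry source it came from so the correlator can count distinct sources.
SAMPLE_EVENTS = [
    {"ts": "2025-06-01T09:00:00", "user": "alice", "source": "email",    "detail": "clicked link in flagged message"},
    {"ts": "2025-06-01T09:04:00", "user": "alice", "source": "idp",      "detail": "sign-in from new device, MFA push approved"},
    {"ts": "2025-06-01T09:10:00", "user": "alice", "source": "endpoint", "detail": "unsigned binary executed from ~/Downloads"},
    {"ts": "2025-06-01T09:40:00", "user": "alice", "source": "finance",  "detail": "new withdrawal address added"},
    # bob: a lone finance event is routine treasury activity and must not alert on its own
    {"ts": "2025-06-01T10:00:00", "user": "bob",   "source": "finance",  "detail": "scheduled payroll batch"},
    # carol: email and endpoint signals hours apart, outside the correlation window
    {"ts": "2025-06-01T08:00:00", "user": "carol", "source": "email",    "detail": "clicked link in flagged message"},
    {"ts": "2025-06-01T15:00:00", "user": "carol", "source": "endpoint", "detail": "software update installed"},
]


def correlate(events, window=timedelta(hours=1), min_sources=2):
    """Group events per user and emit one alert per cluster in which at least
    `min_sources` distinct telemetry sources fire within `window` of the
    cluster's earliest event. Single-source activity never alerts, which is
    what keeps legitimate updates and finance operations out of the queue."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append({**e, "ts": datetime.fromisoformat(e["ts"])})

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        i = 0
        while i < len(evs):
            start = evs[i]["ts"]
            # every event within `window` of the anchor belongs to this cluster
            cluster = [e for e in evs[i:] if e["ts"] - start <= window]
            sources = sorted({e["source"] for e in cluster})
            if len(sources) >= min_sources:
                alerts.append({
                    "user": user,
                    "sources": sources,
                    "first_seen": start.isoformat(),
                    "events": len(cluster),
                })
                i += len(cluster)  # consume the cluster so it is not re-alerted
            else:
                i += 1
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
    print(normalize_actor_alias("UNC4736"), normalize_actor_alias("Lazarus Group"))
```

In this run only alice produces an alert, with all four sources in a single cluster; bob's single finance event and carol's widely separated pair are suppressed. A production version would key on a normalized identity (UPN or IdP subject) rather than a short username and would carry the source-specific detail fields through to the analyst.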
Mitigation priorities
- Start with phishing-resistant identity controls, MFA enforcement, and hardened account recovery for users with access to financial, SaaS, or cryptocurrency systems.
- Strengthen email and Office Suite protections for links, attachments, and impersonation while ensuring suspicious-message reporting is connected to SOC triage.
- Limit privileges and require separation of duties for financial movement, cryptocurrency operations, and SaaS administration.
- Improve software supply-chain hygiene through trusted source validation, inventory, update governance, and monitoring of unexpected application behavior.
- Prepare IR playbooks that connect phishing investigation, identity containment, endpoint analysis, SaaS review, and financial transaction hold or reversal procedures.
Analyst notes and limits
This take is based on the official ATT&CK group description, aliases, external references, and relationships to T1566 Phishing and T1657 Financial Theft. The strongest decision value is for organizations with cryptocurrency exposure, financial operations, software supply-chain dependencies, or identity-centric SaaS environments.
ATT&CK provides no group-level platforms, tactics, or detection text for this object. The related technique descriptions provide platform context, but local architecture determines which telemetry is relevant. This summary does not establish current activity, customer exposure, or guaranteed detection coverage.
AppleJeus
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1657 | Financial Theft | AppleJeus has targeted the cryptocurrency industry with the goal of stealing digital assets. (Citation: Mandiant DPRK Groups 2023) |
| Enterprise | T1566 | Phishing | AppleJeus has used spearphishing emails to distribute malicious payloads. (Citation: dtex DPRK 2025 structure ITworkers) |
Groups, software, and campaigns
C0057: 3CX Supply Chain Attack
The 3CX Supply Chain Attack was the first publicly reported case of one supply chain compromise triggering another, leading to a cascading, two-stage intrusion. The initial supply chain attack began when a 3CX employee downloaded and executed a trojanized, end-of-life version of the X_Trader trading software from Trading Technologies. This provided UNC4736, a threat cluster associated with AppleJeus, access to the 3CX environment. From there UNC4736 compromised the Windows and macOS build environments used to distribute the 3CX desktop application to their customers.[1] While 3CX serves more than 600,000 customers and 12 million users, only a subset of systems were affected. Subsequent targeting focused on victims in the defense and cryptocurrency sectors, where attackers deployed secondary payloads such as Gopuram for credential theft and persistence.[2] The campaign began in late 2022 and was disrupted after security vendors publicly reported the compromise in March 2023.[3][4]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 01c7a52de147… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] dtex DPRK 2025 structure ITworkers: Michael “Barni” Barnhart, DTEX, and Anonymous SMEs. (2025, May 14). Exposing DPRK's Cyber Syndicate and Hidden IT Workforce. Retrieved September 3, 2025.
[2] Mandiant 3cx UNC4736 2023: Jeff Johnson, Fred Plan, Adrian Sanchez, Renato Fontana, Jake Nicastro, Dimiter Andonov, Marius Fodoreanu, Daniel Scott. (2023, April 20). 3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise; Suspected North Korean Actor Responsible. Retrieved August 25, 2025.
[3] Mandiant DPRK Groups 2023: Michael Barnhart, Austin Larsen, Jeff Johnson, Taylor Long, Michelle Cantos, Adrian Hernandez. (2023, October 10). Assessed Cyber Structure and Alignments of North Korea in 2023. Retrieved August 25, 2025.
[4] JPCert Blog Laz Subgroups 2025: 佐々木勇人 Hayato Sasaki. (2025, March 25). Tempted to Classifying APT Actors: Practical Challenges of Attribution in the Case of Lazarus’s Subgroup. Retrieved August 25, 2025.
[5] Citrine Sleet (alias). (Citation: Unit42 DPRK Threat Groups 2024)
[6] Gleaming Pisces (alias). (Citation: Unit42 DPRK Threat Groups 2024)
[7] UNC1720 (alias). (Citation: JPCert Blog Laz Subgroups 2025) (Citation: Mandiant DPRK Groups 2023)
[8] UNC4736 (alias). (Citation: dtex DPRK 2025 structure ITworkers) (Citation: Mandiant 3cx UNC4736 2023)
[9] Unit42 DPRK Threat Groups 2024: Unit 42. (2024, September 9). Threat Assessment: North Korean Threat Groups. Retrieved August 25, 2025.
[10] mitre-attack G1049
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.