Also Known As: Citrine Sleet, AppleJeus, Golden Chollima, Gleaming Pisces, Labyrinth Chollima, Nickel Academy, Hidden Cobra
Attribution: Bureau 121, Reconnaissance General Bureau (RGB), Democratic People’s Republic of Korea
First Observed: 2018
Primary Operations: Cryptocurrency theft, supply chain compromise, social engineering, DeFi governance attacks
UNC4736 is a North Korean state-sponsored threat actor attributed to Bureau 121 of the Reconnaissance General Bureau, the same directorate responsible for some of North Korea’s most damaging cyberattacks. Operating since at least 2018, the group is primarily focused on cryptocurrency theft to generate revenue for the North Korean regime. It is tracked across the security industry under multiple names: Microsoft calls it Citrine Sleet, Mandiant uses UNC4736, CISA references it as AppleJeus, and CrowdStrike tracks it as Golden Chollima and Gleaming Pisces. The group is assessed to be a sub-cluster within the broader Lazarus Group umbrella, sharing tooling and infrastructure with other DPRK-affiliated threat clusters including Diamond Sleet and TEMP.Hermit.
Origins and Mission
UNC4736’s primary mission is financial. Unlike North Korean espionage clusters that target governments and defense contractors for intelligence, UNC4736 focuses almost exclusively on cryptocurrency platforms, DeFi protocols, fintech firms, and individuals managing digital assets. The proceeds from its operations are believed to fund the North Korean regime’s weapons programs and other state priorities. CISA has documented the group using its custom AppleJeus malware to steal cryptocurrency from victims in more than 30 countries.
The group’s members are reportedly trained in Shenyang, China in malware development and intelligence operations. Its activities share significant infrastructure and tooling overlap with other financially motivated North Korean clusters, and the boundaries between UNC4736 and groups like BlueNoroff have historically been blurred, with AppleJeus malware attributed to both at different points in time.
Signature Tactics
UNC4736 consistently relies on long-running social engineering operations as its primary initial access method. The group invests heavily in building convincing personas — fake trading firms, fictitious job recruiters, fraudulent cryptocurrency wallet developers — and uses these identities to establish genuine relationships with targets before delivering malware. Crucially, the individuals who appear in person at industry events or hold video calls with targets are typically not North Korean nationals. The group deploys third-party intermediaries with fully constructed professional identities, employment histories, and social networks specifically built to withstand due diligence checks.
Once a target has been socially engineered into interacting with a malicious artifact — a trojanized application, a malicious code repository, or a weaponized document — UNC4736 deploys malware designed to harvest credentials, capture private keys, and establish persistent backdoor access. The group then uses that access to drain cryptocurrency wallets or, in more complex operations, to compromise the governance infrastructure of DeFi protocols.
Key Operations
X_TRADER / 3CX Supply Chain Compromise (2022–2023) — UNC4736’s most technically sophisticated documented operation involved a cascading double supply chain attack, the first of its kind publicly reported. The group compromised the website of Trading Technologies, injecting a backdoor called VEILEDSIGNAL into the installer for X_TRADER, a retired financial trading application. A 3CX employee downloaded the trojanized installer in April 2022, giving UNC4736 access to the employee’s device and corporate credentials. The group then used that access to compromise 3CX’s Windows and macOS build environments, inserting malware into the legitimate 3CX DesktopApp used by more than 600,000 businesses and 12 million users globally. The compromised application delivered an infostealer called ICONICSTEALER targeting browser data. Subsequent targeting focused on cryptocurrency and defense sector victims. Mandiant attributed the operation to UNC4736 with moderate confidence in April 2023.
Radiant Capital ($53 Million, October 2024) — On September 11, 2024, a Radiant Capital developer received a Telegram message from what appeared to be a trusted former contractor seeking feedback on smart contract auditing work. The message contained a ZIP file delivering INLETDRIFT, a macOS backdoor that displayed a convincing decoy PDF while establishing persistent access via an AppleScript communicating with attacker-controlled infrastructure. The attacker compromised at least 3 of Radiant’s 11 multisig signers and used that access to display legitimate-looking transaction data on the Gnosis Safe frontend while submitting malicious transactions to the signers’ hardware wallets in the background. On October 16, 2024, the attackers executed malicious contracts they had staged roughly 3 weeks earlier, draining approximately $53 million across BNB Chain and Arbitrum. Mandiant attributed the attack to UNC4736 with high confidence based on device forensics and on-chain fund flows.
Drift Protocol ($285 Million, April 2026) — The most financially damaging operation attributed to UNC4736 to date began in the fall of 2025, when individuals presenting as a quantitative trading firm approached Drift Protocol contributors at a major crypto industry conference. Over 6 months, the group built genuine relationships with Drift contributors at multiple events across several countries, deposited more than $1 million of their own capital into a Drift Ecosystem Vault, and participated in working sessions with the development team. The individuals who appeared in person were intermediaries, not North Korean nationals. Two Drift contributors were compromised through a malicious TestFlight application and a malicious code repository that exploited a known vulnerability in VS Code and Cursor. The group used the resulting device access to socially engineer 2 of 5 Security Council multisig signers into pre-approving transactions via Solana durable nonces. On April 1, 2026, attackers seized protocol-level control and drained $285 million in approximately 10 seconds. SEAL 911 and Mandiant attributed the operation to UNC4736 with medium-high confidence based on on-chain fund flows connecting the attack to the Radiant Capital wallets. BreachNews covered the Drift Protocol attack in full.
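The durable-nonce pre-approval described above is detectable at signing time: a Solana durable-nonce transaction carries a System Program AdvanceNonceAccount instruction in position 0 and, unlike a normal transaction, never expires, so a signature collected today can be submitted weeks later. The following check is an added example written for this profile, not code from Drift, Mandiant or SEAL 911; it parses the documented Solana legacy/v0 message layout in pure Python, and the account keys in the sample message are constructed values.

```python
import struct
SYSTEM_PROGRAM = bytes(32)                    # base58 "11111111111111111111111111111111"
ADVANCE_NONCE_ACCOUNT = struct.pack("<I", 4)  # SystemInstruction enum variant 4

def _compact_u16(data: bytes, pos: int):
    """Decode Solana's compact-u16 length prefix; returns (value, new_pos)."""
    value, shift = 0, 0
    while True:
        byte, pos = data[pos], pos + 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7

def parse_message(msg: bytes):
    """Return (static account keys, instructions) from a serialized legacy or v0 message."""
    pos = 1 if msg[0] & 0x80 else 0           # v0 messages carry a version prefix byte
    pos += 3                                  # header: num sigs, readonly signed, readonly unsigned
    n_keys, pos = _compact_u16(msg, pos)
    keys = [msg[pos + 32 * i:pos + 32 * (i + 1)] for i in range(n_keys)]
    pos += 32 * n_keys + 32                   # keys, then recent blockhash (the nonce value if durable)
    n_ix, pos = _compact_u16(msg, pos)
    instructions = []
    for _ in range(n_ix):
        program_idx, pos = msg[pos], pos + 1
        n_acc, pos = _compact_u16(msg, pos)
        accounts, pos = list(msg[pos:pos + n_acc]), pos + n_acc
        n_data, pos = _compact_u16(msg, pos)
        data, pos = msg[pos:pos + n_data], pos + n_data
        instructions.append((program_idx, accounts, data))
    return keys, instructions

def uses_durable_nonce(msg: bytes) -> bool:
    """True if instruction 0 is SystemProgram::AdvanceNonceAccount (the durable-nonce marker)."""
    keys, instructions = parse_message(msg)
    if not instructions or instructions[0][0] >= len(keys):
        return False                          # empty, or program resolved via an address lookup table
    program_idx, _accounts, data = instructions[0]
    return keys[program_idx] == SYSTEM_PROGRAM and data == ADVANCE_NONCE_ACCOUNT

def build_message(keys, instructions, blockhash=bytes(32)) -> bytes:
    """Serialize a minimal legacy message; constructed test input only (all lengths < 128)."""
    out = bytearray([1, 0, 1, len(keys)]) + b"".join(keys) + blockhash
    out += bytes([len(instructions)])
    for program_idx, accounts, data in instructions:
        out += bytes([program_idx, len(accounts)]) + bytes(accounts) + bytes([len(data)]) + data
    return bytes(out)

# Constructed sample: signer, nonce account, RecentBlockhashes sysvar, System Program (all placeholder keys).
SAMPLE_KEYS = [b"\x01" * 32, b"\x02" * 32, b"\x03" * 32, SYSTEM_PROGRAM]
SAMPLE_DURABLE = build_message(SAMPLE_KEYS, [(3, [1, 2, 0], ADVANCE_NONCE_ACCOUNT), (3, [0, 1], struct.pack("<IQ", 2, 10**6))])
```

A signer-side wallet or multisig client can run `uses_durable_nonce` on the serialized message and require an explicit second review before approving anything it flags.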
Malware and Tools
UNC4736 has developed and deployed a consistent set of custom malware families across its operations. The AppleJeus trojan, first documented by CISA, is designed to collect information needed to seize cryptocurrency assets and has been delivered through trojanized wallet applications, fake trading software, and fraudulent job offer documents. VEILEDSIGNAL is a modular backdoor used for persistent access and was central to the X_TRADER/3CX supply chain operation. INLETDRIFT is a macOS backdoor deployed in the Radiant Capital operation, notable for its use of AppleScript for C2 communication and its ability to display a convincing decoy PDF to avoid suspicion. The POOLRAT backdoor has been observed in macOS and Linux environments and was identified in the 3CX investigation. The group also shares use of the FudModule rootkit with Diamond Sleet, indicating tooling sharing across DPRK-affiliated clusters.
In 2024, Microsoft observed UNC4736 exploiting CVE-2024-7971, a high-severity type confusion bug in the V8 JavaScript engine, as a zero-day to achieve remote code execution in the Chromium renderer process, followed by a Windows kernel privilege escalation via CVE-2024-38106 to escape the sandbox and load FudModule into memory. This represented the third Chromium zero-day leveraged by North Korean actors that year.
Escalating Sophistication
The progression from the X_TRADER supply chain attack to the Radiant Capital hack to the Drift Protocol operation illustrates a clear trajectory of increasing operational complexity. The X_TRADER operation required compromising a software vendor’s build environment. The Radiant operation refined the social engineering and malware delivery into a targeted, human-focused attack against a small number of multisig signers. The Drift operation combined both approaches at scale — a 6-month in-person intelligence operation, device compromise via multiple vectors, fake token creation, oracle manipulation, and governance hijacking — representing what one independent researcher described as the most elaborate and targeted attack perpetrated by DPRK actors in the crypto space.
A CrowdStrike assessment published in January 2026 described UNC4736 as operating at a “more consistent operational tempo” compared to other DPRK clusters, suggesting it functions as a reliable revenue-generating unit for the regime rather than an opportunistic attacker. The group’s willingness to invest $1 million of its own capital and 6 months of operational time in the Drift operation suggests resource allocation at a level consistent with state backing.
Intelligence and Research References
Primary public documentation on UNC4736 includes Mandiant’s April 2023 report on the 3CX supply chain compromise, Radiant Capital’s December 2024 incident update, Microsoft’s August 2024 report on Citrine Sleet exploiting a Chromium zero-day, and the MITRE ATT&CK entry for AppleJeus (G1049).