Threat Actor Profile
High APT
Description

AppleJeus is a North Korean state-sponsored threat group attributed to the Reconnaissance General Bureau. Associated with the broader Lazarus Group umbrella of actors, AppleJeus has been active since at least 2018 and is closely aligned in resources with TEMP.Hermit, another DPRK-affiliated group under the same umbrella.[1] The group’s primary mission is to generate and launder revenue to provide financial support to the government. AppleJeus primarily targets the cryptocurrency industry and is most notably responsible for the 3CX Supply Chain Attack.[2] The group traditionally deploys malicious cryptocurrency software in combination with Phishing. From these compromised environments, it selectively deploys additional backdoors to enable extended operations against high-value financial targets.[3][4] MITRE tracks the group as G1049 with the associated names Gleaming Pisces, Citrine Sleet, UNC1720 and UNC4736.

Confidence Score
100%
Tags
mitre-attack crawled web-source mitre-group
First Seen

Unknown

Last Updated

April 29, 2026

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (20)
T1071 - Application Layer Protocol
Command and Control
T1102 - Web Service
Command and Control
T1573 - Encrypted Channel
Command and Control
T1027 - Obfuscated Files or Information
Defense Evasion
T1055 - Process Injection
Defense Evasion
T1078 - Valid Accounts
Defense Evasion
T1218 - System Binary Proxy Execution
Defense Evasion
T1553 - Subvert Trust Controls
Defense Evasion
T1620 - Reflective Code Loading
Defense Evasion
T1678 - Delay Execution
Defense Evasion
T1217 - Browser Information Discovery
Discovery
T1203 - Exploitation for Client Execution
Execution
T1559 - Inter-Process Communication
Execution
T1657 - Financial Theft
Impact
T1189 - Drive-by Compromise
Initial Access
T1195 - Supply Chain Compromise
Initial Access
T1566 - Phishing
Initial Access
T1543 - Create or Modify System Process
Persistence
T1574 - Hijack Execution Flow
Persistence
T1546 - Event Triggered Execution
Privilege Escalation
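The technique list above is the part of this profile an analyst actually reuses: it gets mapped onto an ATT&CK Navigator layer to compare against detection coverage, or summarised per tactic. The following is an added example (not code from the original page or from any tool the page describes) that parses the two-line-per-technique list exactly as it appears here, rejects a mangled copy instead of silently dropping entries, counts techniques per tactic, and emits a Navigator layer. The technique text is transcribed from the profile as constructed input; the ATT&CK and Navigator version strings in the layer header are assumptions and should be set to the versions you run.

```python
import json
import re
from collections import Counter

# Technique list transcribed from the profile above (constructed input for this
# example): a "Txxxx - Name" line followed by the tactic it is listed under.
TECHNIQUES_TEXT = """
T1071 - Application Layer Protocol
Command and Control
T1102 - Web Service
Command and Control
T1573 - Encrypted Channel
Command and Control
T1027 - Obfuscated Files or Information
Defense Evasion
T1055 - Process Injection
Defense Evasion
T1078 - Valid Accounts
Defense Evasion
T1218 - System Binary Proxy Execution
Defense Evasion
T1553 - Subvert Trust Controls
Defense Evasion
T1620 - Reflective Code Loading
Defense Evasion
T1678 - Delay Execution
Defense Evasion
T1217 - Browser Information Discovery
Discovery
T1203 - Exploitation for Client Execution
Execution
T1559 - Inter-Process Communication
Execution
T1657 - Financial Theft
Impact
T1189 - Drive-by Compromise
Initial Access
T1195 - Supply Chain Compromise
Initial Access
T1566 - Phishing
Initial Access
T1543 - Create or Modify System Process
Persistence
T1574 - Hijack Execution Flow
Persistence
T1546 - Event Triggered Execution
Privilege Escalation
"""

# ATT&CK technique IDs: T plus four digits, optional .nnn sub-technique suffix.
TECH_LINE = re.compile(r"^(T\d{4}(?:\.\d{3})?) - (.+)$")


def parse_techniques(text):
    """Parse the two-line-per-technique list into id/name/tactic dicts.
    A mangled copy (odd line count, or an ID line that is not an ATT&CK
    technique) raises instead of silently producing a layer with holes."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("list must alternate 'ID - Name' and tactic lines")
    techniques = []
    for id_line, tactic in zip(lines[0::2], lines[1::2]):
        match = TECH_LINE.match(id_line)
        if not match:
            raise ValueError(f"not an ATT&CK technique line: {id_line!r}")
        techniques.append({"id": match.group(1), "name": match.group(2), "tactic": tactic})
    return techniques


def tactic_shortname(tactic):
    """'Command and Control' -> 'command-and-control', the form Navigator layers use."""
    return tactic.lower().replace(" ", "-")


def tactic_counts(techniques):
    """Number of the group's techniques listed under each tactic."""
    return dict(Counter(t["tactic"] for t in techniques))


def navigator_layer(techniques, name, description):
    """Build an ATT&CK Navigator layer highlighting the group's techniques.
    The version strings are assumptions for this example; match them to the
    ATT&CK / Navigator versions you actually run."""
    return {
        "name": name,
        "description": description,
        "domain": "enterprise-attack",
        "versions": {"attack": "16", "navigator": "5.1.0", "layer": "4.5"},
        "techniques": [
            {"techniqueID": t["id"], "tactic": tactic_shortname(t["tactic"]),
             "comment": t["name"], "score": 1, "enabled": True}
            for t in techniques
        ],
    }


if __name__ == "__main__":
    techs = parse_techniques(TECHNIQUES_TEXT)
    print(tactic_counts(techs))
    print(json.dumps(navigator_layer(techs, "AppleJeus (G1049)", "From profile"), indent=2))
```

Save the printed JSON and load it through Navigator's "Open Existing Layer" to overlay it on your own coverage layer; the per-tactic counts (seven of the twenty techniques under Defense Evasion, three under Initial Access) are a quick way to see where this group's tradecraft concentrates before comparing against detections.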
STIX Data
{'aliases': [],
 'description': 'AppleJeus is a North Korean state-sponsored threat group '
                'attributed to the Reconnaissance General Bureau. Associated '
                'with the broader Lazarus Group umbrella of actors, AppleJeus '
                'has been active since at least 2018 and is closely aligned '
                'in resources with TEMP.Hermit, another DPRK-affiliated group '
                'under the same umbrella.[1] The group’s primary mission is '
                'to generate and launder revenue to provide financial support '
                'to the government. AppleJeus primarily targets the '
                'cryptocurrency industry and is most notably responsible for '
                'the 3CX Supply Chain Attack.[2] The group traditionally '
                'deploys malicious cryptocurrency software in combination '
                'with Phishing. From these compromised environments, it '
                'selectively deploys additional backdoors to enable extended '
                'operations against high-value financial targets.[3][4]',
 'external_references': [{'external_id': 'G1049',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G1049/'}],
 'id': 'threat-actor--G1049',
 'metadata': {'crawled_at': '2026-04-29T14:32:26.970379+00:00',
              'mitre_group_id': 'G1049',
              'page_title': 'AppleJeus, Gleaming Pisces, Citrine Sleet, '
                            'UNC1720, UNC4736, Group G1049 | MITRE ATT&CK®'},
 'name': 'AppleJeus',
 'type': 'threat-actor'}