[TIMESTAMP: 2026-03-09 16:30 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: CRITICAL]

UNC4899 Exploits AirDrop for Crypto Firm Breach — Analysis

CRITICAL Threat Intel  #UNC4899  #Jade Sleet  #macOS-security
AI-Assisted Analysis
READ_TIME: 4 min read
// executive briefing tl;dr
  • [01] UNC4899 compromised a cryptocurrency firm to steal millions by bypassing traditional network perimeters via AirDrop file transfers.
  • [02] Affected systems include macOS devices and cloud infrastructure used by developers within the targeted financial organization.
  • [03] Implement strict mobile device management policies and restrict AirDrop usage on corporate hardware to prevent side-channel infection vectors.

North Korean APT groups continue to demonstrate high levels of creativity in bypassing perimeter defenses. According to The Hacker News, the threat actor UNC4899—also tracked as Jade Sleet and PUKCHONG—successfully breached a major cryptocurrency firm in 2025. This incident highlights a shift toward using consumer features like AirDrop to bridge the security gap between personal and corporate environments, allowing attackers to bypass sophisticated network monitoring.

UNC4899 is believed to be a sub-group or closely related to the Lazarus Group, a state-sponsored entity known for large-scale financial theft. The recent campaign targeted a developer within the firm, utilizing social engineering to deliver a trojanized file. However, the method of delivery into the corporate network was unconventional, relying on the physical proximity and convenience of macOS file-sharing features.

Technical Analysis: The AirDrop Infection Vector

The attack sequence began when a developer received a trojanized application on their personal device. To avoid corporate security filters that might flag an external download on a managed asset, the developer utilized AirDrop to transfer the malicious file from their personal MacBook to their work-issued laptop. This action effectively moved the malware across the ‘air gap’ between an unmanaged personal device and a managed corporate asset, circumventing EDR tools that monitor browser-based downloads and email attachments.

Once the developer executed the file on the work machine, the malware established a C2 connection. This initial foothold allowed UNC4899 to carry out further post-compromise activity, including credential harvesting and lateral movement into the firm’s cloud environment. The ultimate goal was the theft of cryptocurrency assets, a recurring objective for North Korean state-sponsored operations aimed at generating revenue for the regime.

UNC4899 Crypto Sector Targeting TTPs

The actor’s focus on the cryptocurrency sector remains relentless. UNC4899 crypto sector targeting TTPs typically involve the distribution of trojanized Python applications, fake job recruitment lures, or modified open-source tools. By leveraging the developer’s trust in their own personal hardware, the actor successfully exploited the human element of the Zero Trust architecture. The use of AirDrop as a delivery mechanism demonstrates that even the most secure network perimeters can be rendered irrelevant if endpoint sharing features are not strictly controlled.

Analysis of the malware samples suggests the use of sophisticated obfuscation techniques to avoid detection by signature-based antivirus solutions. The campaign fits within the broader MITRE ATT&CK framework, specifically involving T1566 (Phishing) and T1091 (Replication Through Removable Media), though adapted for wireless peer-to-peer protocols.

Detecting and Mitigating Side-Channel Attacks

Defenders must recognize that traditional network security focuses heavily on the ‘North-South’ and ‘East-West’ traffic within the data center, often overlooking peer-to-peer wireless transfers at the office or remote work locations.

How to detect UNC4899 malware infection

Organizations can improve their detection capabilities by monitoring the macOS Unified Logging System (ULS) for activity related to sharingd, the daemon responsible for AirDrop and other sharing services. Identifying unexpected file transfers from unknown or unmanaged UUIDs to corporate devices can serve as an early warning sign. Furthermore, security teams should look for anomalous outbound connections following such transfers, as these may indicate the establishment of a command-and-control channel.
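The correlation described above, written out as an added example (this is not code from the article or from Runtime Rebel): it reads unified-log records in the shape produced by `log show --style ndjson` (the `timestamp`, `process`, `subsystem` and `eventMessage` keys are real ndjson fields), keeps only sharingd AirDrop receipts, and flags any outbound connection that follows a receipt within a short window. The sharingd message text, the `managed-` sender naming convention and the network-event feed format are assumptions; real sharingd messages differ and the match string must be taken from your own fleet's logs.

```python
"""Correlate AirDrop receipts (sharingd, unified log) with later outbound
connections. Added example; record contents are constructed."""
import json
from datetime import datetime, timedelta

# Constructed sample of `log show --style ndjson` output: two sharingd
# receipts (one from an unmanaged sender) and one unrelated record.
# The eventMessage wording is assumed, not Apple's real format.
ULS_NDJSON = """\
{"timestamp":"2026-03-09 14:02:11.000000+0000","process":"sharingd","subsystem":"com.apple.sharing","eventMessage":"AirDrop transfer received: file=build_tool.zip sender=unknown-device"}
{"timestamp":"2026-03-09 14:02:40.000000+0000","process":"kernel","subsystem":"com.apple.kernel","eventMessage":"unrelated kernel message"}
{"timestamp":"2026-03-09 16:55:03.000000+0000","process":"sharingd","subsystem":"com.apple.sharing","eventMessage":"AirDrop transfer received: file=notes.pdf sender=managed-0042"}
"""

# Constructed, hypothetical EDR-style outbound connection feed for the same host.
NET_EVENTS = [
    {"timestamp": "2026-03-09 14:05:30.000000+0000", "process": "build_tool", "dest": "203.0.113.7:443"},
    {"timestamp": "2026-03-09 17:40:00.000000+0000", "process": "Safari", "dest": "198.51.100.4:443"},
]

TS_FMT = "%Y-%m-%d %H:%M:%S.%f%z"   # ndjson timestamp layout
WINDOW = timedelta(minutes=10)       # receipt -> first outbound connection


def parse_ts(text):
    return datetime.strptime(text, TS_FMT)


def airdrop_receipts(ndjson_text):
    """Extract AirDrop receipts from sharingd records (assumed message format)."""
    receipts = []
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("process") != "sharingd":
            continue
        msg = rec.get("eventMessage", "")
        if "AirDrop transfer received" not in msg:
            continue
        # "key=value" tokens after the colon; assumed layout of the message
        fields = dict(tok.split("=", 1) for tok in msg.split(":", 1)[1].split() if "=" in tok)
        receipts.append({"time": parse_ts(rec["timestamp"]),
                         "file": fields.get("file"),
                         "sender": fields.get("sender", "")})
    return receipts


def is_managed(sender):
    """Assumed convention: managed corporate devices advertise a 'managed-' name."""
    return sender.startswith("managed-")


def correlate(receipts, net_events, window=WINDOW):
    """Alert on any outbound connection within `window` after an AirDrop receipt.
    Receipts from unmanaged senders are rated high, managed ones medium."""
    alerts = []
    for r in receipts:
        for e in net_events:
            t = parse_ts(e["timestamp"])
            if r["time"] <= t <= r["time"] + window:
                alerts.append({
                    "severity": "high" if not is_managed(r["sender"]) else "medium",
                    "file": r["file"],
                    "sender": r["sender"],
                    "process": e["process"],
                    "dest": e["dest"],
                    "delta_s": int((t - r["time"]).total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for a in correlate(airdrop_receipts(ULS_NDJSON), NET_EVENTS):
        print(a)
```

Only the unmanaged `build_tool.zip` receipt is followed by a connection inside the window, so the script raises a single high-severity alert; the managed `notes.pdf` receipt, whose next outbound connection is 45 minutes later, produces none. In production the two inputs would come from the host's unified log export and the EDR's network telemetry rather than inline constants.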

Restricting AirDrop on macOS enterprise devices

The most effective mitigation for this specific vector is restricting AirDrop on macOS enterprise devices via Mobile Device Management (MDM) configuration profiles. By setting the allowAirDrop key to false in the com.apple.applicationaccess payload, administrators can prevent unauthorized file transfers between personal and professional devices. This should be combined with a policy of strictly prohibiting the use of personal devices for receiving or staging professional tools and code.
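As an added example (not code from the article, from Runtime Rebel, or from Apple), the following builds the configuration profile described above with the standard-library `plistlib` and includes an audit function that checks whether an exported profile actually restricts AirDrop. The `com.apple.applicationaccess` payload type and the `allowAirDrop` key are the ones the article names; the identifiers, display names and organisation are constructed placeholders.

```python
"""Build a macOS configuration profile that sets allowAirDrop=false and audit
profiles for that restriction. Added example; identifiers are constructed."""
import plistlib
import uuid

RESTRICTIONS_PAYLOAD = "com.apple.applicationaccess"   # named in the article
# Constructed placeholder identifiers; replace with your own reverse-DNS names.
PROFILE_ID = "com.example.profile.airdrop-restriction"
PAYLOAD_ID = "com.example.payload.airdrop-restriction"


def build_profile(org="Example Corp", allow_airdrop=False):
    """Return a .mobileconfig (XML plist) restricting AirDrop for `org`."""
    restrictions = {
        "PayloadType": RESTRICTIONS_PAYLOAD,
        "PayloadVersion": 1,
        "PayloadIdentifier": PAYLOAD_ID,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Restrict AirDrop",
        "allowAirDrop": allow_airdrop,   # the key the article recommends setting to false
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": PROFILE_ID,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"{org} - Restrict AirDrop",
        "PayloadOrganization": org,
        "PayloadScope": "System",
        "PayloadContent": [restrictions],
    }
    return plistlib.dumps(profile)


# Constructed "weak" profile: a restrictions payload that never sets allowAirDrop,
# so the platform default (AirDrop allowed) stays in effect.
WEAK_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.profile.weak",
    "PayloadUUID": "00000000-0000-0000-0000-000000000001",
    "PayloadContent": [{
        "PayloadType": RESTRICTIONS_PAYLOAD,
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.payload.weak",
        "PayloadUUID": "00000000-0000-0000-0000-000000000002",
        "allowCamera": True,
    }],
})


def airdrop_restricted(profile_bytes):
    """True only if some applicationaccess payload explicitly sets allowAirDrop to False.
    A missing key is treated as not restricted, because the default allows AirDrop."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != RESTRICTIONS_PAYLOAD:
            continue
        if payload.get("allowAirDrop") is False:
            return True
    return False


def audit(profiles):
    """Map profile identifier -> whether it restricts AirDrop."""
    return {plistlib.loads(p)["PayloadIdentifier"]: airdrop_restricted(p) for p in profiles}


if __name__ == "__main__":
    with open("restrict-airdrop.mobileconfig", "wb") as fh:
        fh.write(build_profile())
    print(audit([build_profile(), WEAK_PROFILE]))
```

The generated file is meant to be delivered through the MDM enrolment already in place on the fleet rather than installed by hand, and the `audit` function is the check to run over every restrictions profile you already push: a profile that touches `com.apple.applicationaccess` but omits `allowAirDrop` leaves the feature enabled, which is exactly the gap the audit reports.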

Actionable Recommendations

  1. Restrict Peer-to-Peer Sharing: Use MDM to disable AirDrop, Handoff, and Bluetooth file sharing on all corporate-issued macOS and iOS devices.
  2. Endpoint Auditing: Ensure that EDR solutions are configured to scan all files written to disk, regardless of the source (e.g., local disk, USB, or wireless transfer).
  3. Developer Training: Educate staff on the risks of using personal devices as staging areas for work files, emphasizing that attackers target personal accounts specifically to bypass corporate security.
  4. Cloud Access Monitoring: Implement strict Zero Trust policies for cloud environments, requiring multi-factor authentication and device posture checks before granting access to sensitive financial infrastructure.
