Thursday 15 October 14:00 - 14:30, Green room
Kseniia Yamburh (MacPaw) & Joan Garcia (Independent)
The line between nation-state malware and criminal malware has been blurring for years. Digit Stealer is one of the clearest examples we have of what that blurring looks like in practice. It’s a criminal operation that studied DPRK tradecraft, absorbed the parts that work, and built them into a cross-platform campaign targeting macOS and Windows users with increasing proficiency and decreasing visibility. This talk covers it from every angle we were able to reach: the malware itself, the infrastructure behind it, the nation-state tradecraft woven through it, communications from within the traffer network running it, and evidence from real victims caught by it.
In this talk the macOS payload is the technical centrepiece. It has evolved from early variants to current strains that are executed in memory and are obfuscated heavily enough to slow analysis and challenge detection tools that handled earlier versions cleanly. Alongside the macOS strain, a separate Windows component operates within the same infrastructure. Two distinct tools, one operation. We present both, and we present what their coexistence reveals about the scale and cross-platform reach of what is running them. Attendees will leave this session understanding how a single operation manages to deliver cross-platform payloads through a distribution chain that looks, to the people on the receiving end, like something totally legitimate. That distribution chain was borrowed heavily from DPRK state-sponsored actors. The use of fake professional interactions as a delivery mechanism, and the use of macOS .scpt files as a payload component, carries a fingerprint that the security community will recognize from Lazarus Group affiliate operations. This is evidence of how effectively criminal actors absorb and deploy techniques proven at the nation-state level.
We also obtained a view inside the operation itself. Communications from within the traffer network give us direct intelligence on how the campaign is organized and maintained. We also traced the distribution chain back through the delivery mechanisms that preceded the current approach, showing an infrastructure that has been evolving in parallel with the malware itself. The research is grounded throughout by real victim evidence: firsthand accounts from people who experienced the complete infection chain. They prove what the technical findings describe in the abstract, and they show precisely how effective this operation is against the people it targets.
This talk covers Digit Stealer completely: macOS payload evolution to fileless execution and heavy obfuscation, the separate Windows strain, DPRK-borrowed tradecraft, distribution chain history, traffer network intelligence, and victim evidence. It is a precise and well-documented case study in how criminal malware operations absorb nation-state techniques, and in how dangerous a crew becomes when it starts learning from the best.
Kseniia Yamburh is a macOS malware research engineer from Ukraine specializing in threat intelligence and threat hunting. She hunts emerging macOS malware strains, investigates cybercrime ecosystems, and conducts OSINT operations. She has presented at the Objective by the Sea, OFTW, Virus Bulletin and JNUC conferences and regularly writes blog posts and articles breaking down macOS security threats. She's passionate about making cybersecurity accessible to both technical and non-technical audiences and advocates for raising awareness that Macs can and do get viruses.
Joan Garcia, also known as g0njxa, is a Spanish cyber security researcher. He specializes in threat intelligence research on infostealer malware, but is also known for his analysis of, and for fostering collaboration on, other threats such as phishing and ransomware, contributing to a safer digital landscape. He is active on X and Medium, sharing his in-depth investigations in posts and blogs.
Back to VB2026 conference page