‘KandyKorn’ macOS Malware Lures Crypto Engineers


The infamous North Korean advanced persistent threat (APT) group Lazarus has developed a form of macOS malware called “KandyKorn,” which it is using to target blockchain engineers connected to cryptocurrency exchanges.

According to a report from Elastic Security Labs, KandyKorn has a full-featured set of capabilities to detect, access, and steal any data from the victim’s computer, including cryptocurrency services and applications.

To deliver it, Lazarus took a multistage approach involving a Python application masquerading as a cryptocurrency arbitrage bot (a software tool capable of profiting from the difference in cryptocurrency rates between cryptocurrency exchange platforms). The app contained files with misleading names, such as “config.py” and “pricetable.py,” and was distributed through a public Discord server.