Menu
Browse

Cyber Threat Actor: UNC4736

Actor Type Location Known Incidents
 Icon
Nation State
North Korea
4 incidents
Profile

UNC4736 is a threat actor tracked under that alias and is publicly attributed to North Korea, specifically described as a DPRK‑aligned group linked to the Reconnaissance General Bureau. Public reporting also connects UNC4736 to the financially motivated Lazarus Group through its involvement in Operation AppleJeus and to APT43 activity clusters identified as UNC3782 and UNC4469. These associations indicate a dual focus on financial gain and espionage‑oriented operations that align with broader North Korean state‑sponsored cyber activity.

The actor’s targeting pattern, as reflected in the reported incidents, centers on software supply chains, financial technology platforms and cryptocurrency services. UNC4736 has compromised third‑party software builders such as Trading Technologies to push trojanized updates, subsequently leveraging the stolen credentials to infiltrate downstream build environments at companies like 3CX and to tamper with legitimate software distribution channels, as seen in the OpenAI GitHub Actions incident that poisoned the Axios library used for macOS code signing. In the financial sector, the actor executed a sophisticated DeFi attack against Radiant Capital, delivering a macOS backdoor via a malicious Telegram‑delivered ZIP file and manipulating smart‑contract front ends to conceal illicit transactions. These operations demonstrate a clear motivation to obtain financial gain while also gathering intelligence through software‑supply‑chain intrusion.

Observed tactics, techniques and procedures include the use of multi‑stage modular backdoors such as VEILEDSIGNAL, which drops components like the TAXHAUL launcher and COLDCAT downloader, and employs DLL hijacking of the legitimate IKEEXT service to achieve persistence with SYSTEM privileges on Windows systems. On macOS, UNC4736 has deployed the POOLRAT backdoor using LaunchDaemons for persistence and has relied on DLL side‑loading through legitimate Windows binaries to evade detection. Initial access frequently involves trojanized installers—such as the compromised X_TRADER application—that steal credentials and enable lateral movement within victim networks. In the Radiant Capital incident, the actor used a malicious Telegram message containing a ZIP file that dropped the INLETDRIFT malware, establishing a persistent backdoor while displaying a decoy PDF to avoid suspicion. The group also crafts malicious smart contracts across multiple blockchain networks and manipulates front‑end interfaces to hide fraudulent transactions during signing, demonstrating a blend of traditional malware and blockchain‑focused subterfuge. After achieving objectives, UNC4736 has been observed removing forensic traces to hinder investigation.

Notable campaigns attributed to UNC4736 include the 2023 compromise of 3CX that originated from a prior breach of Trading Technologies’ build infrastructure, the October 2024 Radiant Capital heist involving approximately $50 million in losses through the INLETDRIFT backdoor and manipulated smart contracts, and the March 2026 OpenAI supply chain incident where a GitHub Actions workflow downloaded a poisoned version of the Axios library used to sign macOS applications. Earlier activity linked to the group includes the March 2022 compromise of the Trading Technologies website noted in Google’s Threat Analysis Group reporting, which is tied to the broader Operation AppleJeus campaign conducted by the Lazarus Group. These incidents collectively illustrate UNC4736’s reliance on supply‑chain manipulation, credential theft, macOS and Windows backdoors, and blockchain‑based fraud to achieve its objectives.

Incidents
Attributed incidents available to members
4 incidents
Sources
Sources available to members
7 sources