UNC4899 AirDrop Attack: How North Korean Hackers Bypassed Perimeter Defenses

In the evolving landscape of cyber threats, perimeter defenses like email gateways and firewalls are becoming increasingly effective at stopping traditional attacks. Consequently, sophisticated adversaries are shifting tactics, moving laterally from digital phishing to physical proximity attacks. A stark example of this evolution emerged recently involving UNC4899, a North Korean threat actor also tracked as Jade Sleet, PUKCHONG, and Slow Pisces.

Introduction

Imagine sitting in a coworking space or a coffee shop, working on a sensitive project for a cryptocurrency firm. Suddenly, a notification pops up on your screen: "AirDrop: Resume.pdf from MacBook Pro." Instinctively, assuming it is a recruiter or a colleague, you click Accept. In that split second, you have just bypassed millions of dollars in security infrastructure and handed the keys to the kingdom to a state-sponsored adversary.

This is not a hypothetical scenario. In 2025, UNC4899 successfully utilized this exact method to breach a cryptocurrency organization. By targeting a developer's work device via AirDrop, they delivered a trojanized file that ultimately led to the theft of millions of dollars in digital assets. This attack signals a dangerous shift: hackers are now exploiting the inherent trust we place in person-to-person file sharing.

Analysis: The Proximity Vector

UNC4899 is a prolific North Korean group with a history of targeting the blockchain and cryptocurrency sectors to generate revenue for the regime. While their tradecraft typically involves LinkedIn social engineering and malicious npm packages, the use of AirDrop represents a tactical pivot to bypass "soft" targets.

The Technical Breakdown

AirDrop utilizes Bluetooth to create a peer-to-peer Wi-Fi network between Apple devices. While convenient, it presents a significant attack surface for several reasons:

1. Bypassing Email Security: Traditional Secure Email Gateways (SEGs) analyze attachments for malware. AirDrop transfers files directly to the device storage, completely circumventing these controls.
2. Trust Exploitation: Users are conditioned to treat AirDrop requests as coming from someone physically nearby. If the attacker is in the same vicinity (e.g., a developer conference), the victim's guard is down.
3. Execution: In this incident, the delivered file was likely a DMG disk image or a signed malicious application masquerading as legitimate software or a document. Once opened, the payload likely established a reverse shell or deployed a stealer (e.g., CookieMiner variants) to harvest credentials and session tokens.

Cloud Compromise Path

Once the developer's device was compromised, the attack moved to the cloud. The malware likely sought access to:

• Private Keys: Locally stored wallet keys.
• Environment Variables: AWS/GCP credentials stored in .bash_profile or .zshrc.
• Session Cookies: Validated session tokens for internal crypto dashboards.

By authenticating as the developer, UNC4899 could move laterally into the organization's cloud infrastructure to siphon funds without triggering MFA prompts that would look anomalous if originating from a new device, but appeared normal coming from a known corporate endpoint.

Detection and Threat Hunting

Detecting AirDrop-based attacks requires visibility into endpoint logs that many organizations overlook. Security teams must hunt for anomalies in Bluetooth services and unexpected file executions.

1. KQL Query for Microsoft Sentinel/Defender

This query looks for the creation of processes common to macOS scripts or tools immediately following a potential AirDrop receipt, leveraging DeviceProcessEvents if Microsoft Defender for Endpoint is installed on the Mac endpoints.

DeviceProcessEvents
| where Timestamp > ago(7d)
| where DeviceName contains "Mac"
| where FolderPath startswith @"/Users/" and FolderPath contains @"Downloads"
| where ProcessVersionInfoOriginalFileName in~ ("bash", "sh", "python", "osascript", "javascript")
| where InitiatingProcessFileName !in~ ("Safari", "Chrome", "Firefox", "Zoom")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc

2. Bash Script for Endpoint Audit

For incident responders triaging a potentially compromised macOS workstation, checking the Unified Logging system for recent AirDrop activity is crucial.

#!/bin/bash

# Search for AirDrop activity in the last 24 hours
echo "Checking for recent AirDrop acceptances..."
log show --predicate 'process == "sharingd" AND eventMessage CONTAINS "AirDrop"' --last 24h --info

echo "Checking for recent DMG mounts (common malware vector)..."
log show --predicate 'eventMessage CONTAINS "hdiutil" OR eventMessage CONTAINS "mount"' --last 24h --info | grep -i "dmg"

3. Python IOC Scanner

A simple script to scan a user's Downloads directory for file types often used in these spear-phishing campaigns.

import os
import magic

def scan_downloads():
    downloads_path = os.path.expanduser("~/Downloads")
    mime = magic.Magic(mime=True)
    suspicious_extensions = ['.dmg', '.pkg', '.app', '.zip']
    
    print(f"Scanning {downloads_path} for executables...")
    
    for root, dirs, files in os.walk(downloads_path):
        for file in files:
            file_path = os.path.join(root, file)
            if any(file.lower().endswith(ext) for ext in suspicious_extensions):
                file_type = mime.from_file(file_path)
                print(f"[!] Suspicious file found: {file} (Type: {file_type})")

if __name__ == "__main__":
    scan_downloads()

Mitigation Strategies

Protecting against proximity-based attacks requires both technical controls and user awareness.

1. Restrict AirDrop via MDM: Organizations managing macOS devices must use Mobile Device Management (MDM) profiles to set AirDrop to "Contacts Only" or "Receiving Off" entirely. For high-value targets like crypto developers, disable it completely.
2. Endpoint Detection and Response (EDR): Ensure EDR agents are installed on all non-Windows devices. macOS endpoints are often unmonitored, making them the path of least resistance.
3. Physical Security Policy: Implement a clean desk policy and enforce a rule of "no unknown file transfers." If an AirDrop request appears from an unrecognized name, users should be trained to reject it immediately and report the proximity anomaly.
4. Least Privilege Access: Ensure developer accounts do not have root access on their local machines, and utilize separate strict roles for cloud infrastructure access to prevent a compromised laptop from draining wallets instantly.

The UNC4899 campaign serves as a stark reminder that cybersecurity is not just about code; it is about physical context and human behavior. As attackers close the distance between the digital and physical realms, our defenses must cover the entire gap.

Related Resources

Security Arsenal Incident Response Services AlertMonitor Platform Book a SOC Assessment incident-response Intel Hub