North Korean Hackers Weaponize Chromium Zero-Day in Targeted Cryptocurrency Theft Campaign

Microsoft has disclosed a sophisticated cyberattack campaign in which North Korean threat actors exploited a zero-day vulnerability in the Chromium web browser to target cryptocurrency users worldwide. The campaign, attributed to a group Microsoft tracks as Citrine Sleet — also known as AppleJeus and Hidden Cobra — leverages CVE-2024-7971, a high-severity remote code execution flaw in the V8 JavaScript and WebAssembly engine that powers Google Chrome, Microsoft Edge, and other Chromium-based browsers.

The Threat Landscape

The vulnerability exists in Chromium versions prior to 128.0.6613.84, which began rolling out on August 21, 2024. Microsoft’s Security Response Center discovered the active exploitation and notified Google on August 19. Google rated the severity as high, given that the flaw enables remote execution of arbitrary code on a victim’s machine simply by visiting a crafted webpage.

Citrine Sleet is financially motivated and linked to North Korea’s Bureau 121, part of the military’s Reconnaissance General Bureau. The group has a well-documented history of targeting cryptocurrency exchanges, individual traders, and DeFi platforms. Their operational sophistication matches that of advanced persistent threat groups employed by other nation-states, but their financial objectives align directly with Pyongyang’s need to generate foreign currency through cybercrime.

Core Principles

The attack chain begins with social engineering. Citrine Sleet operates fake cryptocurrency trading platforms and sends fraudulent job application lures to targets in the blockchain and cryptocurrency industry. Victims who interact with these lures are redirected to attacker-controlled domains that exploit the Chromium vulnerability to install a rootkit called FudModule on the target system.

FudModule operates entirely in memory, making it difficult for traditional antivirus solutions to detect. The rootkit also attempts to exploit CVE-2024-38106, a Windows kernel privilege escalation vulnerability, to escape browser sandbox protections. Once sandbox escape is achieved, the malware gains system-level access and can intercept cryptocurrency wallet credentials, private keys, and seed phrases.

The multi-stage nature of this attack is instructive. It combines a browser exploit with an operating system privilege escalation and a fileless rootkit — a trifecta that represents the cutting edge of offensive cyber operations.

Tooling and Setup

Defending against this type of campaign requires a layered security approach. Browser updates are the first and most critical line of defense. Users should verify they are running Chromium 128.0.6613.84 or later. Automatic browser updates should be enabled, and users who have disabled them for any reason should re-enable them immediately.
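One way to act on the version threshold above is to triage the User-Agent strings in your own web-server access log against the fixed build 128.0.6613.84. This is an added example, not code from the article or from Microsoft's advisory; the log lines are constructed and the function names are mine. It also handles Chrome's reduced User-Agent (e.g. 128.0.0.0), where only the major version can be trusted.

```python
import re
from typing import Iterator, Optional, Tuple

Version = Tuple[int, int, int, int]

# First Chromium build shipping the CVE-2024-7971 fix (from the article).
FIXED_VERSION: Version = (128, 0, 6613, 84)

# Edge, Brave, Opera and other Chromium derivatives keep a Chrome/<a.b.c.d>
# token in their User-Agent and `--version` output, so one pattern covers all.
_TOKEN = re.compile(r"Chrom(?:e|ium)/(\d+)\.(\d+)\.(\d+)\.(\d+)")

def parse_chromium_version(text: str) -> Optional[Version]:
    """Extract the four-part Chromium build from a UA string or version output."""
    m = _TOKEN.search(text)
    return (int(m[1]), int(m[2]), int(m[3]), int(m[4])) if m else None

def assess(version: Version) -> str:
    """Classify a build as 'vulnerable', 'patched' or 'unknown' against the fix."""
    major, minor, build, patch = version
    # Caveat: Chrome's reduced User-Agent reports e.g. 128.0.0.0, so a UA alone
    # only gives the major; a 128.0.0.0 client may be on either side of the fix.
    if (minor, build, patch) == (0, 0, 0):
        if major < FIXED_VERSION[0]:
            return "vulnerable"
        return "patched" if major > FIXED_VERSION[0] else "unknown"
    return "patched" if version >= FIXED_VERSION else "vulnerable"  # tuple order

def triage_access_log(lines) -> Iterator[Tuple[str, str, str]]:
    """Yield (client_ip, build, verdict) for Chromium clients not known patched."""
    for line in lines:
        ver = parse_chromium_version(line)
        if ver is None:  # Firefox, Safari, curl, ...: not affected by this CVE
            continue
        verdict = assess(ver)
        if verdict != "patched":
            yield line.split(" ", 1)[0], ".".join(map(str, ver)), verdict

# Constructed sample access-log lines (not real traffic); the UA is the last field.
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Aug/2024:10:01:02 +0000] "GET /wallet HTTP/1.1" 200 '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/127.0.6533.120 Safari/537.36"',
    '203.0.113.9 - - [22/Aug/2024:10:02:11 +0000] "GET /wallet HTTP/1.1" 200 '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/128.0.6613.84 Edg/128.0.2739.42"',
    '198.51.100.7 - - [22/Aug/2024:10:03:40 +0000] "GET /wallet HTTP/1.1" 200 '
    '"Mozilla/5.0 (X11; Linux x86_64) Chrome/128.0.0.0 Safari/537.36"',
    '198.51.100.8 - - [22/Aug/2024:10:04:05 +0000] "GET /wallet HTTP/1.1" 200 '
    '"Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"',
]
```

Clients reported as "unknown" need a full build string (from `chrome --version` on the endpoint, or the UA Client Hints full-version header) before they can be cleared.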

Hardware wallets provide essential protection against credential theft. Even if malware compromises a user’s operating system, private keys stored on a hardware wallet like a Ledger or Trezor never leave the device. Transaction signing occurs on the hardware itself, rendering key-logging and memory-scraping attacks ineffective.

Email and messaging hygiene is equally important. Citrine Sleet’s social engineering lures — fake job offers, fraudulent trading platforms — are designed to appear legitimate. Verifying the authenticity of unsolicited communications before clicking links or downloading files is a non-negotiable practice.

Ongoing Vigilance

The Citrine Sleet campaign underscores a broader trend: nation-state actors are increasingly targeting the cryptocurrency ecosystem as a revenue source. North Korea alone has been linked to billions of dollars in cryptocurrency thefts over the past several years, and the sophistication of their operations continues to advance.

For organizations in the crypto space, this means investing in endpoint detection and response solutions capable of detecting fileless malware. Network monitoring tools that flag unusual outbound connections to suspicious domains can catch command-and-control traffic before exfiltration completes.

Individual users should regularly review their browser extensions, remove any they do not recognize, and monitor their wallet transaction history for unauthorized activity. With Bitcoin trading above $59,000 and the total crypto market cap exceeding $2 trillion, the incentives for state-sponsored cybercrime will only intensify.

Final Takeaway

The convergence of nation-state capabilities with financially motivated cryptocurrency targeting represents a new frontier in cybersecurity. CVE-2024-7971 is not just a browser bug — it is a window into how the most sophisticated threat actors on the planet view the crypto ecosystem. Update your browser, use a hardware wallet, and treat every unsolicited link as a potential weapon.

13 thoughts on “North Korean Hackers Weaponize Chromium Zero-Day in Targeted Cryptocurrency Theft Campaign”

  1. CVE-2024-7971 in Chromium V8 and DPRK is actively exploiting it. Update your browser right now if you haven't since August 21

    1. updated chrome the same day this dropped. V8 RCE with no user interaction beyond a page visit is nightmare fuel for anyone trading from a browser

      1. Updated my browser immediately after reading this. The fact that this affects all Chromium-based browsers means most crypto traders are at risk if they haven’t updated since August.

  2. Citrine Sleet has been at this for years. AppleJeus was their fake crypto exchange tool from 2018. Same playbook, better delivery.

    1. Kwame: AppleJeus to Chromium zero-day is quite the upgrade in 6 years. they went from building fake exchanges to exploiting browser engines. the skill gap closed fast

    1. neon_drift: RCE from just visiting a page is why browser-based wallets are a liability. metamask running in the same process as a compromised V8 engine is asking for trouble. extension wallets need separate process isolation

    1. Marcus: the geopolitical angle gets lost because people focus on the CVE. bureau 121 has a staff of maybe 6000+ people. crypto theft funds an estimated 50% of their weapons programs. every wallet drained is literally a missile component

    2. the geopolitics angle gets underreported. every wallet drained is literally funding weapons programs. not just some random hack

      1. Bureau 121 funding nuclear weapons with stolen crypto – that’s the real story here. Every drained wallet is literally helping build missiles.

  3. The fact that they’re using V8 RCE from just visiting a page shows how sophisticated these attacks have become. Hardware wallets are no longer just for security maximalists.
