Security Alerts

N. Korean Hackers 'Mixing' macOS Malware Tactics to Evade Detection

North Korean threat actors, specifically the Lazarus Group, have been observed blending elements of their macOS malware campaigns RustBucket and KANDYKORN. Cybersecurity firm SentinelOne revealed that the Lazarus Group is now using RustBucket droppers to deliver the KANDYKORN malware. RustBucket relies on a backdoored version of a PDF reader app called SwiftLoader, which serves as a conduit for loading a next-stage malware written in Rust. In the KANDYKORN campaign, blockchain engineers at a crypto exchange platform were targeted via Discord, leading to a sophisticated multi-stage attack sequence that deploys a full-featured, memory-resident remote access trojan. Additionally, a third macOS-specific malware called ObjCShellz has been linked to the RustBucket campaign; it acts as a remote shell that executes commands sent from the attacker-controlled server. The blending of tactics and tools suggests a collaborative and adaptable approach among North Korean hacker groups, making it harder for defenders to track and attribute malicious activity.

Link

https://thehackernews.com/2023/11/n-korean-hackers-mixing-and-matching.html