The North Korea-linked threat actor assessed to be behind the massive Bybit hack in February 2025 has been linked to a malicious campaign that targets developers to deliver new stealer malware under the guise of a coding assignment.
The activity has been attributed by Palo Alto Networks Unit 42 to a hacking group it tracks as Slow Pisces, which is also known as Jade Sleet, PUKCHONG, TraderTraitor, and UNC4899.
"Slow Pisces engaged with cryptocurrency developers on LinkedIn, posing as potential employers and sending malware disguised as coding challenges," security researcher Prashil Pattni said. "These challenges require developers to run a compromised project, infecting their systems using malware we have named RN Loader and RN Stealer."
Slow Pisces has a history of targeting developers, typically in the cryptocurrency sector, by approaching them on LinkedIn as part of a supposed job opportunity and enticing them into opening a PDF document that details the coding assignment hosted on GitHub.
In July 2023, GitHub revealed that employees working at blockchain, cryptocurrency, online gambling, and cybersecurity companies had been singled out by the threat actor, who deceived them into running malicious npm packages.
Then last June, Google-owned Mandiant detailed the attackers' modus operandi of first sending targets on LinkedIn a benign PDF document containing a job description for an alleged job opportunity, and following it up with a skills questionnaire should they express interest.
The questionnaire included instructions to complete a coding challenge by downloading a trojanized Python project from GitHub that, while ostensibly capable of viewing cryptocurrency prices, was designed to contact a remote server to fetch an unspecified second-stage payload if certain conditions were met.
The multi-stage attack chain documented by Unit 42 follows the same approach, with the malicious payload sent only to validated targets, likely selected based on IP address, geolocation, time, and HTTP request headers.
"Focusing on individuals contacted via LinkedIn, as opposed to broad phishing campaigns, allows the group to tightly control the later stages of the campaign and deliver payloads only to expected victims," Pattni said. "To avoid the suspicious eval and exec functions, Slow Pisces uses YAML deserialization to execute its payload."
The payload is configured to execute a malware family named RN Loader, which sends basic information about the victim machine and operating system over HTTPS to the same server, then receives and executes a next-stage Base64-encoded blob.
The newly downloaded malware is RN Stealer, an information stealer capable of harvesting sensitive information from infected Apple macOS systems. This includes system metadata, installed applications, a directory listing and the top-level contents of the victim's home directory, the iCloud Keychain, stored SSH keys, and configuration files for AWS, Kubernetes, and Google Cloud.
"The infostealer gathers more detailed victim information, which attackers likely used to determine whether they needed continued access," Unit 42 said.
Targeted victims who apply for a JavaScript role are likewise urged to download a "Cryptocurrency Dashboard" project from GitHub that employs a similar strategy, where the command-and-control (C2) server only serves additional payloads when the targets meet certain criteria. However, the exact nature of that payload is unknown.
"The repository uses the Embedded JavaScript (EJS) templating tool, passing responses from the C2 server to the ejs.render() function," Pattni pointed out. "Like using yaml.load(), this is another technique Slow Pisces employs to conceal execution of arbitrary code from its C2 servers, and this method is perhaps only apparent when viewing a valid payload."
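Both concealment patterns quoted above, yaml.load() without a safe Loader and ejs.render() fed a template that is not a string literal, can be flagged before a downloaded "coding challenge" is ever executed. The following pre-review check is an added example written for this article, not Unit 42's or the attackers' code; the sample Python and JavaScript sources it scans are constructed here and the function names are hypothetical.

```python
"""Hypothetical pre-review check (added example): flag yaml.load() calls that are
not pinned to a safe Loader, and ejs.render() calls whose template argument is
not a string literal (e.g. a network response), before running an untrusted repo."""
import ast
import re

# Constructed sample files standing in for a downloaded "coding challenge".
PY_SAMPLE = """
import yaml, requests
cfg = yaml.safe_load(open('settings.yml'))
resp = requests.get(API)
data = yaml.load(resp.text)               # unsafe: full Loader on remote input
ok = yaml.load(resp.text, Loader=yaml.SafeLoader)
"""
JS_SAMPLE = """
const ejs = require('ejs');
const page = ejs.render('<h1><%= title %></h1>', { title });
axios.get(url).then(r => ejs.render(r.data, {}));   // template comes from a server
"""

SAFE_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader"}

def unsafe_yaml_loads(src: str) -> list[int]:
    """Return line numbers of yaml.load() calls not pinned to a safe Loader."""
    hits = []
    for node in ast.walk(ast.parse(src)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        f = node.func
        if not (isinstance(f.value, ast.Name) and f.value.id == "yaml" and f.attr == "load"):
            continue
        # Loader may be passed by keyword or as the second positional argument.
        loader = next((k.value for k in node.keywords if k.arg == "Loader"), None)
        if len(node.args) > 1:
            loader = node.args[1]
        safe = isinstance(loader, ast.Attribute) and loader.attr in SAFE_LOADERS
        if not safe:
            hits.append(node.lineno)
    return hits

EJS_RENDER = re.compile(r"ejs\.render\(\s*([^,)]+)")

def dynamic_ejs_renders(src: str) -> list[int]:
    """Return line numbers where ejs.render()'s template is not a string literal."""
    hits = []
    for lineno, line in enumerate(src.splitlines(), 1):
        for m in EJS_RENDER.finditer(line):
            if not re.fullmatch(r"""\s*(['"`]).*\1\s*""", m.group(1)):
                hits.append(lineno)
    return hits
```

Run both functions over every .py and .js file in the repository and treat any hit as a reason to read the code, and the server it talks to, before executing it.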
Jade Sleet is one of many North Korean threat activity clusters to leverage job opportunity-themed lures as a malware distribution vector, the others being Operation Dream Job, Contagious Interview, and Alluring Pisces.
"These groups feature no operational overlaps. However, these campaigns making use of similar initial infection vectors is noteworthy," Unit 42 concluded. "Slow Pisces stands out from their peers' campaigns in operational security. Delivery of payloads at each stage is heavily guarded, existing in memory only. And the group's later stage tooling is only deployed when necessary."