
Threat actors with ties to North Korea, blamed for the massive Bybit hack in February 2025, have been linked to a malicious campaign that targets developers to deliver new stealer malware under the guise of coding assignments.
The activity has been attributed by Palo Alto Networks Unit 42 to a hacking group it tracks as Slow Pisces, which is also known as Jade Sleet, PUKCHONG, TraderTraitor, and UNC4899.
“Slow Pisces has engaged with cryptocurrency developers on LinkedIn, posing as potential employers and sending malware disguised as coding challenges,” said security researcher Prashil Pattni. “These challenges require developers to run a compromised project, infecting their systems with malware named RN Loader and RN Stealer.”
Slow Pisces has a history of targeting developers in the cryptocurrency sector, approaching them on LinkedIn with purported job opportunities and enticing them to open PDF documents that describe coding assignments hosted on GitHub.

In July 2023, GitHub revealed that employees of blockchain, cryptocurrency, online gambling, and cybersecurity companies had been singled out by the threat actors and tricked into running malicious npm packages.
Then last June, Google-owned Mandiant detailed the attackers' tactics: they first send a benign PDF document containing a job description for a supposed employment opportunity over LinkedIn, followed by a skills questionnaire if the target expresses interest.
The questionnaire includes instructions for completing a coding challenge by downloading a trojanized Python project from GitHub. While the project ostensibly displays cryptocurrency prices, it is designed to contact a remote server and fetch an unspecified second-stage payload if certain conditions are met.

The multi-stage attack chain documented by Unit 42 follows the same approach. Malicious payloads are sent only to validated targets, likely selected on the basis of IP address, geolocation, time, and HTTP request headers.
“In contrast to broad phishing campaigns, focusing on individuals contacted via LinkedIn allows the group to tightly control the later stages of the campaign and deliver payloads only to expected victims,” Pattni said. “To avoid the suspicious eval and exec functions, Slow Pisces uses YAML deserialization to run its payload.”
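The YAML trick in the quote above, as an added example rather than code from Unit 42's report or from the malware itself: a constructed YAML document carrying a `python/object/apply` tag is parsed once with PyYAML's unsafe `yaml.Loader` (the callable named in the tag runs during parsing, with no `eval` or `exec` anywhere in the source) and once with `yaml.safe_load` (which refuses the tag). A small `ast`-based check then flags `yaml.load()` calls in a downloaded project the way a reviewer of a "coding challenge" repository would want to. PyYAML is assumed installed; `os.getcwd` stands in for the `subprocess`/`exec` call a real payload would name, and the sample loader source is constructed for this example. The EJS pattern described later in the article is the same class of problem (a parser or template engine that evaluates attacker-supplied input).

```python
import ast
import os
import yaml  # PyYAML; assumed installed (pip install pyyaml)

# Constructed stand-in for a C2 response that masquerades as a config file.
# The python/object/apply tag makes PyYAML's unsafe loaders import the dotted
# name and call it with the given argument list while parsing. os.getcwd is a
# benign placeholder for the subprocess/exec call a real payload would name.
MALICIOUS_YAML = """\
app:
  name: crypto-dashboard
  refresh_seconds: 30
startup_hook: !!python/object/apply:os.getcwd []
"""

# Constructed snippet of the kind of "config loader" a trojanized project could
# contain; used only as input to the static check below (requests is not called).
SAMPLE_LOADER_SOURCE = """\
import yaml
import requests

def fetch_config(url):
    resp = requests.get(url)
    return yaml.load(resp.text, Loader=yaml.Loader)

def fetch_config_legacy(url):
    return yaml.load(requests.get(url).text)

def fetch_config_ok(url):
    return yaml.safe_load(requests.get(url).text)
"""


def load_unsafely(doc: str):
    """What a loader built on yaml.Loader does: every tag is honoured, so the
    callable named in the document runs before this function returns."""
    return yaml.load(doc, Loader=yaml.Loader)  # yaml.UnsafeLoader behaves the same


def unsafe_loader_executed(doc: str = MALICIOUS_YAML) -> bool:
    """True if parsing `doc` with yaml.Loader actually invoked os.getcwd()."""
    return load_unsafely(doc)["startup_hook"] == os.getcwd()


def load_safely(doc: str):
    """Hardened form: safe_load only builds scalars, lists and maps."""
    return yaml.safe_load(doc)


def safe_loader_rejects(doc: str = MALICIOUS_YAML) -> bool:
    """True if safe_load refuses the document (it raises
    yaml.constructor.ConstructorError on the python/* tag) instead of executing it."""
    try:
        load_safely(doc)
    except yaml.YAMLError:
        return True
    return False


UNSAFE_LOADERS = {"Loader", "UnsafeLoader"}  # FullLoader is also suspect on PyYAML < 5.4


def find_unsafe_yaml_loads(source: str) -> list:
    """Static check for a Python project: (line, reason) for every yaml.load()
    call that passes no Loader or an unsafe one, sorted by line number."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        is_yaml_load = (isinstance(func, ast.Attribute) and func.attr == "load"
                        and isinstance(func.value, ast.Name) and func.value.id == "yaml")
        if not is_yaml_load:
            continue
        loader = next((kw.value for kw in node.keywords if kw.arg == "Loader"), None)
        if loader is None and len(node.args) > 1:
            loader = node.args[1]  # Loader passed positionally
        if loader is None:
            findings.append((node.lineno, "yaml.load() without Loader (unsafe on PyYAML < 5.1)"))
        elif isinstance(loader, ast.Attribute) and loader.attr in UNSAFE_LOADERS:
            findings.append((node.lineno, f"yaml.load() with yaml.{loader.attr}"))
    return sorted(findings)


if __name__ == "__main__":
    print("unsafe loader ran the tag:", unsafe_loader_executed())
    print("safe_load rejected it:    ", safe_loader_rejects())
    for line, reason in find_unsafe_yaml_loads(SAMPLE_LOADER_SOURCE):
        print(f"line {line}: {reason}")
```

The point for a reviewer is that nothing in `fetch_config` looks like code execution: the only suspicious token is the loader class, and the payload itself never touches disk. Grepping a repository for `yaml.load(` is a reasonable first pass; the `ast` check above avoids false positives on `yaml.safe_load` and catches the positional-argument form.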
The payload is configured to run a malware family named RN Loader, which sends basic information about the victim machine and operating system to the same server over HTTPS, then receives and executes a Base64-encoded blob as the next stage.
The newly downloaded malware, RN Stealer, is an information stealer that can harvest sensitive data from infected Apple macOS systems, including system metadata, installed applications, a directory listing and the top-level contents of the victim's home directory, the iCloud Keychain, stored SSH keys, and configuration files for AWS, Kubernetes, and Google Cloud.
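If a developer did run such a project, the useful response question is which of the credential stores listed above were actually present and therefore need rotating. The following triage script is an added example, not tooling from Unit 42 or from the campaign: it walks a home directory for the locations the article names, lists the files each one exposes, flags any with group/other permission bits, and pairs each hit with the rotation action. The `Library/Keychains` path is an assumption standing in for the Keychain store (Unit 42 does not name the on-disk path), and `build_demo_home()` creates a constructed fixture so the script runs offline.

```python
import tempfile
from pathlib import Path

# Locations the article lists as RN Stealer's targets on macOS, relative to the
# home directory, mapped to the response action if they were present when the
# trojanized project ran. "Library/Keychains" is an assumed stand-in for the
# iCloud Keychain store; the report does not give its on-disk path.
STEALER_TARGETS = {
    ".ssh": "rotate SSH keys; remove the old public keys from authorized_keys and Git hosts",
    ".aws": "revoke the access keys in ~/.aws/credentials; review CloudTrail for their use",
    ".kube": "revoke the client certs/tokens in ~/.kube/config; rotate cluster credentials",
    ".config/gcloud": "revoke user refresh tokens and service-account keys; check audit logs",
    "Library/Keychains": "treat every Keychain secret as exposed; reset the stored passwords",
}


def _perms_loose(st_mode: int) -> bool:
    """True if group or others hold any permission bit (secrets should be 0600)."""
    return bool(st_mode & 0o077)


def triage_home(home: str) -> dict:
    """Enumerate which targets exist under `home` and which files they expose.

    Returns {target: {"files": [...], "loose": [...], "action": str}} for the
    targets that are present; paths are relative to `home`, sorted."""
    report = {}
    base = Path(home)
    for rel, action in STEALER_TARGETS.items():
        target = base / rel
        if not target.exists():
            continue
        files = [target] if target.is_file() else sorted(p for p in target.rglob("*") if p.is_file())
        loose = [p for p in files if _perms_loose(p.stat().st_mode)]
        report[rel] = {
            "files": [str(p.relative_to(base)) for p in files],
            "loose": [str(p.relative_to(base)) for p in loose],
            "action": action,
        }
    return report


def build_demo_home() -> str:
    """Constructed fixture: a throwaway home directory with fake credential files."""
    home = tempfile.mkdtemp(prefix="rn_triage_demo_")
    for rel, mode in [(".ssh/id_ed25519", 0o600), (".ssh/id_ed25519.pub", 0o644),
                      (".aws/credentials", 0o644), (".kube/config", 0o600)]:
        path = Path(home, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("fake-secret-material\n")
        path.chmod(mode)
    return home


if __name__ == "__main__":
    for target, info in triage_home(build_demo_home()).items():
        print(f"{target}: {len(info['files'])} file(s), loose perms on {info['loose'] or 'none'}")
        print(f"  action: {info['action']}")
```

Run it against a real account with `triage_home(str(Path.home()))`; anything it reports should be treated as exfiltrated, since the stealer reads these files regardless of their permission bits, and the loose-permission list is only a secondary hygiene finding.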

“The infostealer gathers more detailed victim information, which the attackers likely use to determine whether continued access is required,” Unit 42 said.
Similarly, victims applying for JavaScript roles are encouraged to download a “Cryptocurrency Dashboard” project from GitHub that employs a similar strategy, with the command-and-control (C2) server serving additional payloads only if the target meets certain criteria. The exact nature of that payload, however, is unknown.

“The repository uses the Embedded JavaScript (EJS) templating tool, passing responses from the C2 server to the ejs.render() function,” Pattni pointed out. “Like the use of yaml.load(), this is another technique Slow Pisces employs to hide execution of arbitrary code from its C2 servers, and this method is only apparent when viewing a valid payload.”
Jade Sleet is one of several North Korean threat activity clusters that use job-opportunity-themed lures as a malware distribution vector, others being Operation Dream Job, Contagious Interview, and Alluring Pisces.
“These groups feature no operational overlaps, but the campaigns' use of similar initial infection vectors is notable,” Unit 42 concluded. “Slow Pisces stands out from its peers' campaigns in operational security. Payload delivery at each stage is in memory only, and the group's later-stage tooling is deployed only when necessary.”