In February 2025, a massive hack involving the cryptocurrency exchange Bybit caught the cybersecurity community’s attention, allegedly linked to a North Korea-based hacking group. This group has now been connected to a sophisticated campaign targeting developers with malicious coding assignments designed to spread new stealer malware. Palo Alto Networks’ Unit 42 identified this threat actor as Slow Pisces, which operates under various aliases like Jade Sleet, PUKCHONG, TraderTraitor, and UNC4899. What’s more, Slow Pisces has shown a disturbing ability to engage with developers, using platforms like LinkedIn to deliver malware disguised as coding challenges. This approach continues a long-standing trend of cyberattacks aimed at the cryptocurrency sector, with a clear focus on executing high-quality, low-profile attacks that avoid detection.
The attack chain mirrors prior campaigns by Slow Pisces, a group with a history of targeting cryptocurrency professionals through deceptive methods. In 2023, GitHub highlighted that blockchain, online gambling, cybersecurity, and cryptocurrency employees were being targeted with trojanized npm packages. Google’s Mandiant also outlined how the group used fake job offers in June 2023, followed by the delivery of trojanized Python projects designed to infect the victim’s machine with secondary payloads.
This campaign follows the same multi-stage approach, with malicious payloads delivered only to carefully selected victims, based on detailed data such as IP addresses, geolocation, time, and HTTP request headers. This targeting strategy is designed to keep the attack focused, precise, and difficult to detect.
What Undercode Says:
The continuous evolution of cyberattacks, particularly those executed by state-sponsored threat actors like North Korea, points to an increasingly sophisticated landscape in which developers are prime targets. Slow Pisces, with its ability to deliver malware via seemingly legitimate job offers, underscores the risks faced by professionals in high-stakes industries like cryptocurrency, cybersecurity, and blockchain.
What makes this campaign particularly worrying is the method of delivery. Instead of using large-scale, indiscriminate phishing attacks, Slow Pisces focuses on reaching out to specific individuals, often with a personalized message on platforms like LinkedIn. This selective approach allows the group to keep its operations tightly controlled, ensuring that the malware payloads are only executed on machines that meet certain criteria.
The use of YAML deserialization and EJS templating tools as part of the attack further highlights the advanced techniques employed by Slow Pisces to evade detection. These methods allow them to conceal malicious code execution, making it much harder for traditional security tools to identify and neutralize the threat before it reaches its target.
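A practical defensive check for the YAML deserialization part of this pattern is to audit a received project for calls that can construct arbitrary Python objects from YAML before running anything. The script below is an added example, not code from the original article or from Unit 42; it assumes the reviewer has a local copy of a Python project (for instance a "coding assignment" received through LinkedIn) and uses only the standard library `ast` module to flag `yaml.load`/`yaml.load_all` calls that use an unsafe or missing Loader and any `yaml.unsafe_load` call, resolving `import yaml as ...` and `from yaml import ...` aliases. The sample source at the bottom is constructed for illustration.

```python
"""Static check for unsafe YAML deserialization in a Python project.

Added example (not from the article or Unit 42). The scanner runs offline over
source text; SAMPLE below is constructed input, not code from any real project.
"""
import ast
from dataclasses import dataclass

# Loaders that can construct arbitrary objects from tags such as !!python/object.
UNSAFE_LOADERS = {"Loader", "UnsafeLoader", "FullLoader"}
# Loaders restricted to plain data types.
SAFE_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader", "CBaseLoader"}


@dataclass
class Finding:
    line: int
    call: str      # fully qualified call, e.g. "yaml.load"
    reason: str


def _dotted_name(node):
    """Return a 'pkg.attr' string for Name/Attribute nodes, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def _import_map(tree):
    """Map local names introduced by yaml imports to their qualified names."""
    names = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name == "yaml":
                    names[alias.asname or "yaml"] = "yaml"
        elif isinstance(node, ast.ImportFrom) and node.module == "yaml":
            for alias in node.names:
                names[alias.asname or alias.name] = f"yaml.{alias.name}"
    return names


def _resolve(name, imports):
    """Rewrite an aliased name (e.g. 'y.load', 'yload') to its yaml.* form."""
    head, _, rest = name.partition(".")
    if head in imports:
        return imports[head] + (f".{rest}" if rest else "")
    return name


def _loader_arg(call, imports):
    """Loader may be passed as the second positional argument or as Loader=."""
    for kw in call.keywords:
        if kw.arg == "Loader":
            return _dotted_name(kw.value)
    if len(call.args) >= 2:
        return _dotted_name(call.args[1])
    return None


def scan_source(source: str) -> list[Finding]:
    """Return findings for yaml.load-family calls that are not provably safe."""
    tree = ast.parse(source)
    imports = _import_map(tree)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        raw = _dotted_name(node.func)
        if raw is None:
            continue
        name = _resolve(raw, imports)
        if name in ("yaml.unsafe_load", "yaml.unsafe_load_all"):
            findings.append(Finding(node.lineno, name,
                                    "constructs arbitrary Python objects from YAML"))
        elif name in ("yaml.load", "yaml.load_all"):
            loader = _loader_arg(node, imports)
            if loader is None:
                findings.append(Finding(node.lineno, name,
                                        "no Loader given; old PyYAML defaults to the unsafe Loader"))
            else:
                short = _resolve(loader, imports).split(".")[-1]
                if short in UNSAFE_LOADERS:
                    findings.append(Finding(node.lineno, name,
                                            f"{short} allows object construction"))
                elif short not in SAFE_LOADERS:
                    findings.append(Finding(node.lineno, name,
                                            f"custom loader {short}; verify it derives from SafeLoader"))
    # ast.walk is breadth-first, so sort to report in source order.
    return sorted(findings, key=lambda f: f.line)


# Constructed sample: one safe pattern, one safe_load, three findings.
SAMPLE = '''
import yaml
from yaml import load as yload, Loader

def read_config(path):
    with open(path) as fh:
        cfg = yaml.load(fh, Loader=yaml.SafeLoader)   # safe
    opts = yaml.safe_load(open(path))               # safe
    a = yaml.load(open(path))                       # no Loader
    b = yload(open(path), Loader)                   # aliased call, unsafe Loader
    c = yaml.unsafe_load(open(path))                # explicit unsafe
    return cfg, opts, a, b, c
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"line {f.line}: {f.call}: {f.reason}")
```

Run it against every `.py` file in the received project before executing any of it; a finding does not prove the repository is malicious, but it marks exactly the spots where a YAML file shipped with the project could turn into code execution on load.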
RN Loader and RN Stealer are designed to steal critical information from infected machines, particularly Apple macOS systems. The malware collects a wealth of data, from system metadata to iCloud Keychain and SSH keys, AWS credentials, and even Google Cloud configurations. By doing so, the attackers can gain deep insight into the victim’s infrastructure and potentially exploit cloud resources or gain continued access to the system.
The slow and methodical nature of this attack is also worth noting. Instead of overwhelming targets with an immediate onslaught of malware, Slow Pisces takes a more strategic approach, deploying its tools only when certain conditions are met. This operational security helps the group stay under the radar for longer, complicating efforts by cybersecurity teams to prevent or respond to these attacks.
Moreover, the fact that Slow Pisces is only one of several North Korean cyber-attack groups using job-themed lures to distribute malware adds another layer of complexity to the situation. Groups like Operation Dream Job, Contagious Interview, and Alluring Pisces operate independently but utilize similar techniques, which indicates that North Korea sees significant value in these types of attacks. While each group has its own operational goals, the use of job offers as an infection vector seems to be a shared strategy.
These ongoing campaigns suggest a growing trend of North Korean cyber actors targeting the professional development community, particularly those involved in high-value sectors like cryptocurrency and cloud computing. The exploitation of these professionals is not only an attack on individual systems but also an effort to infiltrate larger infrastructures that could provide further access to sensitive information and financial assets.
Fact Checker Results:
- Data validation: Information sourced from credible cybersecurity institutions like Palo Alto Networks and Mandiant supports the attribution of the attack to Slow Pisces and links it to the Bybit hack.
- Methodology confirmed: The multi-stage attack sequence, including the use of LinkedIn for job offers and the deployment of RN Stealer, is consistent with past campaigns by Slow Pisces and similar threat groups.
- Targeting analysis: The targeting of cryptocurrency developers aligns with the group’s focus on high-value sectors, including blockchain and cloud infrastructure, highlighting their growing sophistication.
References:
Reported By: thehackernews.com