Cybersecurity researchers have uncovered a sophisticated campaign by North Korean state-sponsored threat actors targeting cryptocurrency developers with malicious coding challenges.
According to a report released today by Palo Alto Networks’ Unit 42, the group known as Slow Pisces (also tracked as Jade Sleet, TraderTraitor, and PUKCHONG) has been engaging in social engineering attacks via LinkedIn, posing as recruiters to deliver custom malware.
Deceptive Recruitment Strategy
The threat actors begin by approaching cryptocurrency developers on LinkedIn with job opportunities, sending benign PDF files containing job descriptions.
If targets respond positively, they receive coding challenges that direct them to GitHub repositories containing malicious code.
These repositories appear legitimate, often adapted from actual open-source projects such as cryptocurrency dashboards or stock market analyzers.
While most of the code functions normally, the repositories contain concealed malicious components that connect to command-and-control servers operated by the attackers.
“Slow Pisces stands out from their peers’ campaigns in operational security.
Delivery of payloads at each stage is heavily guarded, existing in memory only.
And the group’s later stage tooling is only deployed when necessary,” notes the report.
Advanced Technical Techniques
The attackers use sophisticated methods to hide their malicious code, such as abusing YAML deserialization in Python repositories and the EJS template engine's escape function in JavaScript projects.
These methods let them execute arbitrary code on the developer's machine while evading detection by code review.
When targeting Python developers, Slow Pisces delivers malware that researchers have named “RN Loader” and “RN Stealer.”
The RN Stealer payload is designed to extract sensitive information from victims’ machines, including:
- Login credentials from macOS keychain databases
- SSH keys
- Configuration files for cloud services like AWS and Google Cloud
- Directory listings and contents of victims’ home directories
Financial Impact and Attribution
The group reportedly stole over $1 billion from cryptocurrency organizations in 2023 alone.
Most recently, they’ve been linked to the theft of $1.5 billion from a Dubai cryptocurrency exchange.
The FBI previously attributed a $308 million theft from a Japan-based cryptocurrency company to the same group.
Palo Alto Networks has shared their findings with GitHub and LinkedIn, who have removed the malicious accounts.
They’ve also disclosed indicators of compromise to help organizations detect and mitigate similar attacks.
Indicators of Compromise
| Domain | IP Address | First Seen | Last Seen | Repository Type |
|---|---|---|---|---|
| getstockprice[.]com | 70.34.245[.]118 | 2025-02-03 | 2025-02-20 | Python |
| cdn[.]clubinfo[.]io | 5.206.227[.]51 | 2025-01-21 | 2025-02-19 | Python |
| update[.]jquerycloud[.]io | 192.236.199[.]57 | 2024-07-03 | 2024-08-22 | JavaScript |
| en[.]stockslab[.]org | 91.103.140[.]191 | 2024-08-19 | 2024-09-12 | Python |
| api[.]coinpricehub[.]io | 45.141.58[.]40 | 2024-05-06 | 2024-08-06 | Java |
Security experts recommend the strict segregation of corporate and personal devices as the most effective mitigation against such targeted social engineering campaigns.