Summary

  • The North Korean threat group Slow Pisces targeted cryptocurrency developers in a recent campaign, posing as potential employers and sending malware disguised as coding challenges.
  • The group used a variety of techniques, such as malware distributed via the Node Package Manager (NPM) and supply chain compromises to steal over $1 billion USD from the cryptocurrency sector in 2023.
  • The malware was disguised as coding challenges, delivered as fake job advertisements and interview preparation sheets.
  • Each challenge contained a project that developers were expected to run; running the compromised project infected their systems with two pieces of malware named RN Loader and RN Stealer.
  • Analysis of the command and control (C2) servers shows that Slow Pisces used multiple techniques to evade detection and execute arbitrary code.
  • As a result, we have informed and worked with GitHub and LinkedIn to take down the relevant accounts and repositories, and have uploaded the malware samples to VirusTotal to aid the community in detection and awareness.

By Prashil Pattni
