
Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and macOS Backdoors

Published 04/05/2026 06:08 · Modified 04/05/2026 14:59


Essential information

Published
04/05/2026 06:08
Modified
04/05/2026 14:59
Tags
2024-09-19 2026-05-04 applejeus badcall citrine sleet cryptocurrency macos pondrat poolrat pypi rat supply chain attack
Related entities
3 vulnerabilities (cve), 16 observables, 1 intrusion sets (apt), 22 techniques (mitre), 5 malware, 5 others

Description

An ongoing campaign has been discovered delivering Linux and macOS backdoors through poisoned Python packages uploaded to the PyPI repository. The activity is attributed with medium confidence to Gleaming Pisces, a North Korean financially motivated threat actor affiliated with the Reconnaissance General Bureau. The campaign delivered PondRAT, identified as a lighter version of the known POOLRAT remote administration tool. Multiple malicious packages, including real-ids, coloredtxt, beautifultext, and minisound, were used to establish an evasive infection chain. The threat actor aims to compromise supply chain vendors through developer endpoints in order to ultimately access their customers' systems. Code analysis reveals significant similarities between PondRAT and previously attributed Gleaming Pisces malware, including identical function names, encryption keys, and execution flows. Both Linux and macOS variants were identified, demonstrating the group's expanding cross-platform capabilities targeting the cryptocurrency...

External references