Slow Pisces Targets Developers With Coding Challenges and Introduces New Customized Python Malware
Essential information
- Published
- 14/04/2025 18:55
- Modified
- 14/04/2025 20:48
- Tags
- 2025-04-14 cryptocurrency dpkr infostealer north korea python rn loader rn stealer slow pisces social engineering yaml deserialization
- Related entities
- 41 observables, 1 intrusion sets (apt), 2 malware, 3 others
Description
Slow Pisces, a North Korean state-sponsored threat group, is targeting cryptocurrency developers through LinkedIn with malicious coding challenges. The group impersonates recruiters and sends malware disguised as project tasks, infecting systems with RN Loader and RN Stealer. Their campaign uses GitHub repositories containing adapted open-source projects in Python and JavaScript. The malware employs YAML deserialization and EJS rendering to execute arbitrary code from command-and-control servers. Slow Pisces has reportedly stolen over $1 billion from the cryptocurrency sector in 2023, using various methods including fake trading applications and supply chain compromises. The group's operational security is noteworthy, with payloads existing only in memory and deployed selectively.