lazarusholic


Labyrinth Chollima Using Poisoned Python Packages to Deliver PondRAT

2024-09-30, PolySwarm
https://blog.polyswarm.io/labyrinth-chollima-using-poisoned-python-packages-to-deliver-pondrat
#LabyrinthChollima #PondRAT #POOLRAT #PyPI

Contents

Related Families: PondRAT, PoolRAT
Verticals Targeted: Software Development
Executive Summary
North Korea-nexus threat actor group Labyrinth Chollima was observed using poisoned Python packages to deliver PondRAT, a backdoor that targets macOS and Linux systems.
Key Takeaways
- North Korea-nexus threat actor group Labyrinth Chollima was observed using poisoned Python packages to deliver PondRAT, a backdoor that targets macOS and Linux systems.
- In this supply chain attack, the poisoned Python packages were uploaded to the PyPI open source repository.
- The threat actor group’s motivation was likely to obtain access to supply chain vendors via developer endpoints, and in turn gain access to the vendor’s customers’ endpoints.
What is PondRAT?
North Korea-nexus threat actor group Labyrinth Chollima was observed using poisoned Python packages to deliver Linux and macOS backdoors. Palo Alto Networks’ Unit 42 recently reported on this activity.
In the ongoing campaign, Labyrinth Chollima used poisoned Python packages to deliver PondRAT. The Python packages were uploaded …

IoC (SHA-256 file hashes)

0b5db31e47b0dccfdec46e74c0e70c6a1684768dbacc9eacbb4fd2ef851994c7
bfd74b4a1b413fa785a49ca4a9c0594441a3e01983fc7f86125376fdbd4acf6b
f3b0da965a4050ab00fce727bb31e0f889a9c05d68d777a8068cfc15a71d3703
3c8dbfcbb4fccbaf924f9a650a04cb4715f4a58d51ef49cc75bfcef0ac258a3e
5c907b722c53a5be256dc5f96b755bc9e0b032cc30973a52d984d4174bace456
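Because the delivery vector here is a package pulled onto a developer endpoint, the practical check is to hash what pip has already installed or cached and compare against the list above. The script below is an added example, not code from PolySwarm or Unit 42: the only facts it takes from the page are the five SHA-256 values; the directory defaults (this interpreter's site-packages, the user site directory, and pip's download cache on Linux and macOS) and the harmless sample file it writes for its self-check are assumptions.

```python
"""Hunt for the PondRAT SHA-256 IoCs from this page on a developer machine.

Added example, not code from PolySwarm or Unit 42. Only the five hash values
come from the page; default scan roots and the self-check sample are assumptions.
"""
import hashlib
import os
import site
import sys
import tempfile
from pathlib import Path

# SHA-256 IoCs exactly as listed on this page.
PONDRAT_SHA256 = frozenset({
    "0b5db31e47b0dccfdec46e74c0e70c6a1684768dbacc9eacbb4fd2ef851994c7",
    "bfd74b4a1b413fa785a49ca4a9c0594441a3e01983fc7f86125376fdbd4acf6b",
    "f3b0da965a4050ab00fce727bb31e0f889a9c05d68d777a8068cfc15a71d3703",
    "3c8dbfcbb4fccbaf924f9a650a04cb4715f4a58d51ef49cc75bfcef0ac258a3e",
    "5c907b722c53a5be256dc5f96b755bc9e0b032cc30973a52d984d4174bace456",
})


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large wheels and sdists never sit in memory whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, iocs=PONDRAT_SHA256):
    """Return {path: sha256} for every regular file under root whose hash is in iocs.

    Symlinks are skipped (and os.walk does not follow them) so a planted link
    cannot redirect the scan; unreadable files are skipped rather than aborting.
    """
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = os.path.join(dirpath, name)
            if os.path.islink(p) or not os.path.isfile(p):
                continue
            try:
                digest = sha256_file(p)
            except OSError:
                continue
            if digest in iocs:
                hits[p] = digest
    return hits


def default_roots():
    """Assumed locations where a pip-installed package or its download lands:
    this interpreter's site-packages, the user site dir, and pip's cache on
    Linux and macOS. These are assumptions, not paths from the report."""
    roots = []
    try:
        roots.extend(site.getsitepackages())
    except AttributeError:  # some virtualenv layouts lack getsitepackages()
        pass
    roots.append(site.getusersitepackages())
    home = Path.home()
    roots.append(str(home / ".cache" / "pip"))              # pip cache, Linux default
    roots.append(str(home / "Library" / "Caches" / "pip"))  # pip cache, macOS default
    return [r for r in roots if os.path.isdir(r)]


def scan_constructed_sample():
    """Self-check on a constructed, harmless file (not a PondRAT sample).

    The scanner must flag the file when its own hash is the IoC set, and must
    stay silent when checked against the real PondRAT list, since no malware
    is embedded here. Returns (flagged_by_own_hash, clean_against_pondrat).
    """
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "constructed_sample.tar.gz")
        with open(p, "wb") as f:
            f.write(b"constructed sample data, not a real package\n")
        own = sha256_file(p)
        return (scan_tree(d, iocs={own}) == {p: own}, scan_tree(d) == {})


if __name__ == "__main__":
    hits = {}
    for root in default_roots():
        hits.update(scan_tree(root))
    for path, digest in hits.items():
        print(f"MATCH {digest} {path}")
    sys.exit(1 if hits else 0)
```

Run it as the user whose pip environment is in question; a non-zero exit means a file matching one of the listed hashes was found and the host should be treated as compromised rather than simply cleaned. A hash list only catches the samples already reported, so the preventive control for this class of attack is pinning dependencies with hashes (pip's `--require-hashes` mode with `--hash=sha256:...` entries in the requirements file), which makes a swapped or newly poisoned package fail to install instead of executing its setup code.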