Slow Pisces Targets Developers With Coding Challenges and Introduces New Customized Python Malware
Executive Summary
Slow Pisces (aka Jade Sleet, TraderTraitor, PUKCHONG) is a North Korean state-sponsored threat group primarily focused on generating revenue for the DPRK regime, typically by targeting large organizations in the cryptocurrency sector. This article analyzes a campaign of theirs that we believe is connected to recent cryptocurrency heists.
In this campaign, Slow Pisces engaged with cryptocurrency developers on LinkedIn, posing as potential employers and sending malware disguised as coding challenges. These challenges require developers to run a compromised project, which infects their systems with malware we have named RN Loader and RN Stealer.
The group reportedly stole over $1 billion USD from the cryptocurrency sector in 2023. They have achieved this using various methods, including fake trading applications, malware distributed via the Node Package Manager (NPM), and supply chain compromises.
In December 2024, the FBI attributed the theft of $308 million from a Japan-based cryptocurrency company to Slow Pisces. More recently, the group made headlines …
IoC
http://54.39.83.151
http://146.19.173.29
http://getstockprice.info
http://79.137.248.193
http://91.193.18.201
http://91.234.199.90
http://23.254.230.253
http://146.70.125.120
http://192.248.145.210
http://api.fivebit.io
http://blockprices.io
http://weatherdatahub.org
http://update.jquerycloud.io
http://185.216.144.41
http://cdn.clublogos.io
http://185.236.231.224
http://192.236.199.57
https://en.stockslab.org/symbols/sp500
http://cdn.logoeye.net
http://185.62.58.74
http://5.133.9.252
http://chainanalyser.com
http://195.133.26.32
http://131.226.2.120
http://cdn.soccerlab.io
http://cdn.jqueryversion.net
http://146.70.124.70
http://45.141.58.40
http://en.stocksindex.org
https://en.wikipedia.org/wiki/Currency_pair
http://en.stockslab.org
http://70.34.245.118
http://146.70.88.126
http://cdn.leaguehub.net
http://getstockprice.com
http://skypredict.org
https://update.jquerycloud.io/api/v1
http://194.11.226.16
http://cdn.logosports.net
http://api.jquery-release.com
http://api.coinhar.io
https://api.coingecko.com/api/v3
http://api.ethzone.io
http://136.244.93.248
http://80.82.77.80
http://194.15.112.200
http://185.62.58.122
http://mavenradar.com
http://api.coinpricehub.io
http://indobit.io
http://91.103.140.191
http://api.thaibit.io
http://cdn.clubinfo.io
http://5.206.227.51
http://en.wfinance.org
http://38.180.62.135
http://api.bitzone.io
http://api.stockinfo.io
91.103.140.191
45.141.58.40
80.82.77.80
79.137.248.193
194.15.112.200
70.34.245.118
23.254.230.253
146.70.125.120
5.206.227.51
91.234.199.90
192.248.145.210
194.11.226.16
146.19.173.29
5.133.9.252
136.244.93.248
192.236.199.57
146.70.88.126
91.193.18.201
38.180.62.135
185.62.58.74
185.216.144.41
195.133.26.32
185.62.58.122
131.226.2.120
146.70.124.70
54.39.83.151
185.236.231.224
[email protected]
e89bf606fbed8f68127934758726bbb5e68e751427f3bcad3ddf883cb2b50fc7
47e997b85ed3f51d2b1d37a6a61ae72185d9ceaf519e2fdb53bf7e761b7bc08f
937c533bddb8bbcd908b62f2bf48e5bc11160505df20fea91d9600d999eafa79