
North Korean Hackers Target Developers on LinkedIn with Infostealers


In a report released on April 14, 2025, Unit 42, the threat research arm of Palo Alto Networks, described a campaign by Slow Pisces, a hacking group assessed to be affiliated with the North Korean regime. Beginning in 2024, the group posed as recruiters on LinkedIn to target developers working on cryptocurrency projects.

The lure was deliberately low-key. Slow Pisces first sent benign PDFs containing job descriptions to prospective targets, most of them working on cryptocurrency projects. If a target expressed interest, the operators followed up with a coding challenge laid out in a question sheet. Alongside generic software development tasks, the sheet included a "real project" exercise that directed the target to a GitHub repository to clone and run.

The repositories on GitHub contained code adapted from various open-source projects, ranging from applications related to stock market data analysis to cryptocurrency price tracking. The researchers at Unit 42 noted that the group used projects primarily in Python and JavaScript, depending on the role the target applied for. They also discovered instances of Java-based repositories, with some impersonating a cryptocurrency application called jCoin.

The repositories were the delivery mechanism for two previously undocumented malware families, which Unit 42 named RN Loader and RN Stealer. The malicious payloads were not shipped to everyone who cloned a repository: Slow Pisces validated targets first and served the payloads only to them, which limits what a researcher or sandbox can recover from the repository code alone. RN Loader collects basic information about the victim's machine and operating system and sends it to the group's command-and-control server; RN Stealer is an infostealer that exfiltrates data from the victim's device.
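Because the repositories look like ordinary open-source projects, the practical defence for a developer is to review a challenge repository before running any of it. The following is an added example, not code from the Unit 42 report or from the campaign: a small Python static check that parses each .py file with the standard library `ast` module, resolves import aliases, flags calls a reviewer would want to see before executing anything, and scores a remote fetch that feeds deserialisation or code execution as high. The indicator list, the scoring rule and the embedded sample project (with hypothetical URLs) are assumptions for illustration; the page does not state which mechanism the repositories used.

```python
import ast
from pathlib import Path

# Constructed sample (not from the campaign): a small "price tracker" that fetches a
# remote config and hands it to a full YAML loader. It is only parsed here, never run.
SAMPLE_TRACKER = '''
import yaml
from urllib.request import urlopen
import subprocess as sp

CONFIG_URL = "https://config.example/tracker.yaml"   # hypothetical URL

def load_config():
    raw = urlopen(CONFIG_URL).read()
    return yaml.load(raw, Loader=yaml.Loader)

def price(symbol):
    return sp.check_output(["curl", "-s", f"https://api.example/{symbol}"])
'''

# Assumption: generic "look before you run" indicators, not a signature for any specific
# malware. Grouped by role so a fetch paired with execute/deserialise can be scored.
INDICATORS = {
    "network": {"urllib.request.urlopen", "requests.get", "requests.post",
                "http.client.HTTPSConnection", "socket.socket"},
    "execute": {"eval", "exec", "compile", "os.system", "os.popen",
                "subprocess.run", "subprocess.Popen", "subprocess.call",
                "subprocess.check_output", "importlib.import_module", "ctypes.CDLL"},
    "deserialize": {"pickle.load", "pickle.loads", "marshal.loads",
                    "yaml.load", "yaml.unsafe_load", "yaml.full_load"},
    "decode": {"base64.b64decode", "zlib.decompress", "codecs.decode"},
}


def _import_aliases(tree):
    """Map local names to what they refer to, so aliasing does not hide a call.
    'import subprocess as sp'              -> sp      -> subprocess
    'from urllib.request import urlopen'   -> urlopen -> urllib.request.urlopen
    """
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.asname:
                    aliases[a.asname] = a.name
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    return aliases


def _resolve(node, aliases):
    """Return the dotted call target ('yaml.load', 'os.system', ...) or None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None          # e.g. a call on the result of another call
    parts.append(aliases.get(node.id, node.id))
    return ".".join(reversed(parts))


def scan_source(source, filename="<file>"):
    """Return findings as (filename, line, category, target) for one Python file."""
    tree = ast.parse(source, filename=filename)
    aliases = _import_aliases(tree)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        target = _resolve(node.func, aliases)
        if target is None:
            continue
        for category, names in INDICATORS.items():
            if target in names:
                findings.append((filename, node.lineno, category, target))
    findings.sort(key=lambda f: (f[0], f[1]))
    return findings


def scan_tree(root):
    """Scan every .py file under root (e.g. a cloned challenge repository)."""
    findings = []
    for path in Path(root).rglob("*.py"):
        text = path.read_text(encoding="utf-8", errors="replace")
        try:
            findings.extend(scan_source(text, str(path)))
        except SyntaxError:
            # Unparseable files deserve a manual look too
            findings.append((str(path), 0, "unparseable", "syntax error"))
    return findings


def risk_level(findings):
    """Assumed scoring: a remote fetch feeding execute/deserialise is the pattern a
    reviewer should refuse to run outside a throwaway VM."""
    cats = {f[2] for f in findings}
    if "network" in cats and cats & {"execute", "deserialize"}:
        return "high"
    if cats & {"execute", "deserialize"}:
        return "medium"
    return "low" if cats else "none"


if __name__ == "__main__":
    found = scan_source(SAMPLE_TRACKER, "tracker.py")
    for f in found:
        print(f"{f[0]}:{f[1]}  {f[2]:<12} {f[3]}")
    print("risk:", risk_level(found))
```

Run `scan_tree(".")` inside the cloned repository before executing anything in it. A hit is not proof of malice (legitimate trackers fetch data over the network), but a fetch whose result goes into `yaml.load` with a full loader, `pickle`, `exec` or a subprocess is exactly the shape that warrants reading the code and running it only in an isolated, disposable environment.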

The researchers recovered the script for an RN Stealer sample from a macOS system; it was capable of extracting a wide range of sensitive information specific to macOS devices. Unit 42 could not reconstruct the full attack chain for the JavaScript repositories, so the picture of that branch of the campaign remains incomplete.

Slow Pisces's use of LinkedIn and GitHub as lures mirrors tactics employed by other North Korean threat actors, part of a broader pattern among state-sponsored groups in the region. What sets Slow Pisces apart is its stringent operational security and the care it takes to conceal the payloads, which makes the campaign hard for cryptocurrency developers to recognise before they have already run the code.

Reports suggest the campaign has been successful, which underlines two practical controls: keep corporate and personal devices strictly separated so that a social-engineering lure on a personal account cannot reach production credentials, and treat any take-home coding challenge as untrusted code to be read and run only in an isolated, disposable environment. Unit 42 confirmed that both LinkedIn and GitHub have taken down the accounts and repositories associated with the campaign.

Slow Pisces, also tracked as Jade Sleet, TraderTraitor and Pukchong, is known for targeting large organizations, particularly in the cryptocurrency industry, to generate revenue for the North Korean regime. The group has been linked to several high-profile cryptocurrency heists, including thefts totalling over $1 billion in 2023 and the $1.5 billion heist from the Dubai-based exchange Bybit in February 2025.

The campaign is a reminder that state-sponsored groups continue to invest in patient, targeted social engineering against the cryptocurrency sector. Developers and the organizations that employ them should expect recruiter approaches and coding challenges to be used as delivery vehicles, and design their device and code-execution hygiene accordingly.
