Full Report
The North Korea-linked threat actor assessed to be behind the massive Bybit hack in February 2025 has been linked to a malicious campaign that targets developers to deliver new stealer malware under the guise of a coding assignment. The activity has been attributed by Palo Alto Networks Unit 42 to a hacking group it tracks as Slow Pisces, which is also known as Jade Sleet, PUKCHONG,
Analysis Summary
# Threat Actor: Slow Pisces (aka Jade Sleet, PUKCHONG, TraderTraitor, UNC4899)
## Attribution & Identity
* **Attribution:** North Korea-linked threat actor.
* **Aliases/Associated Groups:** Jade Sleet, PUKCHONG, TraderTraitor, UNC4899. It is noted as one of many North Korean threat activity clusters leveraging job opportunity lures, distinct from Operation Dream Job, Contagious Interview, and Alluring Pisces.
## Activity Summary
Slow Pisces is actively engaged in a malicious campaign primarily targeting developers, often within the cryptocurrency sector. The actor approaches targets via LinkedIn, posing as a potential employer. The initial engagement involves sending a document detailing a coding assignment, often hosted on GitHub. Victims are then enticed to run a compromised project (e.g., a Python project for viewing crypto prices or a "Cryptocurrency Dashboard" JavaScript project) which deploys custom malware. This approach allows the group to tightly control later stages, delivering payloads only to validated targets based on criteria like IP address, geolocation, time, and HTTP request headers. The actor was also assessed to be behind the massive Bybit hack in February 2025.
## Tactics, Techniques & Procedures
* **Initial Access/Execution:** Using job opportunity and coding assignment lures via LinkedIn.
* **Delivery Method:** Deceiving targets into downloading and running trojanized projects from GitHub.
* **Code Execution Concealment:** Employing **YAML deserialization** (using `yaml.load()`) to execute payloads, avoiding suspicious `eval` or `exec` functions.
* **Code Execution Concealment (Secondary):** Using the **Embedded JavaScript (EJS) templating tool** by passing C2 responses to the `ejs.render()` function to conceal arbitrary code execution.
* **Operational Security:** Payload delivery is heavily guarded, existing in memory only. Later-stage tooling is deployed only when necessary.
* **Payload Chain:** Multi-stage attack beginning with RN Loader, which communicates with the C2, receives a next-stage payload, and executes it.
## Targeting
* **Sectors:** Cryptocurrency, blockchain, online gambling, and cybersecurity companies. Developers are the primary persona targeted.
* **Geography:** Not explicitly stated for all targets, but past activity detailed by Mandiant targeted Brazilian firms. The payload delivery mechanism suggests active geographical filtering.
* **Victims:** Cryptocurrency developers encountered on LinkedIn, including instances related to the major Bybit hack.
## Tools & Infrastructure
* **Malware Families Used:**
  * **RN Loader:** Executes first, sends basic system info over HTTPS to C2, and downloads the next stage.
  * **RN Stealer:** An information stealer designed for Apple macOS systems.
* **Infrastructure:** C2 servers used to deliver payloads and receive initial victim metadata over HTTPS. (No specific C2 domains or IPs provided in the summary).
## Implications
Slow Pisces demonstrates sophisticated operational security, using memory-only payloads and multi-stage validation to ensure higher fidelity against specific, verified targets. Their continued focus on the lucrative cryptocurrency sector, incorporating complex deserialization techniques to evade detection, makes them a persistent threat to software development teams handling high-value digital assets.
## Mitigations
* Developers should exercise extreme caution when accepting proprietary coding assignments from unsolicited contacts on platforms like LinkedIn, especially when the assignment requires downloading and running a project from an external source such as GitHub.
* Detection tooling should be configured to alert on code execution that originates from deserialization functions (`yaml.load()`) or template rendering engines (`ejs.render()`), since this campaign used both in place of the more conspicuous `eval`/`exec`.
* Ensure robust endpoint detection and response (EDR) solutions are in place to detect in-memory execution and unauthorized data exfiltration over HTTPS.
* Be wary of job offers involving running unknown or trojanized third-party projects as part of an interview process.
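A concrete form of the deserialization mitigation, added here as an example rather than anything from the Unit 42 report: a standard-library-only static check a developer can run over a downloaded assignment project before executing it, flagging `yaml.load()`-style calls that are not pinned to `SafeLoader` (the `SAMPLE` source, `resp` and file names are constructed).

```python
# Added example (not from the Unit 42 report): static pre-run check that flags PyYAML
# calls able to construct arbitrary Python objects. Standard library only (no PyYAML needed).
from __future__ import annotations
import ast

# Loaders that resolve !!python/* tags: Loader/UnsafeLoader build arbitrary objects,
# and FullLoader has done the same in older PyYAML releases, so none of them is SafeLoader.
UNSAFE_LOADERS = {"Loader", "UnsafeLoader", "FullLoader"}
YAML_FUNCS = {"load", "load_all", "unsafe_load", "unsafe_load_all"}


def _loader_arg(call: ast.Call) -> str | None:
    """Name passed as Loader=..., or None when the keyword is absent."""
    for kw in call.keywords:
        if kw.arg == "Loader":
            if isinstance(kw.value, ast.Attribute):
                return kw.value.attr  # yaml.FullLoader
            if isinstance(kw.value, ast.Name):
                return kw.value.id    # FullLoader after "from yaml import FullLoader"
    return None


def find_unsafe_yaml_loads(source: str) -> list[tuple[int, str]]:
    """Return (line, reason) for each yaml.load-style call not pinned to SafeLoader."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        # Only the yaml.<func>(...) attribute form is matched here.
        if not (isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name)
                and f.value.id == "yaml" and f.attr in YAML_FUNCS):
            continue
        if f.attr.startswith("unsafe_"):
            findings.append((node.lineno, f"yaml.{f.attr}() builds arbitrary objects"))
            continue
        loader = _loader_arg(node)
        if loader is None:
            findings.append((node.lineno, f"yaml.{f.attr}() without Loader= "
                             "(PyYAML < 5.1 silently uses the unsafe Loader)"))
        elif loader in UNSAFE_LOADERS:
            findings.append((node.lineno, f"yaml.{f.attr}(Loader={loader}) is not SafeLoader"))
    return findings


# Constructed sample standing in for a trojanized "config loader" in a coding assignment.
SAMPLE = """\
import yaml
cfg = yaml.safe_load(open("config.yaml"))            # fine
data = yaml.load(resp.text, Loader=yaml.FullLoader)  # flagged
extra = yaml.load(resp.text)                         # flagged
"""
```

Running `find_unsafe_yaml_loads(SAMPLE)` reports lines 3 and 4 and leaves the `safe_load` call alone; a hit is a reason to read the project before running it, not proof of malice.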