Full Report
2025-04-14 • Palo Alto Networks Unit 42 • Prashil Pattni • py.rn_stealer
Analysis Summary
# Threat Actor: Slow Pisces
## Attribution & Identity
The threat actor group is identified as Slow Pisces. The provided context snippet gives no state attribution, aliases, or major associated groups; it links the group only to the malware `py.rn_stealer` through the description of its activity.
## Activity Summary
Slow Pisces is actively targeting developers through deceptive "coding challenges." The group is introducing and utilizing new, customized Python malware in these operations.
## Tactics, Techniques & Procedures
Specific TTPs (for example, initial access methods or lateral movement techniques) were not detailed in the provided context snippet. The one tactic identified is social engineering through misleading coding challenges.
## Targeting
- **Sectors:** Developers (implied audience of the coding challenges).
- **Geography:** Not specified in the context.
- **Victims:** Specific organizations were not mentioned, but the target pool is developers engaging with their content.
## Tools & Infrastructure
- **Malware families used:** Customized Python malware; linked to `py.rn_stealer`.
- **Infrastructure (C2, domains, IPs):** Not specified in the context.
## Implications
Slow Pisces represents a targeted threat to the software development community. By leveraging professional channels (coding challenges) for compromise, the group suggests a possible intent to steal source code, intellectual property, or developer credentials.
## Mitigations
Developers should be cautious when engaging with unsolicited coding challenges, particularly those that require running provided solutions or that interact with external resources, since such challenges may serve as delivery mechanisms for malware such as the customized Python tools observed.