Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and MacOS Backdoors

2024-09-18 • Paloalto Networks •

https://unit42.paloaltonetworks.com/gleaming-pisces-applejeus-poolrat-and-pondrat/

#PyPI #GleamingPisces #PondRAT

Thumbnail for Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and MacOS Backdoors

Unit 42 links a poisoned PyPI package campaign to Gleaming Pisces, also known as Citrine Sleet, with medium confidence based on code similarities and prior attribution. Malicious packages such as real-ids, coloredtxt, beautifultext, and minisound executed encoded code after installation, ran bash commands, and downloaded Linux backdoors onto developer endpoints. The payload family, named PondRAT, shares function names, encryption keys, and command-handling patterns with POOLRAT, a macOS RAT associated with earlier AppleJeus activity. The campaign appears aimed at compromising developers and software supply chain vendors that could lead to downstream customer access.

Indicators of Compromise

Type	Value	First Seen	Last Seen
HASH	973f7939ea03fd2c9663dafc21bb968…	2024-02-29	2025-09-01
DOMAIN	jdkgradle.com	2024-02-29	2025-09-01
HASH	5e40d106977017b1ed235419b1e59ff…	2021-02-18	2025-09-01
HASH	3c8dbfcbb4fccbaf924f9a650a04cb4…	2024-09-09	2024-12-27
HASH	cbf4cfa2d3c3fb04fe349161e051a8c…	2024-09-09	2024-12-27
HASH	0b5db31e47b0dccfdec46e74c0e70c6…	2024-09-09	2024-12-27
HASH	5c907b722c53a5be256dc5f96b755bc…	2024-09-09	2024-12-27
HASH	bfd74b4a1b413fa785a49ca4a9c0594…	2024-09-09	2024-12-27
HASH	bce1eb513aaac344b5b8f7a9ba9c9e3…	2024-09-09	2024-12-27
HASH	f3b0da965a4050ab00fce727bb31e0f…	2024-09-09	2024-12-27
HASH	91eaf215be336eae983d069de16630c…	2021-02-18	2024-12-27
DOMAIN	rgedist.com	2023-04-24	2024-09-18
DOMAIN	rebelthumb.net	2022-12-01	2024-09-18

Related Actors

Gleaming Pisces

Paloalto Networks

Apple Jeus

First seen: Sep 2024

Last seen: May 2026

Related Reports

2024-09-09 • 100% Match

Threat Assessment: North Korean Threat Groups

Paloalto Networks

#SelectivePisces #SmoothOperator #RustBucket #CollectionRAT #KANDYKORN #ObjCShellz #Comebacker #SlowPisces #JumpyPisces #AlluringPisces #Fullhouse #GleamingPisces #OdicLoader #POOLRAT #PondRAT #SparklingPisces

Shares tags: GleamingPisces, PondRAT • Shares 13 IOCs • Same author: Paloalto Networks • Published within a month

2024-09-30 • 61% Match

Labyrinth Chollima Using Poisoned Python Packages to Deliver PondRAT

Poly Swarm

#LabyrinthChollima #PyPI #POOLRAT #PondRAT

Shares tags: PyPI, PondRAT • Shares 5 IOCs • Published within a month

2026-05-29 • 46% Match

Lazarus Expands Financial Espionage Operations With Memory-Resident RemotePE RAT

Poly Swarm

#Cryptocurrency #AppleJeus #Fileless #Finance #UNC4736 #FinancialGain #Espionage #CitrineSleet #Lazarus #GleamingPisces #POOLRAT #PondRAT #RemotePE #ThemeForestRAT #T1071.001 #T1027 #T1055 #T1562.006

Shares tags: GleamingPisces, PondRAT

2024-09-25 • 46% Match

North Korean Hackers Use PondRat Malware to Target Developers

Foresiet

#PyPI #PondRAT

Shares tags: PyPI, PondRAT • Published within a week

2025-01-20 • 38% Match

APTアクターの分類“中毒” ―Lazarus のサブグループ分類に見るアトリビューションの実務的課題―

JPCERT

#ContagiousInterview #MoonstoneSleet #Lazarus #GleamingPisces

Shares tag: GleamingPisces

2024-12-27 • 35% Match

Exposing the Steps of the Kimsuky APT Group

Picus Security

#Kimsuky #GoldDragon #xRAT #RandomQuery #T1082 #T1560 #T1071.001 #T1056.001 #T1059.004 #T1027 #T1059.005 #T1566.001 #T1547.001 #T1059.001 #T1003 #T1219 #T1055 #T1573.001 #T1074.001 #T1562.004 #T1048 #T1114.003

Shares 10 IOCs

« Back