Jumpy Pisces Engages in Play Ransomware

2024-10-30 Palo Alto Networks

https://unit42.paloaltonetworks.com/north-korean-threat-group-play-ransomware/


Unit 42 linked Jumpy Pisces, also known as Andariel or PLUTONIUM, to an intrusion that preceded Play ransomware deployment and assessed with moderate confidence that the North Korean state-sponsored group collaborated with Play ransomware operators or acted as an initial access broker. Investigators found that Jumpy Pisces gained access through a compromised user account in May 2024, then used SMB to spread Sliver and DTrack across hosts while maintaining C2 communication until shortly before ransomware deployment in September. Pre-ransomware activity later included credential harvesting, privilege escalation, EDR sensor uninstallation, Windows access-token abuse, PsExec use, and Play ransomware execution. Reported infrastructure and artifacts included Sliver C2 at americajobmail[.]site and 172.96.137[.]224, DTrack, Mimikatz, a browser-data stealer, and invalid code-signing certificates previously linked to Jumpy Pisces. The case matters because Unit 42 describes it as the first observed Jumpy Pisces use of existing ransomware infrastructure, expanding the group’s relevance from espionage and custom ransomware to broader ransomware operations.

Indicators of Compromise

