Slow Pisces Targets Developers With Coding Challenges and Introduces New Customized Python Malware

2025-04-14 Palo Alto Networks

https://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware/

Slow Pisces, also known as Jade Sleet, TraderTraitor, or PUKCHONG, is described as a North Korean state-sponsored group targeting cryptocurrency developers through recruiter impersonation on LinkedIn. The campaign sent job descriptions and coding challenges that led victims to GitHub repositories adapted from legitimate Python, JavaScript, and occasional Java projects, with malicious behavior hidden in otherwise plausible developer tasks. In Python repositories, a Slow Pisces-controlled endpoint such as en.stockslab.org returned benign-looking data to most requests but could deliver YAML payloads to validated targets, abusing unsafe PyYAML yaml.load() deserialization. The payload chain created ~/Public/__init__.py, executed RN Loader, communicated with the same C2 over HTTPS, and could deliver RN Stealer or other payloads through a command loop. The activity matters because it shows a controlled, developer-focused infection chain aligned with DPRK cryptocurrency theft operations and includes payload hashes for detection.

Indicators of Compromise

