A North Korean state-sponsored hacker group has been targeting crypto developers through coding challenges as part of a fake recruitment process.
Posing as recruiters on LinkedIn, the Slow Pisces group asks developers to participate in compromised Python and JavaScript projects, infecting their systems using custom malware and leveraging GitHub repositories.
Analysis from Unit 42, Palo Alto Networks’ threat intelligence wing, shows the group mainly used projects in Python or JavaScript – probably depending on whether the target applied for a front-end or back-end development role. There were also a couple of Java-based repositories, researchers found.
The hackers are using two newly discovered malware strains, RN Loader and RN Stealer, along with new evasion techniques including YAML deserialization and EJS escapeFunction.
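One pre-review check a developer or security team could run over a repository received as a "coding challenge", as an added example that is not from the article or from Unit 42's report: it flags PyYAML calls that can deserialize arbitrary Python objects and YAML documents carrying `!!python/` tags. The sample source file and config document below are constructed for illustration, not material from the campaign.

```python
import ast

# Constructed sample "coding challenge" source (hypothetical; not the repository
# content Unit 42 describes). The first loader omits Loader=, the second is safe.
SAMPLE_SOURCE = '''
import yaml

def load_settings(text):
    return yaml.load(text)  # unsafe: default/Full loader builds Python objects

def load_settings_safe(text):
    return yaml.load(text, Loader=yaml.SafeLoader)
'''

# Constructed sample config (hypothetical) carrying a Python-specific YAML tag,
# the kind of document only a non-safe loader will honour.
SAMPLE_CONFIG = "app:\n  name: demo\n  cwd: !!python/name:os.getcwd\n"

RISKY_FUNCS = {"load", "load_all", "unsafe_load", "unsafe_load_all",
               "full_load", "full_load_all"}
SAFE_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader", "CBaseLoader"}

def _loader_arg(call):
    """Return the Loader passed to yaml.load/load_all, by keyword or position."""
    for kw in call.keywords:
        if kw.arg == "Loader":
            return kw.value
    return call.args[1] if len(call.args) > 1 else None

def find_unsafe_yaml_calls(source):
    """Return (lineno, 'yaml.func') for loads that can construct arbitrary objects."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        fn = getattr(node, "func", None)
        if not (isinstance(node, ast.Call) and isinstance(fn, ast.Attribute)
                and isinstance(fn.value, ast.Name) and fn.value.id == "yaml"
                and fn.attr in RISKY_FUNCS):
            continue
        loader = _loader_arg(node) if fn.attr in ("load", "load_all") else None
        name = getattr(loader, "attr", getattr(loader, "id", None))
        if name in SAFE_LOADERS:
            continue  # explicitly safe loader: not a finding
        findings.append((node.lineno, f"yaml.{fn.attr}"))
    return findings

def find_python_tags(yaml_text):
    """Line numbers of YAML lines carrying !!python/ tags (safe_load rejects these)."""
    return [i for i, line in enumerate(yaml_text.splitlines(), 1) if "!!python/" in line]
```

Run both functions over every `.py` and `.yml`/`.yaml` file in the repository before executing anything from it; a hit on either list is reason to review the project on an isolated machine rather than a corporate one.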
RN Loader sends basic information about the victim’s device and operating system over HTTPS to the group’s C2 server, while RN Stealer is an infostealer that compresses and exfiltrates data from the victim’s machine.
Distribution of the malware is tightly controlled: the payload is served only to carefully validated targets, selected on factors such as IP address, geographic location, time of request and HTTP headers.
“We have observed Slow Pisces impersonating several organizations with these lures, primarily in the cryptocurrency sector,” said Unit 42.
“Slow Pisces presented targets with so-called coding challenges as projects from GitHub repositories. The repositories contained code adapted from open source projects, including applications for viewing and analyzing stock market data, statistics from European soccer leagues, weather data, and cryptocurrency prices.”
Everything you need to know about the Slow Pisces group
Slow Pisces – also known as Jade Sleet, TraderTraitor and Pukchong – has been linked to a number of high-profile cryptocurrency thefts, having reportedly stolen over $1 billion from the cryptocurrency sector in 2023.
Their methods included fake trading applications, malware distributed via the Node Package Manager (NPM), and supply chain compromises.
In December 2024, the FBI attributed the theft of $308 million from a Japan-based cryptocurrency company to the group, and it was also allegedly involved in the theft of $1.5 billion from a Dubai cryptocurrency exchange.
Unit 42 said it shared its findings with GitHub and LinkedIn, both of which have removed the malicious accounts and repositories.
“Based on public reports of cryptocurrency heists, this campaign appears highly successful and likely to persist in 2025,” said Unit 42.
“The most effective mitigation remains strict segregation of corporate and personal devices. This helps prevent the compromise of corporate systems from targeted social engineering campaigns.”
North Korean hackers are on a roll
This is just the latest in a series of North Korean campaigns built around fake recruitment. More commonly, the attackers pose as job applicants rather than as recruiters.
Research shows they’ve been infiltrating organizations in both the US and Europe to raise money for the North Korean regime, steal proprietary data, install malware on corporate systems, and demand ransom payments.
The rise of fake IT workers has prompted security agencies to issue several warnings over the growing risks faced by enterprises. Some victims have been vocal about the issue, including cybersecurity training firm KnowBe4, which revealed last year it had been duped by a threat actor posing as an IT worker.
Similarly, the techniques highlighted by Unit 42 are by no means novel. Threat groups such as Alluring Pisces and Contagious Interview have also exploited LinkedIn to target jobseekers.
Recent analysis from Bitdefender shows the social networking platform has become a prime hunting ground for cyber criminals, with a host of groups leveraging the platform to dupe unsuspecting users.