Slow Pisces Targets Developers With Coding Challenges and Introduces New Customized Python Malware

Threat Overview

The Security Operations Center (SOC) has identified a new threat report published by AlienVault on April 14, 2025. This report details the activities of Slow Pisces, a North Korean state-sponsored threat group, which has launched a sophisticated campaign targeting cryptocurrency developers. The campaign leverages LinkedIn recruitment schemes and malicious coding challenges to deliver customized Python malware.

Threat Actor Group: Slow Pisces

Slow Pisces is known for its advanced cyber operations and has been linked to several high-profile attacks in the past. This group operates under state sponsorship, focusing on financial gain through cryptocurrency theft. Their tactics involve social engineering, phishing, and the use of customized malware tailored to evade detection.

Campaign Details

The campaign initiated by Slow Pisces targets developers working with cryptocurrencies. The attackers impersonate recruiters on LinkedIn, first sending benign PDFs containing job descriptions and then following up with coding tasks. These tasks link to compromised GitHub repositories that contain malware disguised as legitimate projects. The malicious projects abuse YAML deserialization and EJS template rendering to execute attacker-supplied code on the victim's system.

New Malware: RN Loader and RN Stealer

The campaign introduces two new malware families: RN Loader and RN Stealer. Both are designed to gather information from the victim's system and potentially establish persistent access. RN Loader is responsible for loading additional payloads, while RN Stealer focuses on exfiltrating sensitive data.

Impact and Financial Loss

The sophistication of this campaign has reportedly led to over $1 billion in cryptocurrency theft in 2023 alone. This highlights the significant financial impact that state-sponsored threat groups can have on the cryptocurrency industry. The use of customized malware and advanced techniques makes it challenging for traditional security measures to detect and mitigate these threats.

Recommendations

To protect against such sophisticated attacks, organizations should implement the following recommendations:

  1. Employee Training: Conduct regular training sessions to educate employees about social engineering tactics and phishing attempts. Emphasize the importance of verifying the authenticity of job offers and coding challenges received via LinkedIn or other professional networks.

  2. Code Repository Security: Implement strict access controls and monitoring for code repositories such as GitHub. Regularly audit repositories for any suspicious activities or unauthorized changes.

  3. Malware Detection: Deploy advanced malware detection tools that can identify and block customized Python malware. Ensure that these tools are regularly updated to keep up with the latest threats.

  4. Network Segmentation: Segment the network to limit the spread of malware in case of a breach. This can help contain the damage and prevent unauthorized access to sensitive data.

  5. Incident Response Plan: Develop and maintain an incident response plan that outlines the steps to take in case of a security breach. Regularly test this plan through simulations to ensure its effectiveness.

  6. Collaboration with Security Communities: Share threat intelligence with other organizations and security communities. This collaborative approach can help identify emerging threats and develop effective countermeasures.
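One concrete check that follows from the YAML deserialization technique noted under Campaign Details and the repository-auditing advice in recommendation 2: an added example (not code from the report or from Unit 42) that uses Python's ast module to flag PyYAML calls which can construct arbitrary Python objects from untrusted input, run here over a constructed sample of the kind of file a "coding task" might ship. It assumes PyYAML is imported as yaml; aliased imports are not resolved.

```python
import ast

# Loader classes that restrict YAML to plain data (no Python object construction).
SAFE_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader", "CBaseLoader"}
# PyYAML entry points that construct Python objects from tags in the document.
UNSAFE_FUNCS = {"unsafe_load", "unsafe_load_all", "full_load", "full_load_all"}

def _dotted(node):
    # Return a dotted name such as 'yaml.load' for Name/Attribute nodes, else ''.
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return node.id if isinstance(node, ast.Name) else ""

def _loader_is_safe(call):
    # True only when yaml.load()/load_all() is given an explicit safe Loader.
    for kw in call.keywords:
        if kw.arg == "Loader":
            return _dotted(kw.value).rsplit(".", 1)[-1] in SAFE_LOADERS
    if len(call.args) >= 2:  # Loader passed positionally
        return _dotted(call.args[1]).rsplit(".", 1)[-1] in SAFE_LOADERS
    return False  # no Loader: older PyYAML falls back to FullLoader, not SafeLoader

def scan_source(source):
    # Return (line, call, reason) tuples for risky PyYAML calls in a source file.
    # Assumption: the module is imported as 'yaml' (no alias resolution).
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted(node.func)
        func = name.rsplit(".", 1)[-1]
        if name.startswith("yaml.") and func in UNSAFE_FUNCS:
            findings.append((node.lineno, name, "constructs arbitrary Python objects"))
        elif name in ("yaml.load", "yaml.load_all") and not _loader_is_safe(node):
            findings.append((node.lineno, name, "no safe Loader supplied"))
    return findings

# Constructed sample of a 'coding task' module a candidate might be asked to run.
CONSTRUCTED_SAMPLE = """import yaml
def load_task(fh):
    return yaml.load(fh)                          # flagged: no Loader
def load_cfg(blob):
    return yaml.load(blob, Loader=yaml.SafeLoader)  # fine
def load_cfg2(blob):
    return yaml.load(blob, yaml.CSafeLoader)      # fine: positional safe loader
def load_meta(blob):
    return yaml.full_load(blob)                   # flagged
"""
```

Running scan_source(CONSTRUCTED_SAMPLE) reports the yaml.load call on line 3 and the yaml.full_load call on line 9; the two SafeLoader variants are not reported.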

Conclusion

The campaign by Slow Pisces targeting cryptocurrency developers underscores the need for heightened vigilance and robust security measures. By understanding the tactics, techniques, and procedures (TTPs) used by this threat group, organizations can better prepare themselves to defend against similar attacks. Implementing the recommended security practices will help mitigate the risks associated with state-sponsored cyber threats.

For additional information, please refer to the following external references:

  1. Unit 42 Palo Alto Networks: https://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware
  2. AlienVault OTX Pulse: https://otx.alienvault.com/pulse/67fce4dbd05e59dcedb21adc

