Hackers are duping developers with malware-laden coding challenges
North Korean hackers have been delivering malware to job-hunting crypto developers


A North Korean state-sponsored hacker group has been targeting crypto developers through coding challenges as part of a fake recruitment process.
Posing as recruiters on LinkedIn, the Slow Pisces group asks developers to participate in compromised Python and JavaScript projects, infecting their systems using custom malware and leveraging GitHub repositories.
Analysis from Unit 42, Palo Alto Networks’ threat intelligence wing, shows the group mainly used projects in Python or JavaScript - probably depending on whether the target applied for a front-end or back-end development role. There were also a couple of Java-based repositories, researchers found.
The hackers are using two newly discovered malware strains, RN Loader and RN Stealer, along with new evasion techniques including YAML deserialization and EJS escapeFunction.
RN Loader sends basic information about the victim's device and operating system over HTTPS to the group's command-and-control (C2) server, while RN Stealer is an infostealer that collects data from the compromised machine and exfiltrates it in compressed form.
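The YAML deserialization technique mentioned above works only when a project loads YAML with a loader that is allowed to construct Python objects. The following is an added example, not code from the article, from Unit 42 or from the group's repositories: a small pre-run audit a developer can point at an unfamiliar coding-challenge project before executing it. It flags YAML text carrying PyYAML's "!!python/" object tags (only an unsafe loader instantiates these) and Python source that calls yaml.load() without a safe Loader. The file names and both sample inputs are constructed for the demonstration; it uses only the standard library, so it runs without PyYAML installed.

```python
"""Pre-run audit of an unfamiliar Python project for unsafe YAML loading.

Added example (not from the article or Unit 42). The sample YAML and sample
source below are constructed inputs; the paths are placeholders.
"""
from __future__ import annotations

import ast
import re
from dataclasses import dataclass

# PyYAML's object-construction namespace; the core YAML schema never needs it.
PYTHON_TAG_RE = re.compile(r"!!python/[\w./:]+")

# Loader classes that refuse to construct arbitrary Python objects.
SAFE_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader"}


@dataclass
class Finding:
    path: str
    line: int
    message: str


def audit_yaml_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per line that carries a !!python/ tag."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PYTHON_TAG_RE.finditer(line):
            findings.append(Finding(path, lineno, f"PyYAML object tag {m.group(0)}"))
    return findings


def _is_yaml_call(node: ast.Call, names: set[str]) -> bool:
    """True for calls of the form yaml.<name>(...) with <name> in names."""
    f = node.func
    return (isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name)
            and f.value.id == "yaml" and f.attr in names)


def audit_python_source(path: str, source: str) -> list[Finding]:
    """Flag yaml.load()/load_all() calls lacking a safe Loader, plus the
    convenience functions that select non-safe loaders by design.
    Limitation: only attribute-style calls (yaml.load) are recognised;
    'from yaml import load' is not tracked."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        if _is_yaml_call(node, {"unsafe_load", "unsafe_load_all"}):
            findings.append(Finding(path, node.lineno,
                                    f"yaml.{node.func.attr}() constructs arbitrary objects"))
        elif _is_yaml_call(node, {"full_load", "full_load_all"}):
            findings.append(Finding(path, node.lineno,
                                    f"yaml.{node.func.attr}() uses FullLoader, not SafeLoader"))
        elif _is_yaml_call(node, {"load", "load_all"}):
            # Loader may be passed as the second positional argument or as Loader=...
            loader = node.args[1] if len(node.args) >= 2 else next(
                (kw.value for kw in node.keywords if kw.arg == "Loader"), None)
            safe = isinstance(loader, ast.Attribute) and loader.attr in SAFE_LOADERS
            if not safe:
                findings.append(Finding(path, node.lineno,
                                        f"yaml.{node.func.attr}() without a safe Loader"))
    return findings


# Constructed sample: a benign PyYAML-specific tag that SafeLoader rejects.
SAMPLE_YAML = """\
app: challenge
settings: !!python/tuple [1, 2]
"""

# Constructed sample: one unsafe call, one safe call, one safe_load.
SAMPLE_SOURCE = '''
import yaml
def load_config(path):
    with open(path) as f:
        cfg = yaml.load(f, Loader=yaml.Loader)
    with open(path) as f:
        ok = yaml.load(f, Loader=yaml.SafeLoader)
    also = yaml.safe_load("a: 1")
    return cfg, ok, also
'''


def run_audit() -> list[Finding]:
    """Audit the two constructed samples and return every finding."""
    return (audit_yaml_text("config.yaml", SAMPLE_YAML)
            + audit_python_source("app.py", SAMPLE_SOURCE))


if __name__ == "__main__":
    for f in run_audit():
        print(f"{f.path}:{f.line}: {f.message}")
```

In a real review the two audit functions would be run over every .yaml/.yml and .py file in the cloned repository; a finding is a reason to read that code before running anything, not proof of malice, since legitimate projects also misuse yaml.load.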
Distribution of the malware is tightly controlled, going only to carefully validated targets based on factors such as their IP address, their location, time and HTTP headers.
"We have observed Slow Pisces impersonating several organizations with these lures, primarily in the cryptocurrency sector," said Unit 42.
"Slow Pisces presented targets with so-called coding challenges as projects from GitHub repositories. The repositories contained code adapted from open source projects, including applications for viewing and analyzing stock market data, statistics from European soccer leagues, weather data, and cryptocurrency prices."
Everything you need to know about the Slow Pisces group
Slow Pisces - also known as Jade Sleet, TraderTraitor and Pukchong - has been linked to a number of high-profile cryptocurrency thefts, having reportedly stolen over $1 billion from the cryptocurrency sector in 2023.
Their methods included fake trading applications, malware distributed via the Node Package Manager (NPM), and supply chain compromises.
In December 2024, the FBI attributed the theft of $308 million from a Japan-based cryptocurrency company to the group, and it was also allegedly involved in the theft of $1.5 billion from a Dubai cryptocurrency exchange.
Unit 42 said it shared its findings with GitHub and LinkedIn, both of which have removed the malicious accounts and repositories.
"Based on public reports of cryptocurrency heists, this campaign appears highly successful and likely to persist in 2025," said Unit 42.
"The most effective mitigation remains strict segregation of corporate and personal devices. This helps prevent the compromise of corporate systems from targeted social engineering campaigns."
North Korean hackers are on a roll
This is just the latest in a series of North Korean campaigns built around fake recruitment. More commonly, the technique involves the criminals posing as job applicants rather than recruiters.
Research shows they've been infiltrating organizations in both the US and Europe to raise money for the North Korean regime, steal proprietary data, install malware on corporate systems, and demand ransom payments.
The rise of fake IT workers has prompted security agencies to issue several warnings over the growing risks faced by enterprises. Some victims have been vocal about the issue, including cybersecurity training firm KnowBe4, which revealed last year it had been duped by a threat actor posing as an IT worker.
Similarly, the techniques highlighted by Unit 42 are by no means novel. Threat groups such as Alluring Pisces and Contagious Interview have also exploited LinkedIn to target jobseekers.
Recent analysis from Bitdefender shows the social networking platform has become a prime hunting ground for cyber criminals, with a host of groups leveraging the platform to dupe unsuspecting users.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.