Crypto Developers Targeted With Python Malware Disguised as Coding Problems

The North Korean-linked threat actor held responsible for the large Bybit hack in February 2025 has been tied to a malicious campaign that distributes new stealer malware to developers under the guise of a coding assignment.

Palo Alto Networks Unit 42 has attributed the activity to a group it tracks as Slow Pisces, which is also known as Jade Sleet, PUKCHONG, TraderTraitor, and UNC4899.

According to security researcher Prashil Pattni, “Slow Pisces engaged with crypto engineers on LinkedIn, posing as potential employers and sending malware disguised as coding problems.” Completing the assignment requires running a compromised project, which infects the developer’s system with malware tracked as RN Loader and RN Stealer.

Slow Pisces has a history of contacting developers on LinkedIn about a purported job opportunity and persuading them to read a PDF document containing the details of a coding assignment hosted on GitHub, a practice that is common in the cryptocurrency sector.

In July 2023, GitHub disclosed that the threat actor had targeted employees at businesses in the blockchain, cryptocurrency, online gambling, and cybersecurity sectors, tricking them into installing malicious npm packages.

The attackers’ method of first sending targets on LinkedIn a harmless PDF file with a job description for an alleged job opportunity, then following it up with a skills questionnaire if they show interest, was described by Google-owned Mandiant in June.

The questionnaire included instructions to download a trojanized Python project from GitHub which, while ostensibly designed to display cryptocurrency prices, could contact a remote server to retrieve an unspecified second-stage payload if certain conditions were met.

The multi-stage attack chain described by Unit 42 follows the same strategy: the malicious payload is sent only to validated targets, likely selected on the basis of IP address, geolocation, time, and HTTP request headers.

As opposed to broad phishing campaigns, focusing on individuals contacted via LinkedIn allows the group to tightly control the later stages of the campaign and deliver payloads only to expected victims, Pattni said. Slow Pisces executes its payload through YAML deserialization, which, according to the statement, it uses “to avoid the suspicious eval and exec functions.”

The payload is set up to run a malware family called RN Loader, which sends basic information about the victim’s machine and operating system over HTTPS to the same server, receives and executes a Base64-encoded blob as the next stage, and then runs a further malware family.

The newly downloaded malware, RN Stealer, is an information stealer capable of harvesting sensitive data from infected Apple macOS systems. This includes system metadata, installed applications, directory listings, the top-level contents of the victim’s home directory, the iCloud Keychain, stored SSH keys, and configuration files for AWS, Kubernetes, and Google Cloud.

According to Unit 42, “The infostealer gathers more detailed victim information, which attackers likely used to determine whether they needed continued access.”

Targeted victims who apply for a JavaScript role are instead urged to download a “Cryptocurrency Dashboard” project from GitHub that uses a similar approach, where the command-and-control (C2) server only provides additional payloads when the targets meet a set of requirements. The precise nature of that payload is not known, though.

“The repository passes C2 server responses to the ejs.render() function of the Embedded JavaScript (EJS) templating tool,” Pattni remarked. “Like the YAML approach used in the Python project, this method is another way Slow Pisces conceals the execution of arbitrary code from its C2 servers, and it is only evident when viewing a valid payload.”
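The two evasion tricks described above, YAML deserialization in the Python project and ejs.render() in the JavaScript one, share a defensive lesson: grepping a downloaded assignment for eval and exec is not enough. The script below is an added example written for this page, not tooling from Unit 42 or code from the campaign’s repositories. It parses an untrusted project’s .py files with the standard ast module and reports deserialization sinks (including yaml.load without an explicit SafeLoader) and network-capable imports, and it regex-scans .js files for ejs.render(), eval() and new Function(). The SAMPLE_PY source, the example.invalid URL and every function name are constructed for illustration.

```python
"""Static triage of a downloaded "coding assignment" before it is run.
Hypothetical helper for this page; not Unit 42 tooling or campaign code."""
from __future__ import annotations

import ast
import re
from dataclasses import dataclass
from pathlib import Path

# Python sinks that turn data into objects or code. yaml.load with a non-safe
# Loader builds arbitrary Python objects from tagged YAML, so a C2 response can
# drive execution with no eval() or exec() anywhere in the repository.
SINKS = {
    "eval": "evaluates a string as Python",
    "exec": "executes a string as Python",
    "yaml.load": "constructs arbitrary objects unless Loader is SafeLoader",
    "yaml.unsafe_load": "constructs arbitrary objects",
    "yaml.full_load": "accepts Python-specific tags; trace the input source",
    "pickle.loads": "unpickling runs constructor code",
    "marshal.loads": "deserializes raw code objects",
    "base64.b64decode": "decodes an opaque blob; trace where the bytes go",
}
NETWORK_MODULES = {"requests", "urllib", "http", "socket", "aiohttp"}

# JavaScript sinks checked by regex; good enough for a first triage pass.
JS_SINKS = {
    "ejs.render": re.compile(r"\bejs\.render\s*\("),
    "eval": re.compile(r"\beval\s*\("),
    "new Function": re.compile(r"\bnew\s+Function\s*\("),
}


@dataclass(frozen=True)
class Finding:
    line: int
    what: str
    why: str


def _dotted(node: ast.AST) -> str | None:
    """Return 'pkg.attr' for a Name/Attribute chain, else None."""
    parts: list[str] = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _uses_safe_loader(call: ast.Call) -> bool:
    """True only when yaml.load is explicitly given a SafeLoader."""
    for kw in call.keywords:
        if kw.arg == "Loader":
            return (_dotted(kw.value) or "").endswith("SafeLoader")
    if len(call.args) >= 2:
        return (_dotted(call.args[1]) or "").endswith("SafeLoader")
    return False  # no Loader given: older PyYAML defaulted to an unsafe one


def scan_python(src: str, filename: str = "<untrusted>") -> list[Finding]:
    """Walk the AST and report sinks and network imports, ordered by line."""
    findings: list[Finding] = []
    for node in ast.walk(ast.parse(src, filename)):
        if isinstance(node, ast.Import):
            modules = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            modules = [node.module or ""]
        else:
            modules = []
        for mod in modules:
            if mod.split(".")[0] in NETWORK_MODULES:
                findings.append(Finding(node.lineno, f"import {mod}",
                                        "network capable; check what is fetched"))
        if isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in SINKS and not (name == "yaml.load" and _uses_safe_loader(node)):
                findings.append(Finding(node.lineno, name, SINKS[name]))
    return sorted(findings, key=lambda f: f.line)


def scan_javascript(src: str) -> list[Finding]:
    """Regex pass over JS: render()/eval() fed by network data needs review."""
    findings: list[Finding] = []
    for lineno, line in enumerate(src.splitlines(), start=1):
        for name, pattern in JS_SINKS.items():
            if pattern.search(line):
                findings.append(Finding(lineno, name, "executes or templates data; trace its input"))
    return findings


def scan_project(root: str | Path) -> dict[str, list[Finding]]:
    """Scan every .py and .js file under root; keys are paths relative to root."""
    root = Path(root)
    report: dict[str, list[Finding]] = {}
    for path in sorted(root.rglob("*")):
        text = path.read_text(encoding="utf-8", errors="replace") if path.suffix in (".py", ".js") else None
        hits = scan_python(text, str(path)) if path.suffix == ".py" else scan_javascript(text) if text else []
        if hits:
            report[str(path.relative_to(root))] = hits
    return report


# Constructed sample resembling a "price viewer" assignment; not real campaign code.
SAMPLE_PY = '''
import base64, requests, yaml

def fetch_prices():
    resp = requests.get("https://example.invalid/prices")  # placeholder URL
    return yaml.load(resp.text, Loader=yaml.Loader)

def load_config(path):
    with open(path) as f:
        return yaml.load(f, Loader=yaml.SafeLoader)
'''

if __name__ == "__main__":
    for f in scan_python(SAMPLE_PY):
        print(f"line {f.line}: {f.what} -- {f.why}")
```

Run it against the unpacked assignment with `scan_project("path/to/repo")` before executing anything. A yaml.load finding on the same code path as a network import is exactly the shape the article describes: a remote response deserialized straight into Python objects, which is the reviewer’s cue to read that function line by line rather than run it.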

Jade Sleet is one of many groups that use job-related lures as a malware distribution vector, alongside , , and .

“These groups don’t have any operational overlaps. These campaigns, however, were noteworthy for making use of comparable initial infection vectors,” Unit 42 declared. Slow Pisces stands apart from these other campaigns in terms of operational security. Payload delivery at each stage is tightly guarded, existing only in memory, and the group’s later-stage tooling is deployed only when it is required.
