Hackers are duping developers with malware-laden coding challenges
North Korean hackers have been delivering malware to job-hunting crypto developers
A North Korean state-sponsored hacker group has been targeting crypto developers through coding challenges as part of a fake recruitment process.
Posing as recruiters on LinkedIn, the Slow Pisces group asks developers to participate in compromised Python and JavaScript projects, infecting their systems using custom malware and leveraging GitHub repositories.
Analysis from Unit 42, Palo Alto Networks’ threat intelligence wing, shows the group mainly used projects in Python or JavaScript - probably depending on whether the target applied for a front-end or back-end development role. There were also a couple of Java-based repositories, researchers found.
The hackers are using two newly discovered malware strains, RN Loader and RN Stealer, along with new evasion techniques, including abuse of YAML deserialization and of the EJS escapeFunction feature.
RN Loader sends basic information about the victim's device and operating system over HTTPS to the group's C2 server, while RN Stealer is an infostealer that exfiltrates collected data, including in compressed form.
Distribution of the malware is tightly controlled, going only to carefully validated targets selected on factors such as their IP address, geographic location, time of access and HTTP headers.
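The YAML deserialization technique named above is one a developer can check for before running an unfamiliar repository. The following audit script is an added example, not code from the page or from Unit 42: it walks Python sources with the standard-library `ast` module and flags any `yaml.load()`, `full_load()` or `unsafe_load()` call that is not given a safe Loader, since such calls construct arbitrary Python objects from attacker-controlled YAML. The sample project embedded in it is constructed for illustration; PyYAML itself does not need to be installed to run the check.

```python
"""Audit Python sources for unsafe PyYAML deserialization calls (added example)."""
import ast
import os
from typing import Dict, List, Tuple

# PyYAML entry points that perform full object construction unless a safe
# Loader is passed explicitly. safe_load()/safe_load_all() are deliberately absent.
UNSAFE_FUNCS = {"load", "load_all", "full_load", "full_load_all",
                "unsafe_load", "unsafe_load_all"}
SAFE_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader", "CBaseLoader"}


def _loader_is_safe(call: ast.Call) -> bool:
    """True only if the call explicitly passes a safe Loader class."""
    candidates = list(call.args[1:2])                       # Loader as 2nd positional arg
    candidates += [kw.value for kw in call.keywords if kw.arg == "Loader"]
    for node in candidates:
        name = node.attr if isinstance(node, ast.Attribute) else getattr(node, "id", None)
        if name in SAFE_LOADERS:
            return True
    return False


def find_unsafe_yaml_calls(source: str, filename: str = "<string>") -> List[Tuple[int, str]]:
    """Return (lineno, message) for every unsafe YAML load call in `source`."""
    try:
        tree = ast.parse(source, filename)
    except SyntaxError as exc:                              # unparseable file is itself worth a look
        return [(exc.lineno or 0, f"could not parse {filename}: {exc.msg}")]
    # Map names bound by `from yaml import X [as Y]` back to the yaml function name.
    from_yaml: Dict[str, str] = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom) and node.module == "yaml":
            for alias in node.names:
                from_yaml[alias.asname or alias.name] = alias.name
    findings: List[Tuple[int, str]] = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
                and func.value.id == "yaml"):
            fname = func.attr                               # yaml.load(...)
        elif isinstance(func, ast.Name) and func.id in from_yaml:
            fname = from_yaml[func.id]                      # load(...) after `from yaml import load`
        else:
            continue
        if fname in UNSAFE_FUNCS and not _loader_is_safe(node):
            findings.append((node.lineno, f"yaml.{fname}() called without a safe Loader"))
    findings.sort()
    return findings


def scan_sources(files: Dict[str, str]) -> Dict[str, List[Tuple[int, str]]]:
    """Scan an in-memory {filename: source} mapping; only files with findings are returned."""
    result = {}
    for name, src in files.items():
        hits = find_unsafe_yaml_calls(src, name)
        if hits:
            result[name] = hits
    return result


def scan_directory(root: str) -> Dict[str, List[Tuple[int, str]]]:
    """Walk `root` on disk and scan every .py file found."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            if n.endswith(".py"):
                path = os.path.join(dirpath, n)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    files[path] = fh.read()
    return scan_sources(files)


# Constructed sample project (not a real repository): config.py mixes one unsafe
# and one safe call, settings.py imports unsafe_load under an alias, clean.py
# uses json only.
SAMPLE_PROJECT = {
    "config.py": (
        "import yaml\n"
        "def read(path):\n"
        "    with open(path) as f:\n"
        "        return yaml.load(f, Loader=yaml.Loader)\n"
        "def read_safe(path):\n"
        "    with open(path) as f:\n"
        "        return yaml.load(f, yaml.SafeLoader)\n"
    ),
    "settings.py": (
        "import yaml\n"
        "from yaml import unsafe_load as ul\n"
        "def read(path):\n"
        "    with open(path) as f:\n"
        "        return yaml.safe_load(f)\n"
        "def read_legacy(path):\n"
        "    with open(path) as f:\n"
        "        return ul(f)\n"
    ),
    "clean.py": "import json\ndef read(path):\n    return json.load(open(path))\n",
}

if __name__ == "__main__":
    for fname, hits in scan_sources(SAMPLE_PROJECT).items():
        for lineno, msg in hits:
            print(f"{fname}:{lineno}: {msg}")
```

Run against a checked-out repository with `scan_directory("/path/to/repo")`. The check is syntactic, so it will miss calls routed through a re-exported or dynamically resolved name, but it catches the common shapes and, more importantly, surfaces any YAML loading at all in a project that was handed to you as a "coding challenge", which is the moment to ask why the project needs to deserialize YAML before deciding whether to run it.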
"We have observed Slow Pisces impersonating several organizations with these lures, primarily in the cryptocurrency sector," said Unit 42.
"Slow Pisces presented targets with so-called coding challenges as projects from GitHub repositories. The repositories contained code adapted from open source projects, including applications for viewing and analyzing stock market data, statistics from European soccer leagues, weather data, and cryptocurrency prices."
Everything you need to know about the Slow Pisces group
Slow Pisces - also known as Jade Sleet, TraderTraitor and Pukchong - has been linked to a number of high-profile cryptocurrency thefts, having reportedly stolen over $1 billion from the cryptocurrency sector in 2023.
Their methods included fake trading applications, malware distributed via the Node Package Manager (NPM), and supply chain compromises.
In December 2024, the FBI attributed the theft of $308 million from a Japan-based cryptocurrency company to the group, and it was also allegedly involved in the theft of $1.5 billion from a Dubai cryptocurrency exchange.
Unit 42 said it shared its findings with GitHub and LinkedIn, both of which have removed the malicious accounts and repositories.
"Based on public reports of cryptocurrency heists, this campaign appears highly successful and likely to persist in 2025," said Unit 42.
"The most effective mitigation remains strict segregation of corporate and personal devices. This helps prevent the compromise of corporate systems from targeted social engineering campaigns."
North Korean hackers are on a roll
This is just the latest in a series of North Korean campaigns built around fake recruitment. More often, the technique sees the criminals pose as job applicants rather than recruiters.
Research shows they've been infiltrating organizations in both the US and Europe to raise money for the North Korean regime, steal proprietary data, install malware on corporate systems, and demand ransom payments.
The rise of fake IT workers has prompted security agencies to issue several warnings over the growing risks faced by enterprises. Some victims have been vocal about the issue, including cybersecurity training firm KnowBe4, which revealed last year it had been duped by a threat actor posing as an IT worker.
Similarly, the techniques highlighted by Unit 42 are by no means novel. Threat groups such as Alluring Pisces and Contagious Interview have also exploited LinkedIn to target jobseekers.
Recent analysis from Bitdefender shows the social networking platform has become a prime hunting ground for cyber criminals, with a host of groups leveraging the platform to dupe unsuspecting users.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.