The North Korea-linked threat actor assessed to be behind the massive Bybit hack in February 2025 has been linked to a malicious campaign that targets developers to deliver new stealer malware under the guise of a coding assignment.
The activity has been attributed by Palo Alto Networks Unit 42 to a hacking group it tracks as Slow Pisces, which is also known as Jade Sleet, PUKCHONG, TraderTraitor, and UNC4899.
"Slow Pisces engaged with cryptocurrency developers on LinkedIn, posing as potential employers and sending malware disguised as coding challenges," security researcher Prashil Pattni said. "These challenges require developers to run a compromised project, infecting their systems using malware we have named RN Loader and RN Stealer."
Slow Pisces has a history of targeting developers, typically in the cryptocurrency sector, by approaching them on LinkedIn as part of a supposed job opportunity and enticing them into opening a PDF document that details the coding assignment hosted on GitHub.
In July 2023, GitHub revealed that employees working at blockchain, cryptocurrency, online gambling, and cybersecurity companies were singled out by the threat actor, deceiving them into running malicious npm packages.
Then last June, Google-owned Mandiant detailed the attackers' modus operandi of first sending to targets on LinkedIn a benign PDF document containing a job description for an alleged job opportunity and following it up with a skills questionnaire should they express interest.
The questionnaire included instructions to complete a coding challenge by downloading a trojanized Python project from GitHub that, while ostensibly capable of viewing cryptocurrency prices, was designed to contact a remote server to fetch an unspecified second-stage payload if certain conditions are met.
The multi-stage attack chain documented by Unit 42 follows the same approach, with the malicious payload sent only to validated targets, likely based on IP address, geolocation, time, and HTTP request headers.
The fact that the threat actor's tradecraft has remained exactly the same even after all these months likely indicates the targeted nature of the campaign, allowing it to escape notice.
"Prior to the Bybit hack there was very little detailed awareness and reporting of the campaign in open source and so it's possible the threat actors felt no need to change," Andy Piazza, Senior Director of Threat Intelligence at Palo Alto Networks Unit 42, told The Hacker News.
"The campaign has continually updated, improving their OPSEC on sites like GitHub, varying the lures used, and how payloads can be executed. As for why payloads were gated behind 'specific conditions,' they and many other threat actors do this to prevent their later stage tooling from being obtained (and analysed) by people who aren't victims, allowing the threat actor to continue to use the payloads for longer without the need for updates."
"Focusing on individuals contacted via LinkedIn, as opposed to broad phishing campaigns, allows the group to tightly control the later stages of the campaign and deliver payloads only to expected victims," Pattni said. "To avoid the suspicious eval and exec functions, Slow Pisces uses YAML deserialization to execute its payload."
The payload is configured to execute a malware family named RN Loader, which sends basic information about the victim machine and operating system over HTTPS to the same server and receives and executes a next-stage Base64-encoded blob.
The newly downloaded malware is RN Stealer, an information stealer capable of harvesting sensitive information from infected Apple macOS systems. This includes system metadata, installed applications, directory listing, and the top-level contents of the victim's home directory, iCloud Keychain, stored SSH keys, and configuration files for AWS, Kubernetes, and Google Cloud.
"The infostealer gathers more detailed victim information, which attackers likely used to determine whether they needed continued access," Unit 42 said.
Targeted victims who apply for a JavaScript role, likewise, are urged to download a "Cryptocurrency Dashboard" project from GitHub that employs a similar strategy where the command-and-control (C2) server only serves additional payloads when the targets meet certain criteria. However, the exact nature of the payload is unknown.
"The repository uses the Embedded JavaScript (EJS) templating tool, passing responses from the C2 server to the ejs.render() function," Pattni pointed out. "Like the use of yaml.load(), this is another technique Slow Pisces employs to conceal execution of arbitrary code from its C2 servers, and this method is perhaps only apparent when viewing a valid payload."
Jade Sleet is one among the many North Korean threat activity clusters to leverage job opportunity-themed lures as a malware distributor vector, the others being Operation Dream Job, Contagious Interview, Alluring Pisces, and Moonstone Sleet.
"The recurrence of developers being targeted and the use of npm [or Python] packages occurs as developers often have the access needed by threat actors to steal cryptocurrency," Piazza said. "This then leads to developer oriented campaigns, often coding challenges for prospective jobs which involve running code, and the threat actor's malware, as part of the lure."
The cybersecurity company said Slow Pisces' campaign falls on the side of fewer and higher value targets in comparison to the other groups operating out of North Korea.
"These groups feature no operational overlaps. However, these campaigns making use of similar initial infection vectors is noteworthy," Unit 42 concluded. "Slow Pisces stands out from their peers' campaigns in operational security. Delivery of payloads at each stage is heavily guarded, existing in memory only. And the group's later stage tooling is only deployed when necessary."
(The story was updated after publication to include additional insights from Palo Alto Networks Unit 42.)
