The North Korea-linked threat actor assessed to be behind the massive Bybit hack in February 2025 has been linked to a malicious campaign that targets developers to deliver new stealer malware under the guise of a coding assignment.
The activity has been attributed by Palo Alto Networks Unit 42 to a hacking group it tracks as Slow Pisces, which is also known as Jade Sleet, PUKCHONG, TraderTraitor, and UNC4899.
“Slow Pisces engaged with cryptocurrency developers on LinkedIn, posing as potential employers and sending malware disguised as coding challenges,” security researcher Prashil Pattni said. “These challenges require developers to run a compromised project, infecting their systems using malware we have named RN Loader and RN Stealer.”
Slow Pisces has a history of targeting developers, typically in the cryptocurrency sector, by approaching them on LinkedIn as part of a supposed job opportunity and enticing them into opening a PDF document that details the coding assignment hosted on GitHub.
In July 2023, GitHub revealed that employees working at blockchain, cryptocurrency, online gambling, and cybersecurity companies were singled out by the threat actor, deceiving them into running malicious npm packages.
Then last June, Google-owned Mandiant detailed the attackers’ modus operandi of first sending to targets on LinkedIn a benign PDF document containing a job description for an alleged job opportunity and following it up with a skills questionnaire should they express interest.
The questionnaire included instructions to complete a coding challenge by downloading a trojanized Python project from GitHub that, while ostensibly capable of viewing cryptocurrency prices, was designed to contact a remote server to fetch an unspecified second-stage payload if certain conditions are met.
The multi-stage attack chain documented by Unit 42 follows the same approach, with the malicious payload sent only to validated targets, likely based on IP address, geolocation, time, and HTTP request headers.
“Focusing on individuals contacted via LinkedIn, as opposed to broad phishing campaigns, allows the group to tightly control the later stages of the campaign and deliver payloads only to expected victims,” Pattni said. “To avoid the suspicious eval and exec functions, Slow Pisces uses YAML deserialization to execute its payload.”
The payload is configured to execute a malware family named RN Loader, which sends basic information about the victim machine and operating system over HTTPS to the same server and receives and executes a next-stage Base64-encoded blob.
The newly downloaded malware is RN Stealer, an information stealer capable of harvesting sensitive information from infected Apple macOS systems. This includes system metadata, installed applications, directory listing, and the top-level contents of the victim’s home directory, iCloud Keychain, stored SSH keys, and configuration files for AWS, Kubernetes, and Google Cloud.
“The infostealer gathers more detailed victim information, which attackers likely used to determine whether they needed continued access,” Unit 42 said.
Targeted victims who apply for a JavaScript role, likewise, are urged to download a “Cryptocurrency Dashboard” project from GitHub that employs a similar strategy where the command-and-control (C2) server only serves additional payloads when the targets meet certain criteria. However, the exact nature of the payload is unknown.
“The repository uses the Embedded JavaScript (EJS) templating tool, passing responses from the C2 server to the ejs.render() function,” Pattni pointed out. “Like the use of yaml.load(), this is another technique Slow Pisces employs to conceal execution of arbitrary code from its C2 servers, and this method is perhaps only apparent when viewing a valid payload.”
Jade Sleet is one among the many North Korean threat activity clusters to leverage job opportunity-themed lures as a malware distributor vector, the others being Operation Dream Job, Contagious Interview, and Alluring Pisces.
“These groups feature no operational overlaps. However, these campaigns making use of similar initial infection vectors is noteworthy,” Unit 42 concluded. “Slow Pisces stands out from their peers’ campaigns in operational security. Delivery of payloads at each stage is heavily guarded, existing in memory only. And the group’s later stage tooling is only deployed when necessary.”
