North Korean Hackers Exploit LinkedIn to Infect Crypto Developers with Infostealers

If you're a developer working on cryptocurrency projects, beware of people trying to hire you on LinkedIn – they could be North Korean hackers. A recent report by Unit 42, Palo Alto Networks' research branch, has shed light on Slow Pisces, a hacking group affiliated with the North Korean regime, which has been using this platform to target crypto developers with malicious coding challenges.

In an April 14 report, Unit 42 shared new findings about Slow Pisces, a group that has been posing as recruiters on LinkedIn since 2024. The hackers are targeting developers of cryptocurrency projects with malicious PDF lures, leading to the distribution of two new malware payloads, RN Loader and RN Stealer.

The campaign is executed in multiple steps. First, the Slow Pisces hackers impersonate potential recruiters on LinkedIn and engage with likely targets, sending them a benign PDF with a job description. The targets are primarily involved in cryptocurrency projects. If the targets apply, attackers present them with a coding challenge consisting of several tasks outlined in a question sheet.

These question sheets typically include generic software development tasks and a “real project” coding challenge, which links to a GitHub repository. The repositories contain code adapted from open-source projects, including applications for viewing and analyzing stock market data, statistics from European soccer leagues, weather data, and cryptocurrency prices.

"The group primarily used projects in either Python or JavaScript, likely depending on whether the target applied for a front-end or back-end development role. We also saw Java-based repositories in this campaign, though they were far less common, with only two instances impersonating a cryptocurrency application called jCoin," the Unit 42 report reads.

The researchers added that undiscovered repositories might also exist for other programming languages. Typically, Slow Pisces uses repositories with multiple data sources, most of them legitimate and one of them malicious. The attackers then send malicious payloads only to carefully validated targets based on factors such as IP address, geolocation, time, and HTTP headers.

By focusing on individuals contacted via LinkedIn rather than conducting broad phishing campaigns, the group tightly controls later campaign stages to deliver malware solely to intended victims. This approach allows them to avoid traditional malware delivery methods, which are easily detected.

The Malware Payloads: RN Loader and RN Stealer

Unit 42 researchers identified two previously unknown payloads, RN Loader and RN Stealer. RN Loader sends basic information about the victim machine and operating system over HTTPS to the hackers' C2 server.

RN Stealer is an infostealer that collects data from the victim's device, some of it compressed, and exfiltrates it. The researchers recovered the script for an RN Stealer sample from a macOS system, which was capable of stealing information specific to macOS devices, including:

[Image: stolen macOS-specific data]

The Unit 42 researchers were not able to recover the full attack chain for JavaScript repositories.

A Distinctive Approach: YAML Deserialization and EJS escapeFunction

Slow Pisces distinguishes itself with stringent operational security. Its payloads exist solely in memory, and rather than using obvious constructs such as eval() or exec(), it reaches for code execution techniques that look innocuous in source code, such as unsafe YAML deserialization and EJS's escapeFunction option, deploying them only when necessary.
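As an added illustration of what a developer handed such a repository could check, and not code from the Unit 42 report or from the Slow Pisces repositories: a stdlib-only Python helper that walks a Python file's syntax tree for yaml.load() calls that would honour !!python/ tags, and that inspects a fetched "data source" body before parsing for the two markers behind the techniques named above, a PyYAML python/* tag and an EJS options object carrying escapeFunction. The repository file and the two response bodies are constructed here for the demonstration, and the assumption that the fetched JSON is passed to ejs.render() as its options object (where a string-valued escapeFunction is inlined into the compiled template when client is set) is mine, not the article's.

```python
"""Two stdlib-only checks for the code-execution sinks the article names.

find_unsafe_yaml_loads() walks a Python file's AST for yaml.load() calls that
would honour !!python/* tags; suspicious_payload() inspects a fetched response
body *before* it is parsed and flags PyYAML python tags and an EJS options
object carrying escapeFunction. Assumes the repo uses `import yaml`.
"""
import ast
import json
import re

# Loaders that construct arbitrary Python objects (Loader, UnsafeLoader), or
# did so on PyYAML releases before 5.4 (FullLoader, CVE-2020-14343).
RISKY_LOADERS = {"Loader", "UnsafeLoader", "FullLoader"}
SAFE_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader", "CBaseLoader"}
# Convenience functions that choose a risky loader on the caller's behalf.
RISKY_HELPERS = {"yaml.unsafe_load", "yaml.unsafe_load_all",
                 "yaml.full_load", "yaml.full_load_all"}
# '!!python/object/apply:os.system [...]' or its long-form tag.
PY_TAG = re.compile(r"!!python/|tag:yaml\.org,2002:python/")


def _dotted(node):
    """Return 'yaml.load' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def find_unsafe_yaml_loads(source):
    """Return [(lineno, reason), ...] for every YAML parse that can run code."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted(node.func)
        if name in RISKY_HELPERS:
            findings.append((node.lineno, f"{name}() constructs arbitrary objects"))
            continue
        if name not in ("yaml.load", "yaml.load_all"):
            continue
        # Loader may be passed positionally (2nd arg) or as Loader=...
        loader = node.args[1] if len(node.args) > 1 else None
        for kw in node.keywords:
            if kw.arg == "Loader":
                loader = kw.value
        if loader is None:
            findings.append((node.lineno, f"{name}() without Loader= "
                             "(PyYAML < 5.4 defaults to a code-executing loader)"))
            continue
        loader_name = (_dotted(loader) or "").rsplit(".", 1)[-1]
        if loader_name in SAFE_LOADERS:
            continue
        if loader_name in RISKY_LOADERS:
            findings.append((node.lineno, f"{name}(Loader={loader_name}) honours !!python/ tags"))
        else:
            findings.append((node.lineno, f"{name}() with unrecognised Loader; review by hand"))
    return findings


def suspicious_payload(body):
    """Reasons a fetched 'data source' body must not be handed to the parser."""
    reasons = []
    if PY_TAG.search(body):
        reasons.append("PyYAML python/* tag: deserialising this executes code")
    try:
        obj = json.loads(body)
    except ValueError:
        obj = None
    if isinstance(obj, dict) and "escapeFunction" in obj:
        # Assumption: this object reaches ejs.render() as its options argument.
        note = ("with client=true its source is inlined into the compiled template"
                if obj.get("client") else "overrides the template's escape function")
        reasons.append(f"EJS option escapeFunction in server data ({note})")
    return reasons


# Constructed samples standing in for a challenge repository file and for the
# one malicious "data source" response among several benign ones.
SAMPLE_REPO_FILE = '''
import requests, yaml

def load_sources(url):
    cfg = requests.get(url).text            # attacker-controlled for the bad source
    return yaml.load(cfg, Loader=yaml.Loader)

def load_prices():
    return yaml.safe_load(open("prices.yml"))
'''
SAMPLE_YAML_RESPONSE = "sources:\n  - !!python/object/apply:os.system ['echo compromised']\n"
SAMPLE_JSON_RESPONSE = json.dumps({"client": True,
                                   "escapeFunction": "(function(){/* stage 2 here */})(); function(s){return s}"})

if __name__ == "__main__":
    for lineno, reason in find_unsafe_yaml_loads(SAMPLE_REPO_FILE):
        print(f"repo line {lineno}: {reason}")
    for body in (SAMPLE_YAML_RESPONSE, SAMPLE_JSON_RESPONSE):
        print(suspicious_payload(body) or ["clean"])
```

The point of splitting the two checks is the one the campaign relies on: the repository source looks like ordinary configuration loading, so the sink (a non-safe loader, or render options built from a server response) has to be found in code, while the payload only ever appears in the one response served to a validated target, so it has to be inspected on the wire rather than in the repo.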

A Background on Slow Pisces

Slow Pisces (aka Jade Sleet, TraderTraitor and Pukchong) is a North Korean state-sponsored hacking group primarily focused on generating revenue for the regime. It typically targets large organizations, with a focus on the cryptocurrency industry.

The group stole over $1bn from the cryptocurrency sector in 2023 using various methods such as fake trading applications, malware spread through the Node Package Manager (NPM) and supply chain compromises. In December 2024, the FBI linked Slow Pisces to the theft of $308m from a Japan-based cryptocurrency company.

More recently, the group garnered attention for its alleged role in stealing $1.5bn from a Dubai cryptocurrency exchange.