FlagThis - #linkedin

North Korean state-sponsored group Slow Pisces, also known as Jade Sleet, TraderTraitor, and PUKCHONG, is actively targeting cryptocurrency developers through social engineering campaigns on LinkedIn. Security researchers at Palo Alto Networks have uncovered a scheme where the group poses as potential employers, enticing developers with coding challenges that are actually malware delivery mechanisms. The malicious activity is suspected to be connected to the massive Bybit hack that occurred in February 2025.

The attackers send what appear to be legitimate coding assignments to the developers, but these challenges contain malware disguised within compromised projects. When the developers run these projects, their systems become infected with new customized Python malware dubbed RN Loader and RN Stealer. RN Loader collects basic information about the victim's machine and operating system, sending it to a remote server, while RN Stealer is designed to harvest sensitive data from infected Apple macOS systems, including system metadata and installed applications.

GitHub and LinkedIn have taken action to remove the malicious accounts used by Slow Pisces. Both companies affirm that they use automated technology, expert teams, and user reporting to combat malicious actors. Palo Alto Networks customers are protected through their Next-Generation Firewall with Advanced URL Filtering and Advanced DNS Security subscriptions. They urge those who suspect they might be compromised to contact the Unit 42 Incident Response team.


References :

• Virus Bulletin: VirusBulletin reports on Slow Pisces (aka Jade Sleet, TraderTraitor, PUKCHONG) campaign targeting cryptocurrency developers on LinkedIn, posing as potential employers and sending malware disguised as coding challenges.
• unit42.paloaltonetworks.com: Unit 42 reports that North Korean state-sponsored group Slow Pisces (Jade Sleet) targeted crypto developers with a social engineering campaign that included malicious coding challenges.
• securityonline.info: Slow Pisces Targets Crypto Developers with Deceptive Coding Challenges
• The Hacker News: Crypto Developers Targeted by Python Malware Disguised as Coding Challenges
• Unit 42: Slow Pisces Targets Developers With Coding Challenges and Introduces New Customized Python Malware
• Security Risk Advisors: Slow Pisces Targets Crypto Developers With “Coding Challenges†That Deliver New RN Loader and RN Stealer Malware
• www.itpro.com: Hackers are duping developers with malware-laden coding challenges
• cyberpress.org: Slow Pisces Hackers Target Developers with Malicious Python Coding Tests
• gbhackers.com: Slow Pisces Group Targets Developers Using Coding Challenges Laced with Python Malware
• gbhackers.com: Slow Pisces Group Targets Developers Using Coding Challenges Laced with Python Malware
• sra.io: #NorthKorea - based #SlowPisces group hits #Crypto devs with #LinkedIn “coding challengesâ€! Repos mask #Python & #JS malware using YAML/EJS tricks.
• Security Risk Advisors: #NorthKorea - based #SlowPisces group hits #Crypto devs with #LinkedIn “coding challengesâ€! Repos mask #Python & #JS malware using YAML/EJS tricks.

Classification:

• HashTags: #APT #Cybersecurity #Malware
• Company: Palo Alto Networks
• Target: Cryptocurrency developers
• Attacker: Slow Pisces
• Product: Customized Python Malware
• Feature: Social Engineering
• Malware: Customized Python Malware
• Type: Malware
• Severity: Medium