The hackers behind the February breach of the Bybit exchange are at it again. A North Korean group tracked as Slow Pisces (also known as Jade Sleet, PUKCHONG, TraderTraitor, and UNC4899) has launched a targeted campaign against developers in the cryptocurrency sector. The attackers disguise malware as coding tasks, distributing them through LinkedIn under the guise of job offers.
The attack begins with a message on social media containing a job opportunity and a PDF with task details. If the target shows interest, they’re then invited to download a Python project from GitHub. At first glance, the project appears harmless — supposedly a crypto price tracker — but malicious code is embedded within.
The main goal is to trick the victim into running a trojan embedded in the project. Upon execution, a component called RN Loader activates, collecting basic system information and sending it to the attacker’s server. If the IP address, region, system time, and other parameters match the threat actor’s criteria, the next stage of the attack is deployed — the RN Stealer infostealer.
RN Stealer is capable of extracting sensitive data from macOS devices: system information, a list of installed applications, home directory contents, SSH keys, as well as configuration files for AWS, Kubernetes, and Google Cloud. Special attention is given to extracting data from the iCloud keychain.
If the target is a JavaScript developer, the tactic remains the same, but the project is titled "Cryptocurrency Dashboard" and uses the EJS templating engine. In this case, data from the command-and-control (C2) server is passed into the ejs.render() function, allowing the malicious code to execute covertly.
According to Palo Alto Networks, the group avoids commonly flagged functions such as eval() or exec(). Instead, it uses YAML deserialization, a less obvious technique that still allows for remote code execution. Additionally, payloads are delivered in stages and reside only in memory, making detection and analysis more difficult.
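The reason YAML deserialization works as a code-execution primitive is that PyYAML's full loaders (`yaml.load` with the default or `FullLoader`/`UnsafeLoader`) honour Python-specific tags such as `!!python/object/apply:`, which construct arbitrary objects and call arbitrary callables while parsing. The defensive answer is to scan untrusted YAML for those tags and to parse only with `yaml.safe_load`, which rejects them. The following is an added example written for this article, not code from Palo Alto Networks or from the campaign; the YAML documents in it are constructed, and the `builtins.len` tag is a deliberately harmless stand-in for whatever a real payload would reference.

```python
"""Flag PyYAML full-trust tags before loading untrusted YAML.

Added example, not from the report or the campaign's code. The sample
documents below are constructed; the tagged one uses builtins.len purely
to show how the tag is detected and refused.
"""
import re
from typing import List, Tuple

try:
    import yaml  # PyYAML; only needed for the safe_load path
except ImportError:
    yaml = None

# Both the short form (!!python/...) and the fully qualified form
# (tag:yaml.org,2002:python/...) are honoured by PyYAML's full loaders.
UNSAFE_TAG_RE = re.compile(r"(?:!!python/|tag:yaml\.org,2002:python/)\S*")

# Constructed config a "crypto price tracker" project might ship.
SAMPLE_BENIGN = """\
symbols:
  - BTC
  - ETH
refresh_seconds: 30
"""

# Constructed config carrying a Python-specific tag; yaml.load would
# call the referenced callable while parsing, safe_load refuses it.
SAMPLE_TAGGED = """\
symbols:
  - BTC
loader: !!python/object/apply:builtins.len [[1, 2, 3]]
"""


def find_unsafe_tags(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, tag) for every PyYAML-specific tag in `text`."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in UNSAFE_TAG_RE.finditer(line):
            hits.append((lineno, match.group(0)))
    return hits


def load_untrusted_yaml(text: str):
    """Refuse documents with Python-specific tags, then parse with safe_load only.

    The pre-scan gives a clear, loggable reason for the refusal; safe_load
    is the actual security boundary and would also reject the tags.
    """
    hits = find_unsafe_tags(text)
    if hits:
        raise ValueError(f"refusing to load YAML with Python-specific tags: {hits}")
    if yaml is None:
        raise RuntimeError("PyYAML is not installed")
    return yaml.safe_load(text)


if __name__ == "__main__":
    print("benign document tags:", find_unsafe_tags(SAMPLE_BENIGN))
    print("tagged document tags:", find_unsafe_tags(SAMPLE_TAGGED))
    try:
        load_untrusted_yaml(SAMPLE_TAGGED)
    except ValueError as err:
        print("blocked:", err)
```

In a code review of a project received from an unknown "recruiter", a grep for `yaml.load(` without `Loader=yaml.SafeLoader`, or for any `!!python/` tag in bundled data files, is a cheap check that catches exactly the pattern the report describes.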
Similar attacks from the same group have previously targeted employees in blockchain, cryptocurrency, gambling, and cybersecurity industries. At that time, attackers disguised malicious npm packages as coding assignments.
Jade Sleet is just one of several North Korean cells exploiting job recruitment themes in their operations. Other campaigns include Operation Dream Job, Contagious Interview, and Alluring Pisces. While these groups differ in infrastructure, they all follow a similar infection playbook — impersonating recruiters to lure victims.
What sets Slow Pisces apart is its strict control over malware deployment. Payloads are only delivered after environmental checks, and final-stage tools are deployed only when attackers are confident the target is of value.
