(Have feedback? Did something resonate with you? Did something annoy you? Just hit reply! :))

Get questions from your boss, like this:

1. What specific infrastructure overlaps (domains, IPs, GitHub repositories) have been identified between Slow Pisces, Alluring Pisces, and Contagious Interview campaigns?
2. Are there known overlaps or shared tactics between Slow Pisces and other DPRK-linked groups like Alluring Pisces or Contagious Interview, and what does this imply about their operational coordination?
3. What specific infrastructure overlaps (domains, IPs, GitHub repositories) have been identified between Slow Pisces, Alluring Pisces, and Contagious Interview campaigns?

Are you ready to level up your skillset? Get Started Here!

Suggested Pivot

Which specific infrastructure components (e.g., C2 servers, domains, cloud services, GitHub/Bitbucket repositories) and malware characteristics (e.g., obfuscation techniques like hexadecimal encoding, persistence mechanisms, memory-resident payloads) used by Slow Pisces, Alluring Pisces, and Contagious Interview are evolving most rapidly, and how can real-time detection and threat hunting be optimized to identify these changes early?

TL;DR

Key Points

1. • North Korean state-sponsored groups (Slow Pisces, Alluring Pisces, Contagious Interview) are intensifying financially motivated cyber operations, targeting cryptocurrency, blockchain, and software development sectors globally.
   • Action: Prioritize detection and defense against advanced social engineering, supply chain attacks, and memory-resident malware.
2. • Attackers leverage sophisticated TTP overlaps: fake job interviews, malicious coding challenges, compromised NPM/GitHub repositories, and custom malware (RN Loader, BeaverTail, InvisibleFerret, Tropidoor).
   • Action: Deploy MITRE ATT&CK-based detection rules, YARA signatures for Python/JavaScript obfuscation, and monitor for supply chain compromise.
3. • Infrastructure reuse and campaign overlap complicate attribution; shared C2 domains, hosting, and SSL certificates persist across campaigns.
   • Action: Continuously update and block known C2 infrastructure, automate threat hunting for domain and repository anomalies.
4. • Forecasts indicate continued targeting of DeFi, expansion to new supply chain vectors (PyPI, Docker Hub, CI/CD), and evolution of modular, fileless malware.
   • Action: Enhance behavioral analytics, segment developer environments, and invest in user awareness tailored to developer and crypto sectors.
5. • Recent breaches include $1.5B theft from a Dubai crypto exchange and $308M from a Japanese firm, underscoring the operational success and urgency of defense.
   • Action: Implement rapid, layered defenses and cross-sector intelligence sharing to mitigate ongoing and future threats.

Executive Summary

North Korean threat actors Slow Pisces, Alluring Pisces, and Contagious Interview—operating under the Reconnaissance General Bureau—have escalated global cyber operations since 2023, focusing on cryptocurrency theft and espionage. Their campaigns employ advanced social engineering (LinkedIn, fake job interviews), supply chain attacks (malicious NPM/GitHub packages), and custom, memory-resident malware (RN Loader, RN Stealer, BeaverTail, InvisibleFerret, Tropidoor) with cross-platform capabilities and sophisticated evasion (YAML deserialization, EJS obfuscation).

These groups share infrastructure, malware code, and TTPs, complicating attribution and enabling persistent, high-impact attacks. Notable breaches include billion-dollar cryptocurrency thefts from Dubai and Japan, achieved via developer-targeted lures and supply chain compromise. Technical overlaps with Lazarus Group and APT37 are evident, with shared malware families and infrastructure.

Defensive strategies must prioritize MITRE ATT&CK-based detection (e.g., T1566.001, T1059.006, T1059.007), YARA rules for Python/JavaScript obfuscation, continuous C2 monitoring, and EDR tuning for memory-resident threats. Network segmentation, strict access controls, and targeted user training for developers are critical.

Short-term forecasts predict intensified attacks on crypto and blockchain, increased use of fileless malware, and persistent social engineering. Long-term, expect expansion to DeFi, new supply chain vectors, and more modular, evasive malware. Cross-sector intelligence sharing and tailored awareness programs are essential to disrupt these evolving DPRK campaigns.

Research

Attribution

Historical Context

The DPRK-linked threat actors "Slow Pisces," "Alluring Pisces," and "Contagious Interview" operate under North Korea's Reconnaissance General Bureau (RGB). These groups have been active since at least the early 2000s, with intensified activity in recent years focusing on financially motivated cybercrime, especially targeting cryptocurrency sectors and espionage. They employ sophisticated social engineering, supply chain attacks, and custom malware to infiltrate targets globally, particularly software developers and blockchain companies.

Timeline

• Early 2020s: Initial activity and identification of DPRK-linked groups under RGB.
• 2023: Slow Pisces linked to major cryptocurrency thefts exceeding $1 billion.
• 2023-2025: Contagious Interview campaign active, using fake job interviews to infect developers.
• 2024-2025: Overlapping infrastructure and malware usage among Slow Pisces, Alluring Pisces, and Contagious Interview observed, with new malware variants and expanded targeting.

Origin

All three groups are North Korean state-sponsored actors under the RGB, specializing in cybercrime and espionage to support regime funding and intelligence objectives.

Countries Targeted

1. United States – Primary target for cryptocurrency and software development sectors.
2. South Korea – Espionage and financial theft.
3. Japan – Victim of cryptocurrency thefts.
4. United Arab Emirates – Cryptocurrency exchange thefts.
5. Global – Software developers and blockchain companies worldwide.

Sectors Targeted

1. Cryptocurrency and Blockchain – Financial theft and supply chain attacks.
2. Software Development – Supply chain infiltration and malware delivery.
3. Financial Services – Theft and espionage.
4. Government and Military – Espionage.
5. Critical Infrastructure – Intelligence gathering and disruption.

Motivation

Financial gain through cryptocurrency theft and cybercrime, alongside espionage to support DPRK strategic interests.

Attack Types

• Social engineering via LinkedIn and fake job interviews.
• Supply chain attacks on software platforms.
• Use of custom malware families: RN Loader, RN Stealer, BeaverTail, InvisibleFerret, Tropidoor.
• Memory-resident and fileless malware techniques.
• Infrastructure reuse including shared C2 servers and domains.

Known Aliases

1. Slow Pisces (Palo Alto Networks Unit 42)
2. Jade Sleet (Palo Alto Networks Unit 42)
3. TraderTraitor (FBI)
4. PUKCHONG (Palo Alto Networks Unit 42)
5. UNC4899 (Palo Alto Networks Unit 42)
6. CL-STA-0240 / Contagious Interview (Unit 42, Palo Alto Networks)
7. PurpleBravo (Recorded Future)
8. Famous Chollima / Tenacious Pungsan (Open sources)

Links to Other APT Groups

1. Lazarus Group – Shares malware families (BeaverTail), infrastructure, and targeting.
2. APT37 (Reaper) – Similar social engineering and malware use.

Similar Threat Actor Groups

1. Lazarus Group
2. APT37 (Reaper)

Breaches Involving This Threat Actor

• Slow Pisces linked to $1.5 billion theft from Dubai cryptocurrency exchange (2024).
• $308 million theft from Japan-based cryptocurrency company (2024).

Technical Analysis of Overlaps

Shared TTPs

• Social engineering targeting developers via LinkedIn and fake job interviews.
• Use of malicious coding challenges and fake recruitment lures.
• Supply chain attacks leveraging compromised GitHub and NPM repositories.
• Delivery of multi-stage malware with memory-resident payloads.
• Use of YAML deserialization and EJS escapeFunction for code execution evasion.

Malware Code Similarities and Details

• RN Loader and RN Stealer (Slow Pisces): Python-based malware using YAML deserialization for payload execution. RN Stealer exfiltrates system and credential data, tailored for macOS and Windows.
• BeaverTail (Contagious Interview): JavaScript-based stealer and loader distributed via malicious NPM packages, capable of stealing browser cryptocurrency wallets and delivering InvisibleFerret.
• InvisibleFerret: Python backdoor with modular components for fingerprinting, remote control, keylogging, and data exfiltration across Windows, macOS, and Linux.
• Tropidoor: Windows backdoor delivered by BeaverTail, operating in memory, capable of file exfiltration, process management, and screenshot capture.
• Malware targeting includes 13 cryptocurrency wallet browser extensions (e.g., MetaMask, Coinbase, Binance).
• Malware hashes and indicators are publicly available from Unit 42 reports.

Infrastructure Reuse

• Shared C2 domains and IPs across campaigns, often mimicking legitimate domains with subdomains (e.g., .api, .cdn).
• Use of GitHub and Bitbucket repositories for malware hosting.
• Overlapping hosting providers and SSL certificates.
• Infrastructure timelines show continuous activity from 2023 through early 2025.

Future Attack Pattern Predictions

• Continued targeting of cryptocurrency and blockchain sectors with advanced social engineering.
• Expansion of supply chain attacks via open-source repositories and package managers.
• Increased use of cross-platform, memory-resident malware to evade detection.
• Potential targeting of emerging financial technologies like DeFi.
• Persistent use of fake recruitment and job-seeker lures to compromise high-value targets.

Detection and Defense Strategies (Next 3-6 Months)

Prioritized Recommendations

1. Detection Rules:

   • Implement MITRE ATT&CK techniques such as:
     • T1566.001 (Spearphishing via Service)
     • T1204.002 (Malicious File)
     • T1059.006 (Python)
     • T1059.007 (JavaScript)
     • T1203 (Exploitation for Client Execution)
     • T1071.001 (Web Protocols)
     • T1027 (Obfuscated Files or Information)
     • T1055 (Process Injection)
     • T1560.001 (Archive via API)
     • T1105 (Ingress Tool Transfer)
     • T1053.005 (Scheduled Task)
     • T1113 (Screen Capture)
     • T1056.001 (Keylogging)
     • T1074.001 (File Deletion)
     • T1562.001 (Impair Defenses: Disable or Modify Tools)

2. YARA Rules:

   • Develop YARA signatures targeting:
     • RN Loader and RN Stealer Python YAML deserialization patterns (e.g., use of yaml.load() with !!python/object/apply).
     • BeaverTail JavaScript obfuscation and EJS escapeFunction usage.
     • InvisibleFerret Python backdoor command and control patterns.
     • Tropidoor in-memory loader characteristics.

3. Infrastructure Monitoring:

   • Block and monitor known C2 domains and IPs (e.g., en.stockslab[.]org, update.jquerycloud[.]io, 95.164.17[.]24).
   • Monitor GitHub and Bitbucket repositories for suspicious activity and malicious package uploads.

4. Endpoint Detection and Response (EDR):

   • Tune EDR to detect memory-resident payloads and suspicious deserialization.
   • Monitor for unusual Python and JavaScript execution in developer environments.
   • Detect anomalous network traffic to known C2 infrastructure.

5. Network Segmentation and Access Controls:

   • Isolate development environments from corporate networks.
   • Restrict installation of unapproved software and packages.
   • Enforce multi-factor authentication and least privilege access.

6. User Awareness and Training:

   • Educate developers on risks of social engineering and fake recruitment.
   • Promote verification of job offers and GitHub repository legitimacy.
   • Encourage use of dedicated devices for personal and professional activities.

Case Study Example

Slow Pisces' 2024 campaign used LinkedIn to deliver malicious coding challenges with embedded RN Loader and RN Stealer malware, resulting in over $1 billion in cryptocurrency theft. Detection of YAML deserialization and EJS escapeFunction payloads was critical in identifying this campaign early.

Recommendations, Actions, Suggested Pivots, Forecasts and Next Steps..

(Subscribers Only)