DPRK's Evolving Cyber Arsenal: Overlapping Malware, Supply Chain Attacks, and Social Engineering in Cryptocurrency and Developer Sectors
North Korean threat actors Slow Pisces, Alluring Pisces, and Contagious Interview, operating under the Reconnaissance General Bureau, have escalated global cyber operations since 2023, focusing on cryptocurrency theft and espionage. Their campaigns employ advanced social engineering, supply chain attacks, and custom memory-resident malware.




(Have feedback? Did something resonate with you? Did something annoy you? Just hit reply! :))
Get questions from your boss, like this:
- What specific infrastructure overlaps (domains, IPs, GitHub repositories) have been identified between Slow Pisces, Alluring Pisces, and Contagious Interview campaigns?
- Are there known overlaps or shared tactics between Slow Pisces and other DPRK-linked groups like Alluring Pisces or Contagious Interview, and what does this imply about their operational coordination?
TL;DR
Key Points
- North Korean state-sponsored groups (Slow Pisces, Alluring Pisces, Contagious Interview) are intensifying financially motivated cyber operations, targeting cryptocurrency, blockchain, and software development sectors globally.
  - Action: Prioritize detection and defense against advanced social engineering, supply chain attacks, and memory-resident malware.
- Attackers leverage overlapping TTPs: fake job interviews, malicious coding challenges, compromised NPM/GitHub repositories, and custom malware (RN Loader, BeaverTail, InvisibleFerret, Tropidoor).
  - Action: Deploy MITRE ATT&CK-mapped detection rules and YARA signatures for the Python deserialization and JavaScript obfuscation tricks these loaders use, and monitor for supply chain compromise.
- Infrastructure reuse and campaign overlap complicate attribution; shared C2 domains, hosting, and SSL certificates persist across campaigns.
  - Action: Continuously update and block known C2 infrastructure, and automate threat hunting for domain and repository anomalies.
- Forecasts indicate continued targeting of DeFi, expansion to new supply chain vectors (PyPI, Docker Hub, CI/CD), and evolution of modular, fileless malware.
  - Action: Enhance behavioral analytics, segment developer environments, and invest in user awareness tailored to developer and crypto sectors.
- Recent breaches include the $1.5B theft from a Dubai crypto exchange (2025) and $308M from a Japanese firm (2024), underscoring the operational success of these groups and the urgency of defense.
  - Action: Implement rapid, layered defenses and cross-sector intelligence sharing to mitigate ongoing and future threats.
Executive Summary
North Korean threat actors Slow Pisces, Alluring Pisces, and Contagious Interview, operating under the Reconnaissance General Bureau, have escalated global cyber operations since 2023, focusing on cryptocurrency theft and espionage. Their campaigns employ advanced social engineering (LinkedIn, fake job interviews), supply chain attacks (malicious NPM/GitHub packages), and custom, memory-resident malware (RN Loader, RN Stealer, BeaverTail, InvisibleFerret, Tropidoor) with cross-platform capabilities and in-memory execution tricks (PyYAML deserialization in Python, abuse of the EJS escapeFunction option in JavaScript).
These groups share infrastructure, malware code, and TTPs, complicating attribution and enabling persistent, high-impact attacks. Notable breaches include billion-dollar cryptocurrency thefts from exchanges in Dubai and Japan, achieved via developer-targeted lures and supply chain compromise. Technical overlaps with the wider Lazarus Group and with APT37 are evident, with shared malware families and infrastructure.
Defensive strategies must prioritize MITRE ATT&CK-mapped detection (e.g., T1566.003, T1059.006, T1059.007), YARA rules for Python deserialization and JavaScript obfuscation, continuous C2 monitoring, and EDR tuning for memory-resident threats. Network segmentation, strict access controls, and targeted user training for developers are critical.
Short-term forecasts predict intensified attacks on crypto and blockchain, increased use of fileless malware, and persistent social engineering. Long-term, expect expansion to DeFi, new supply chain vectors, and more modular, evasive malware. Cross-sector intelligence sharing and tailored awareness programs are essential to disrupt these evolving DPRK campaigns.
Research
Attribution
Historical Context
The DPRK-linked threat actors "Slow Pisces," "Alluring Pisces," and "Contagious Interview" are activity clusters attributed to North Korea's Reconnaissance General Bureau (RGB). They sit under the broader Lazarus umbrella, which has been active for well over a decade, but the three clusters tracked here were identified as distinct activity from roughly 2022 onward, with intensified activity in recent years focusing on financially motivated cybercrime, especially against the cryptocurrency sector, alongside espionage. They employ sophisticated social engineering, supply chain attacks, and custom malware to infiltrate targets globally, particularly software developers and blockchain companies.
Timeline
- 2022-2023: The three clusters identified as distinct RGB-attributed activity; Contagious Interview observed as early as late 2022.
- 2023: Slow Pisces linked to major cryptocurrency thefts exceeding $1 billion.
- 2023-2025: Contagious Interview campaign active, using fake job interviews to infect developers.
- 2024-2025: Overlapping infrastructure and malware usage among Slow Pisces, Alluring Pisces, and Contagious Interview observed, with new malware variants and expanded targeting.
Origin
All three groups are North Korean state-sponsored actors under the RGB, specializing in cybercrime and espionage to support regime funding and intelligence objectives.
Countries Targeted
- United States – Primary target for cryptocurrency and software development sectors.
- South Korea – Espionage and financial theft.
- Japan – Victim of cryptocurrency thefts.
- United Arab Emirates – Cryptocurrency exchange thefts.
- Global – Software developers and blockchain companies worldwide.
Sectors Targeted
- Cryptocurrency and Blockchain – Financial theft and supply chain attacks.
- Software Development – Supply chain infiltration and malware delivery.
- Financial Services – Theft and espionage.
- Government and Military – Espionage.
- Critical Infrastructure – Intelligence gathering and disruption.
Motivation
Financial gain through cryptocurrency theft and cybercrime, alongside espionage to support DPRK strategic interests.
Attack Types
- Social engineering via LinkedIn and fake job interviews.
- Supply chain attacks on software platforms.
- Use of custom malware families: RN Loader, RN Stealer, BeaverTail, InvisibleFerret, Tropidoor.
- Memory-resident and fileless malware techniques.
- Infrastructure reuse including shared C2 servers and domains.
Known Aliases
- Slow Pisces (Palo Alto Networks Unit 42): also tracked as Jade Sleet (Microsoft), TraderTraitor (FBI/CISA), and UNC4899 / PUKCHONG (Mandiant, Google Cloud).
- Alluring Pisces (Unit 42): also tracked as BlueNoroff / APT38, Sapphire Sleet (Microsoft), and Stardust Chollima (CrowdStrike).
- Contagious Interview / CL-STA-0240 (Unit 42): also tracked as PurpleBravo (Recorded Future), Famous Chollima (CrowdStrike), and Tenacious Pungsan (Datadog).
Links to Other APT Groups
- Lazarus Group – Umbrella name under which all three clusters are commonly grouped; shares malware families (BeaverTail), infrastructure, and targeting.
- APT37 (Reaper) – Similar social engineering and malware use.
Similar Threat Actor Groups
- Lazarus Group
- APT37 (Reaper)
Breaches Involving This Threat Actor
- Slow Pisces linked to the $1.5 billion theft from a Dubai cryptocurrency exchange (February 2025).
- $308 million theft from Japan-based cryptocurrency company (2024).
Technical Analysis of Overlaps
Shared TTPs
- Social engineering targeting developers via LinkedIn and fake job interviews.
- Use of malicious coding challenges and fake recruitment lures.
- Supply chain attacks leveraging compromised GitHub and NPM repositories.
- Delivery of multi-stage malware with memory-resident payloads.
- Slow Pisces' use of PyYAML deserialization (Python) and the EJS escapeFunction option (JavaScript) to execute payloads in memory and evade file-based detection.
Malware Code Similarities and Details
- RN Loader and RN Stealer (Slow Pisces): Python-based malware in which RN Loader executes the next stage by deserializing attacker-controlled YAML with a full PyYAML loader. RN Stealer exfiltrates system and credential data; the variant recovered by Unit 42 targets macOS.
- BeaverTail (Contagious Interview): JavaScript-based stealer and loader distributed via malicious NPM packages, capable of stealing browser cryptocurrency wallets and delivering InvisibleFerret.
- InvisibleFerret: Python backdoor with modular components for fingerprinting, remote control, keylogging, and data exfiltration across Windows, macOS, and Linux.
- Tropidoor: Windows backdoor delivered by BeaverTail, operating in memory, capable of file exfiltration, process management, and screenshot capture.
- BeaverTail targets 13 cryptocurrency wallet browser extensions (e.g., MetaMask, Coinbase, Binance) by enumerating their extension IDs.
- Malware hashes and indicators are publicly available from Unit 42 reports.
Infrastructure Reuse
- Shared C2 domains and IPs across campaigns, often mimicking legitimate services through subdomain labels such as api., cdn., and update.
- Use of GitHub and Bitbucket repositories for malware hosting.
- Overlapping hosting providers and SSL certificates.
- Infrastructure timelines show continuous activity from 2023 through early 2025.
Future Attack Pattern Predictions
- Continued targeting of cryptocurrency and blockchain sectors with advanced social engineering.
- Expansion of supply chain attacks via open-source repositories and package managers.
- Increased use of cross-platform, memory-resident malware to evade detection.
- Potential targeting of emerging financial technologies like DeFi.
- Persistent use of fake recruitment and job-seeker lures to compromise high-value targets.
Detection and Defense Strategies (Next 3-6 Months)
Prioritized Recommendations
Detection Rules:
- Build detections mapped to the following MITRE ATT&CK techniques:
  - T1566.003 (Phishing: Spearphishing via Service)
  - T1204.002 (User Execution: Malicious File)
  - T1059.006 (Command and Scripting Interpreter: Python)
  - T1059.007 (Command and Scripting Interpreter: JavaScript)
  - T1203 (Exploitation for Client Execution)
  - T1071.001 (Application Layer Protocol: Web Protocols)
  - T1027 (Obfuscated Files or Information)
  - T1055 (Process Injection)
  - T1560.001 (Archive Collected Data: Archive via Utility)
  - T1105 (Ingress Tool Transfer)
  - T1053.005 (Scheduled Task/Job: Scheduled Task)
  - T1113 (Screen Capture)
  - T1056.001 (Input Capture: Keylogging)
  - T1070.004 (Indicator Removal: File Deletion)
  - T1562.001 (Impair Defenses: Disable or Modify Tools)
YARA Rules:
- Develop YARA signatures targeting:
  - RN Loader and RN Stealer: PyYAML deserialization of attacker-controlled data (yaml.load() with a full Loader and documents carrying !!python/object/apply tags).
  - Slow Pisces JavaScript payloads: abuse of the EJS escapeFunction option to execute code during template rendering.
  - BeaverTail: obfuscated JavaScript and browser wallet-extension enumeration.
  - InvisibleFerret: Python backdoor command-and-control patterns.
  - Tropidoor: in-memory loader characteristics.
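Before a YARA rule is written, the same loader tricks can be triaged with an ordinary static scan of the files a developer just cloned or installed. The following Python script is an added example written for this report, not code from Unit 42 or any vendor; the regexes are assumptions about what RN Loader-style Python and BeaverTail-style JavaScript look like, and the sample sources are constructed stand-ins, not real malware. It reports which rules fired per file and treats a file listing three or more Chrome extension IDs (32 characters from a-p) as wallet-extension enumeration:

```python
"""Static triage for the loader tricks described above: PyYAML deserialization
of !!python/object tags, the EJS escapeFunction trick, and the string
obfuscation seen in the JavaScript stealers. Added example, not vendor code;
the sample sources below are constructed stand-ins, not real malware."""
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int      # 1-based line in the scanned source (0 = whole-file rule)
    excerpt: str


# (rule name, file kind, regex). Regexes are applied one line at a time,
# so the SafeLoader lookahead only needs to see the rest of the same line.
RULES = [
    # yaml.load(...) without an explicit SafeLoader, or yaml.unsafe_load(...)
    ("py_yaml_unsafe_load", "py",
     re.compile(r"\byaml\.(?:unsafe_load\s*\(|load\s*\((?!.*SafeLoader))")),
    # a PyYAML tag that instantiates or calls an arbitrary Python object
    ("py_yaml_object_tag", "py",
     re.compile(r"!!python/object/(?:apply|new):")),
    # exec/eval fed straight from a decoder: the usual in-memory loader shape
    ("py_exec_of_decoded", "py",
     re.compile(r"\b(?:exec|eval)\s*\(\s*(?:base64\.b64decode|bytes\.fromhex|zlib\.decompress|codecs\.decode)\b")),
    # EJS options carrying an attacker-supplied escape function
    ("js_ejs_escape_function", "js",
     re.compile(r"\bescapeFunction\s*:")),
    # runs of \xNN escapes (8 or more) hiding strings from plain grep
    ("js_hex_string_run", "js",
     re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}")),
    # dynamic code construction from a decoded blob
    ("js_dynamic_code", "js",
     re.compile(r"\b(?:eval|new\s+Function)\s*\(\s*(?:atob|Buffer\.from)\s*\(")),
]

# Chrome extension IDs are 32 characters drawn from a-p; a file that lists
# several of them is enumerating extensions, as the wallet-stealing code does.
EXT_ID = re.compile(r"\b[a-p]{32}\b")


def scan_source(text: str, kind: str) -> list[Finding]:
    """Return findings for one file. `kind` is 'py' or 'js'."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rule_kind, pattern in RULES:
            if rule_kind == kind and pattern.search(line):
                findings.append(Finding(name, lineno, line.strip()[:80]))
    if kind == "js" and len(set(EXT_ID.findall(text))) >= 3:
        findings.append(Finding("js_extension_id_list", 0, "3+ distinct Chrome extension IDs"))
    return findings


def triage(files: dict[str, str]) -> dict[str, list[str]]:
    """Map file name -> sorted distinct rule names that fired."""
    out = {}
    for name, text in files.items():
        kind = "js" if name.endswith(".js") else "py"
        out[name] = sorted({f.rule for f in scan_source(text, kind)})
    return out


# Constructed samples (not real malware): one suspicious and one benign file per language.
SAMPLES = {
    "loader.py": (
        "import yaml, base64\n"
        "blob = fetch()  # hypothetical download of the second stage\n"
        "cfg = yaml.load(base64.b64decode(blob), Loader=yaml.Loader)\n"
        "# the fetched document looks like:\n"
        "# !!python/object/apply:builtins.print ['hello']\n"
    ),
    "settings.py": (
        "import yaml\n"
        "with open('app.yml') as fh:\n"
        "    cfg = yaml.load(fh, Loader=yaml.SafeLoader)\n"
    ),
    "stage.js": (
        "const ejs = require('ejs');\n"
        "const opts = { escapeFunction: blob, client: true };\n"
        "const s = '\\x63\\x6f\\x6e\\x73\\x74\\x20\\x78\\x3d\\x31';\n"
        "const ids = ['" + "a" * 32 + "', '" + "b" * 32 + "', '" + "c" * 32 + "'];\n"
        "new Function(Buffer.from(s, 'base64').toString())();\n"
    ),
    "server.js": (
        "const express = require('express');\n"
        "const app = express();\n"
        "app.get('/', (req, res) => res.send('ok'));\n"
    ),
}

if __name__ == "__main__":
    for name, rules in triage(SAMPLES).items():
        print(f"{name}: {', '.join(rules) or 'clean'}")
```

Run it against a checkout or an unpacked npm tarball by feeding file contents into `triage`; the per-line rules are deliberately loose (a `yaml.load` with a custom loader class will fire too), because the point is to surface candidates for a human or a YARA rule, not to replace either.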
Infrastructure Monitoring:
- Block and monitor known C2 domains and IPs (e.g., en.stockslab[.]org, update.jquerycloud[.]io, 95.164.17[.]24).
- Monitor GitHub and Bitbucket repositories for suspicious activity and malicious package uploads.
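Blocklist matching alone misses the next lookalike host, so a hunt over resolver logs should also score hostnames. The following Python script is an added example, not vendor code: it refangs the indicators listed above, parses a constructed DNS-resolver log (the log format, the brand list, the allowlist and the similarity threshold are all assumptions), and flags both exact indicator hits and api./cdn./update.-style hosts whose registrable label borrows a well-known library or service name:

```python
"""Hunt resolver logs for the infrastructure pattern described above: exact
hits on published C2 indicators, plus lookalike hosts that borrow a
legitimate library or service name under an 'api.', 'cdn.' or 'update.'
label. Added example, not vendor code. The log lines, brand list,
allowlist and similarity threshold are constructed assumptions."""
from __future__ import annotations
import difflib
import ipaddress

# Indicators named in this report, kept defanged as published.
IOCS_DEFANGED = ["en.stockslab[.]org", "update.jquerycloud[.]io", "95.164.17[.]24"]

# Assumptions for the lookalike check (not exhaustive).
BRANDS = ["jquery", "npmjs", "github", "cloudflare", "metamask", "linkedin"]
LEGIT_DOMAINS = {"jquery.com", "npmjs.com", "github.com", "cloudflare.com",
                 "metamask.io", "linkedin.com"}
SUSPECT_LABELS = {"api", "cdn", "update", "static", "assets"}
SIMILARITY = 0.8   # difflib ratio at which a label counts as imitating a brand


def refang(ioc: str) -> str:
    """Turn the published defanged form back into a matchable string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


IOC_DOMAINS = {refang(i) for i in IOCS_DEFANGED if not _is_ip(refang(i))}
IOC_IPS = {refang(i) for i in IOCS_DEFANGED if _is_ip(refang(i))}


def lookalike_brand(host: str) -> str | None:
    """Return the brand a host imitates, or None.

    Fires only for hosts shaped <suspect-label>.<name>.<tld> where
    <name>.<tld> is not allowlisted and <name> either starts with a brand
    ('jquerycloud') or is within edit distance of one ('githb'). The
    registrable-domain split is naive (no public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    if len(parts) < 3 or parts[0] not in SUSPECT_LABELS:
        return None
    if ".".join(parts[-2:]) in LEGIT_DOMAINS:
        return None
    label = parts[-2]
    for brand in BRANDS:
        if label.startswith(brand):
            return brand
        if difflib.SequenceMatcher(None, label, brand).ratio() >= SIMILARITY:
            return brand
    return None


def classify(host: str, answer: str) -> list[str]:
    """Reasons a query is worth a ticket, in a stable order."""
    reasons = []
    if host.lower() in IOC_DOMAINS:
        reasons.append("ioc-domain")
    if answer in IOC_IPS:
        reasons.append("ioc-ip")
    brand = lookalike_brand(host)
    if brand:
        reasons.append(f"lookalike:{brand}")
    return reasons


# Constructed resolver log: timestamp, client, queried name, answered address.
LOG = """\
2025-04-15T10:01:02Z 10.0.5.21 update.jquerycloud.io 95.164.17.24
2025-04-15T10:01:09Z 10.0.5.21 cdn.jquery.com 192.0.2.10
2025-04-15T10:02:30Z 10.0.7.3 api.githb.net 203.0.113.9
2025-04-15T10:03:11Z 10.0.7.3 en.stockslab.org 198.51.100.4
2025-04-15T10:04:00Z 10.0.9.8 api.example.com 192.0.2.34
"""


def hunt(log: str) -> dict[str, list[str]]:
    """Map each flagged host to its reasons; clean hosts are omitted."""
    hits: dict[str, list[str]] = {}
    for line in log.splitlines():
        if not line.strip():
            continue
        _ts, _client, host, answer = line.split()
        reasons = classify(host, answer)
        if reasons:
            hits[host] = reasons
    return hits


if __name__ == "__main__":
    for host, reasons in hunt(LOG).items():
        print(f"{host}: {', '.join(reasons)}")
```

The allowlist matters: without it, cdn.jquery.com scores a perfect match against the jquery brand and the hunt drowns in the legitimate CDN traffic every developer workstation generates. In production the naive two-label split should be replaced with a public-suffix-aware parser so that hosts under co.uk-style suffixes are scored on the right label.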
Endpoint Detection and Response (EDR):
- Tune EDR to detect memory-resident payloads and suspicious deserialization.
- Monitor for unusual Python and JavaScript execution in developer environments.
- Detect anomalous network traffic to known C2 infrastructure.
Network Segmentation and Access Controls:
- Isolate development environments from corporate networks.
- Restrict installation of unapproved software and packages.
- Enforce multi-factor authentication and least privilege access.
User Awareness and Training:
- Educate developers on risks of social engineering and fake recruitment.
- Promote verification of job offers and GitHub repository legitimacy.
- Encourage use of dedicated devices for personal and professional activities.
Case Study Example
The Slow Pisces campaign documented by Unit 42 in April 2025 used LinkedIn to deliver malicious coding challenges carrying RN Loader and RN Stealer. Unit 42 links the group to more than $1 billion in cryptocurrency theft during 2023 and to the $1.5 billion Dubai exchange theft in 2025. Recognizing the PyYAML deserialization and EJS escapeFunction tricks was key to characterizing the payloads, since the later stages execute in memory and leave little on disk to signature.
Recommendations
- Prioritize immediate implementation of detection rules based on the MITRE ATT&CK techniques identified (e.g., T1566.003, T1204.002, T1059.006, T1059.007). Create specific detection signatures for spearphishing via service and malicious Python and JavaScript execution, leveraging existing templates from Unit 42 reports. Rapid deployment is critical to intercept ongoing campaigns like the one behind Slow Pisces' $1.5 billion cryptocurrency theft and reduce exposure to similar high-impact attacks.
- Develop and deploy targeted YARA signatures, such as detecting RN Loader's PyYAML deserialization pattern (yaml.load() with a full Loader on documents containing !!python/object/apply), the EJS escapeFunction trick used by Slow Pisces' JavaScript payloads, and BeaverTail's JavaScript obfuscation. Providing these templates to security teams will accelerate malware identification and containment, especially for memory-resident and fileless malware that evade traditional detection.
- Implement continuous infrastructure monitoring and blocking of known C2 domains and IPs (e.g., en.stockslab[.]org, update.jquerycloud[.]io, 95.164.17[.]24). Establish automated alerts for suspicious activity on GitHub and Bitbucket repositories to detect malicious package uploads early. Begin with high-risk domains and expand as new indicators emerge to reduce the risk of supply chain compromise.
- Enhance Endpoint Detection and Response (EDR) configurations to detect anomalous Python and JavaScript execution and memory-resident payloads. Tune EDR to flag unusual deserialization calls or script execution in developer environments. Implement this in parallel with network traffic analysis to identify communications with known C2 infrastructure, providing layered defense.
- Enforce network segmentation and strict access controls by isolating development environments, restricting unapproved software installations, and mandating multi-factor authentication and least privilege access. Begin with the most critical development teams working on blockchain and cryptocurrency projects to limit lateral movement and reduce attack surface.
- Launch targeted user awareness and training programs focused on social engineering risks, fake recruitment lures, and verification of job offers and repository legitimacy. Highlight recent incidents such as the Contagious Interview campaign to illustrate real-world consequences. Encourage developers to use dedicated devices for professional activities to minimize exposure to sophisticated lures.
Followup Research
Suggested Pivots
- Which specific infrastructure components (e.g., C2 servers, domains, cloud services, GitHub/Bitbucket repositories) and malware characteristics (e.g., obfuscation techniques like hexadecimal encoding, persistence mechanisms, memory-resident payloads) used by Slow Pisces, Alluring Pisces, and Contagious Interview are evolving most rapidly, and how can real-time detection and threat hunting be optimized to identify these changes early?
- What are the critical vulnerabilities in software development and blockchain supply chains exploited by these DPRK-linked groups, particularly through malicious npm packages and supply chain attacks, and what targeted mitigation strategies (e.g., enhanced repository monitoring, package vetting, developer environment isolation) can be implemented to reduce risk?
- How effective are current detection frameworks, including MITRE ATT&CK-based rules and YARA signatures for Python YAML deserialization and JavaScript obfuscation, in detecting the latest variants of BeaverTail, InvisibleFerret, Tropidoor, and RN Loader malware, and what novel detection techniques or behavioral analytics could improve identification of fileless and memory-resident malware?
- Considering the geopolitical context, how does the DPRK's combined use of cybercrime for regime funding and espionage against key countries (US, South Korea, Japan, UAE) influence international cybersecurity collaboration, and what intelligence-sharing or joint response mechanisms could be enhanced to disrupt these threat actors more effectively?
- How can user awareness and training programs be tailored to counter the sophisticated social engineering tactics employed in ongoing campaigns like Contagious Interview and Slow Pisces, including fake job interviews and malicious coding challenges, and what role can red teaming and simulated phishing exercises play in strengthening developer and cryptocurrency sector defenses?
Forecast
Short-Term Forecast (3-6 months)
- Continued Aggressive Targeting of Cryptocurrency and Blockchain Sectors with Enhanced Supply Chain Attacks
  DPRK-linked groups Slow Pisces, Alluring Pisces, and Contagious Interview will intensify campaigns against cryptocurrency exchanges, blockchain companies, and wallet providers. Sophisticated social engineering tactics, such as fake LinkedIn job interviews and malicious coding challenges, combined with supply chain attacks via malicious NPM packages and compromised GitHub/Bitbucket repositories, will remain primary attack vectors.
  Defenders should monitor open-source package repositories, especially NPM and Bitbucket, and implement alerts for new or modified packages with obfuscated JavaScript or Python code.
  Examples:
  - The April 2025 discovery of 11 malicious NPM packages distributing BeaverTail and a new RAT loader, with over 5,600 downloads before removal, demonstrates the persistence and scale of supply chain compromises.
  - The February 2025 $1.5 billion theft from a Dubai cryptocurrency exchange and the 2024 $308 million theft from a Japanese crypto company highlight the financial impact and operational success of these campaigns.
  This forecast is ranked highest due to the direct financial impact, ongoing active campaigns, and the criticality of the targeted sectors.
- Increased Use of Memory-Resident and Fileless Malware to Evade Detection
  Threat actors will escalate deployment of memory-resident malware such as Tropidoor and InvisibleFerret, leveraging process injection and in-memory execution tricks (PyYAML deserialization in RN Loader, the EJS escapeFunction option in Slow Pisces' JavaScript payloads) to evade traditional endpoint detection and response (EDR) tools.
  Security teams should tune EDR solutions to detect anomalous Python and JavaScript execution patterns, monitor for suspicious deserialization calls, and flag unusual in-memory process injections.
  Examples:
  - Tropidoor's in-memory backdoor capabilities include file exfiltration, process management, and screenshot capture, with direct use of Windows commands (schtasks, ping, reg), complicating detection.
  - RN Loader's use of PyYAML deserialization to run the next stage without writing it to disk is an uncommon technique that requires purpose-built detection rules.
  This forecast is critical as it directly challenges defenders' ability to detect and respond, necessitating rapid adaptation of detection rules and EDR tuning.
- Persistent and Sophisticated Social Engineering via Fake Recruitment and Job-Seeker Lures
  Social engineering campaigns leveraging fake job interviews, coding challenges, and recruitment lures will continue to be a primary initial access vector, especially targeting software developers and blockchain professionals.
  Organizations should implement targeted user awareness programs emphasizing verification of job offers, suspicious recruiter profiles, and the risks of executing unvetted code from recruitment exercises. Red teaming and simulated phishing exercises tailored to developer environments will enhance resilience.
  Examples:
  - The Contagious Interview campaign's use of fake recruiter personas and malicious coding challenges to deliver BeaverTail and InvisibleFerret malware.
  - Slow Pisces' use of LinkedIn for spearphishing and delivery of malicious Python scripts hosted on GitHub.
  This forecast is ranked high due to the effectiveness of social engineering in initial compromise and the difficulty in fully automating detection.
- Expansion of Infrastructure Reuse and Overlapping Campaigns to Obfuscate Attribution
  The groups will continue to reuse and overlap command and control (C2) infrastructure, domains, and SSL certificates to maintain operational security and complicate attribution efforts.
  Defenders should maintain updated blocklists of known C2 domains (e.g., en.stockslab[.]org, update.jquerycloud[.]io) and monitor for new subdomains mimicking legitimate services. Automated infrastructure threat hunting and domain similarity analysis will be valuable.
  Examples:
  - Shared C2 domains and IPs across campaigns from 2023 through early 2025, including overlapping hosting providers and SSL certificates.
  This forecast is important for defenders to prioritize infrastructure monitoring and blocking but is less impactful than direct attack vectors.
- Heightened Monitoring of Developer Environments and Network Segmentation
  Organizations should isolate development environments from corporate networks, restrict installation of unapproved software and packages, and enforce multi-factor authentication and least privilege access to reduce lateral movement and exposure.
  Monitoring for anomalous Python and JavaScript execution in developer environments and unusual network traffic to known C2 infrastructure will be critical.
  Examples:
  - The use of malicious coding challenges and supply chain attacks targeting developer machines necessitates strict environment controls.
  This forecast is actionable and supports defense-in-depth strategies.
Long-Term Forecast (12-24 months)
- Expansion of Targeting to Emerging Financial Technologies, Including DeFi Platforms and Smart Contracts
  DPRK-linked groups are likely to pivot toward decentralized finance (DeFi) platforms and other emerging blockchain-based financial technologies, exploiting immature security postures, complex smart contract vulnerabilities, and the rapid growth of these ecosystems.
  Early warning signs include reconnaissance activity targeting DeFi projects, increased scanning for smart contract vulnerabilities, and supply chain compromises in DeFi-related open-source projects.
  Examples:
  - The current focus on cryptocurrency and blockchain sectors provides a foundation for pivoting to DeFi, which has seen increasing adoption but remains vulnerable to exploits such as flash loan attacks and oracle manipulation.
  - Analogous evolution observed in Lazarus Group's shift from traditional financial theft to cryptocurrency targeting.
  This forecast is ranked highest long-term due to the growing value and relative insecurity of DeFi platforms, offering lucrative opportunities for financially motivated threat actors.
- Continued Evolution and Modularization of Malware with Advanced Evasion Techniques
  Malware families like RN Loader, BeaverTail, InvisibleFerret, and Tropidoor will evolve with enhanced modularity, cross-platform capabilities, and advanced evasion techniques such as polymorphism, AI-driven obfuscation, and fileless persistence.
  Defenders should watch for new malware variants exhibiting novel obfuscation patterns, increased use of scripting languages, and integration with emerging attack frameworks. Behavioral analytics and machine learning-based detection will be increasingly necessary.
  Examples:
  - The current use of multi-stage, memory-resident malware with YAML deserialization and JavaScript obfuscation sets a precedent for further sophistication.
  - Historical malware evolution trends (e.g., Emotet, TrickBot) show rapid adaptation to detection methods.
  This forecast is critical as it will challenge defenders' ability to keep pace with detection and mitigation technologies.
- Diversification of Supply Chain Attack Vectors Beyond NPM and GitHub to Other Package Managers and CI/CD Pipelines
  Threat actors will broaden supply chain attack vectors to include other package managers (e.g., PyPI for Python, Maven for Java), container registries (e.g., Docker Hub), and continuous integration/continuous deployment (CI/CD) pipelines, increasing the attack surface and complicating defense.
  Early indicators include suspicious package uploads in new ecosystems, anomalous CI/CD pipeline activity, and compromised container images.
  Examples:
  - The current focus on NPM and GitHub is likely to broaden as attackers seek new avenues, much as the SolarWinds compromise showed the payoff of subverting a vendor's build pipeline rather than its shipped code.
  This forecast is important for long-term supply chain security strategies.
- Strengthening of International Cybersecurity Collaboration and Joint Disruption Efforts
  In response to high-profile financial thefts and espionage activities, affected countries (US, South Korea, Japan, UAE) and international partners will enhance joint cybersecurity operations, intelligence sharing, and coordinated disruption efforts against DPRK-linked groups.
  Indicators include increased public-private partnerships, joint advisories, and coordinated takedown operations targeting infrastructure and malware distribution channels.
  Examples:
  - The joint attribution and public alerts on DPRK campaigns issued by the FBI, DC3, and Japan's National Police Agency.
  - Historical precedents include coordinated takedowns of botnets and ransomware groups.
  This forecast is significant for shaping the geopolitical and operational environment but depends on political will and diplomatic relations.
- Development and Institutionalization of Advanced User Awareness and Simulation Programs Tailored to Developer and Cryptocurrency Sectors
  Organizations will increasingly adopt targeted training, red teaming, and simulated phishing exercises focused on the unique social engineering tactics used by these groups, such as fake recruitment and coding challenge lures.
  Success metrics will include reduced click rates on phishing simulations, increased reporting of suspicious recruiter activity, and improved verification processes for job offers and code submissions.
  Examples:
  - Current recommendations emphasize developer-focused awareness and verification of job offers.
  - Analogous programs in finance and healthcare sectors have demonstrably reduced phishing success rates.
  This forecast is important for reducing initial access success but is dependent on organizational investment and culture.
Appendix
References
- (2025-04-05) – North Korean Hackers Deploy BeaverTail Malware via 11 Malicious npm Packages – The Hacker News
- (2024-12-23) – FBI Identification of North Korean Cyber Actors Responsible for $308 Million Cryptocurrency Theft – FBI.gov
- (2024-10-09) – Contagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers as Fake Recruiters – Unit 42
- (2024-09-09) – Threat Assessment: North Korean Threat Groups – Unit 42
- (2025-04-14) – Slow Pisces Targets Developers With Coding Challenges and Introduces New Customized Python Malware – Unit 42
- (2023-11-21) – Two Campaigns by North Korea Bad Actors Target Job Hunters – Unit 42
AlphaHunt
This baseline report was researched in about 10 minutes. It is meant as a rough draft for you to enhance with the unique insights that make you an invaluable analyst; the initial grunt work is done.
(c) 2025 CSIRT Gadgets, LLC