The North Korea-linked threat actor assessed to be behind the massive Bybit hack in February 2025 has been linked to a malicious campaign that targets developers in order to deliver new malware under the guise of a coding assignment.
The activity has been attributed by Palo Alto Networks Unit 42 to a hacking group it tracks as Slow Pisces, which is also known as Jade Sleet, PUKCHONG, TraderTraitor and UNC4899.
“Slow Pisces engaged with cryptocurrency developers on LinkedIn, posing as potential employers and sending malware disguised as coding challenges,” Unit 42 noted. “These challenges require developers to run a compromised project, infecting their systems with malware we have named RN Loader and RN Stealer.”
Slow Pisces has a history of targeting developers, typically in the cryptocurrency sector, approaching them on LinkedIn as part of a purported job opportunity and enticing them into opening a PDF document that details a coding assignment hosted on GitHub.
In July 2023, GitHub disclosed that employees working in the blockchain, cryptocurrency, gambling and cybersecurity sectors were targeted by the threat actor, who deceived them into running malicious npm packages.
Then, last June, Google-owned Mandiant detailed the attackers' modus operandi: first sending targets on LinkedIn a benign PDF document containing a job description for the purported opportunity, then following up with a skills questionnaire once they express interest.
The questionnaire included instructions to complete a coding task by downloading a trojanized Python project from GitHub which, while ostensibly able to view cryptocurrency prices, was designed to contact a remote server to fetch an unspecified second-stage payload when certain conditions are met.
The multi-stage attack chain documented by Unit 42 follows the same approach, with the malicious payload sent only to validated targets, likely based on IP address, geolocation, time and HTTP request headers.
“Focusing on individuals contacted via LinkedIn, as opposed to broad phishing campaigns, allows the group to tightly control the later stages of the campaign and deliver payloads only to the expected victims,” Pattni said. “To avoid the suspicious eval and exec functions, Slow Pisces uses YAML deserialization to execute its payload.”
The payload is configured to execute a malware family dubbed RN Loader, which sends basic information about the victim's machine and operating system over HTTPS to the same server, and then receives and executes a next-stage Base64-encoded blob.
The newly downloaded malware is RN Stealer, an information stealer capable of harvesting sensitive data from infected Apple macOS systems. This includes system metadata, installed applications, a directory listing and the top-level contents of the home directory, the iCloud Keychain, SSH keys, and configuration files for AWS, Kubernetes and Google Cloud.
“The infostealer collects more detailed victim information, which the attackers likely used to determine whether they needed access,” Unit 42 said.
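The point of the quote above is that a YAML document loaded with a full (non-safe) loader can construct arbitrary Python objects, so a "config" fetched from a remote server never has to touch eval or exec to run code. The following is an added example, not code from the Unit 42 report or from the campaign's trojanized project: a standard-library static check that walks a Python AST and flags yaml.load()/yaml.unsafe_load() calls that do not pin a safe loader, plus a check for PyYAML's Python-specific !!python/ tags in a document before it is handed to any loader. The sample source it scans (SAMPLE_SOURCE) is constructed for the example; PyYAML itself is not imported, so the check runs offline.

```python
"""Static audit for unsafe YAML deserialization in Python source (added example)."""
import ast
import re
from dataclasses import dataclass
from typing import List, Optional

# Loaders that only build plain scalars/lists/dicts. Anything else (the default,
# Loader, UnsafeLoader, and for our purposes FullLoader) gets reported for review.
SAFE_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader", "CBaseLoader"}

# PyYAML-only tags that instruct a non-safe loader to construct Python objects.
PYTHON_TAG = re.compile(r"!!python/")


@dataclass
class Finding:
    line: int
    call: str
    reason: str


def _callee(call: ast.Call) -> Optional[str]:
    """Return '<func>' for calls of the form yaml.<func>(...), else None."""
    f = call.func
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name) and f.value.id == "yaml":
        return f.attr
    return None


def _loader_name(call: ast.Call) -> Optional[str]:
    """Name of the Loader= keyword (or second positional argument), if present."""
    node = None
    for kw in call.keywords:
        if kw.arg == "Loader":
            node = kw.value
    if node is None and len(call.args) >= 2:
        node = call.args[1]
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return None


def audit_yaml_calls(source: str) -> List[Finding]:
    """Flag yaml.load/load_all without a safe loader and any yaml.unsafe_load*."""
    findings: List[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = _callee(node)
        if func in ("unsafe_load", "unsafe_load_all"):
            findings.append(Finding(node.lineno, f"yaml.{func}", "constructs arbitrary Python objects"))
        elif func in ("load", "load_all"):
            loader = _loader_name(node)
            if loader not in SAFE_LOADERS:
                findings.append(Finding(node.lineno, f"yaml.{func}",
                                        f"Loader={loader or 'default'} is not a safe loader"))
    findings.sort(key=lambda fnd: fnd.line)
    return findings


def has_python_tags(yaml_text: str) -> bool:
    """True if the document carries !!python/ tags; a safe loader rejects them, others honor them."""
    return PYTHON_TAG.search(yaml_text) is not None


# Constructed sample: a "price viewer" that pulls its configuration from a remote host.
SAMPLE_SOURCE = '''
import yaml, requests
def fetch_config(url):
    body = requests.get(url).text                     # remote, attacker-controllable text
    cfg = yaml.load(body)                             # line 5: default loader -> flagged
    other = yaml.load(body, Loader=yaml.SafeLoader)   # line 6: safe loader -> fine
    return cfg, yaml.unsafe_load(body)                # line 7: unsafe loader -> flagged
'''

if __name__ == "__main__":
    for fnd in audit_yaml_calls(SAMPLE_SOURCE):
        print(f"line {fnd.line}: {fnd.call}: {fnd.reason}")
    print("tags present:", has_python_tags("pair: !!python/tuple [1, 2]"))
```

The two checks complement each other: the AST scan catches the loader choice at code-review time, and the tag check can sit in front of whatever loader a program does use, since a legitimate configuration document has no reason to carry !!python/ tags at all.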
Targeted victims applying for JavaScript roles are likewise urged to download a “Cryptocurrency Dashboard” project from GitHub, which employs a similar strategy: the command-and-control (C2) server serves additional payloads only when the targets meet certain criteria. However, the exact nature of the payload is unknown.
“The repository uses the Embedded JavaScript (EJS) templating tool, passing responses from the C2 server to ejs.render(),” Pattni noted.
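An EJS template is itself executable JavaScript, so passing a server response to ejs.render() as the template (rather than as the data rendered into a fixed template) amounts to running whatever the server sent. The following is an added example, not code from the Unit 42 report or from the dashboard repository: two standard-library heuristics a reviewer could run over a suspect project, one that scans JavaScript source for ejs.render()/ejs.compile() calls whose template argument is not a string literal, and one that flags fetched response bodies that carry EJS scriptlet tags. The JavaScript snippet (SAMPLE_JS) and the response bodies are constructed for the example.

```python
"""Heuristics for spotting server-controlled EJS templates (added example)."""
import re
from typing import List, Tuple

# ejs.render( / ejs.compile( followed by the first non-space character of the
# template argument. A literal template starts with a quote or a backtick.
EJS_CALL = re.compile(r"\bejs\.(render|compile)\s*\(\s*(\S)")

# EJS scriptlet/output tags: <% ... %>, <%= ... %>, <%- ... %>, <%_ ... %>, <%# ... %>
EJS_TAG = re.compile(r"<%[-_=#]?[\s\S]*?%>")


def scan_js_for_dynamic_templates(js_source: str) -> List[Tuple[int, str]]:
    """Return (line, function) for EJS calls whose template is a variable or expression."""
    findings = []
    for m in EJS_CALL.finditer(js_source):
        func, first_char = m.group(1), m.group(2)
        if first_char not in "'\"`":
            line = js_source.count("\n", 0, m.start()) + 1
            findings.append((line, f"ejs.{func}"))
    return findings


def response_contains_ejs_code(body: str) -> bool:
    """True if a fetched body contains EJS tags, i.e. it would execute if rendered as a template."""
    return EJS_TAG.search(body) is not None


# Constructed sample: one safe call (literal template, data passed as locals) and one
# call that renders a body received from a remote server.
SAMPLE_JS = '''
const ejs = require('ejs');
const https = require('https');
function renderPrices(prices) {
  // template is a literal in the source; the price data is passed as locals, not as code
  return ejs.render('<ul><% prices.forEach(p => { %><li><%= p %></li><% }); %></ul>', { prices });
}
function renderRemote(body) {
  // body came back from a remote server: that server now controls the template
  return ejs.render(body, {});
}
'''

# Constructed response bodies: plain data versus a document carrying EJS code.
PRICE_JSON = '{"BTC": 84250.5, "ETH": 1590.2}'
TEMPLATE_RESPONSE = '<p><% const now = Date.now(); %><%= now %></p>'

if __name__ == "__main__":
    for line, func in scan_js_for_dynamic_templates(SAMPLE_JS):
        print(f"line {line}: {func} called with a non-literal template")
    print("price JSON carries EJS code:", response_contains_ejs_code(PRICE_JSON))
    print("template response carries EJS code:", response_contains_ejs_code(TEMPLATE_RESPONSE))
```

The source scan is deliberately conservative: a template built from a variable is not always hostile, but in a project that talks to an external server it is exactly the call a reviewer should trace back to its input.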
Jade Sleet is one of many North Korean threat activity clusters that use job-opportunity lures as a malware distribution vector, the others being Operation Dream Job, Contagious Interview and Alluring Pisces.
“These groups have no operational overlaps. However, the fact that these campaigns use similar initial infection vectors is notable,” Unit 42 concluded. “Slow Pisces stands out from its peers in operational security. Delivery of payloads at each stage is heavily guarded, existing only in memory.”