
A North Korea-linked hacking group has reportedly launched a targeted campaign against cryptocurrency developers using malicious Python projects disguised as coding assignments.
According to cybersecurity researchers at Palo Alto Networks’ Unit 42, the group (known as Slow Pisces) is deploying an advanced malware chain to gain unauthorized access to systems of high-value individuals within the crypto space.
In a recent assessment, Prashil Pattni, a security researcher with Unit 42, explained that the attackers approached developers on LinkedIn, posing as potential employers.
These interactions often included offers of freelance coding tasks or full-time job opportunities. Victims were directed to download and execute what appeared to be standard coding challenges hosted on GitHub. However, embedded in these projects was malicious code designed to install malware on the target’s system.
Multi-Stage Attack Targets High-Value Victims
The infection chain begins with the execution of a trojanized Python project which, while posing as a cryptocurrency price viewer, contacts a remote server and fetches a second-stage payload only when specific conditions are met.

These conditions include IP filtering, geolocation, and request header checks, so the malware activates only on selected machines. The campaign uses RN Loader to send system information to the server, followed by deployment of RN Stealer, a tool capable of extracting sensitive data including iCloud Keychain entries, SSH keys, and configuration files from Apple macOS devices.
Pattni noted that this approach allows the threat actors to evade detection while targeting individuals with privileged access. Pattni said:
Focusing on individuals contacted via LinkedIn, as opposed to broad phishing campaigns, allows the group to tightly control the later stages of the campaign and deliver payloads only to expected victims.
Unit 42 researchers found that the campaign bears similarities to earlier attacks, such as Operation Dream Job and Alluring Pisces, in which malware was distributed through employment-themed lures.
In this case, YAML deserialization and JavaScript templating tools like EJS are used to conceal code execution and obfuscate the payload delivery process.
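A practical defender-side check, added here as an example and not part of the Unit 42 report or the malware it describes, is to statically triage a downloaded "coding challenge" before running it. The script below walks a project tree and flags two things: yaml.load() or yaml.unsafe_load() calls that do not pin a safe loader, and YAML documents carrying PyYAML-specific "!!python/" tags, which a safe loader rejects and which an ordinary data file has no reason to contain. The sample project files, the viewer.Settings class name and the config.yaml path are all constructed for illustration.

```python
"""Static triage of a downloaded Python project for unsafe YAML deserialization.

Added example, not code from the original article or from the campaign it
describes. Uses only the standard library so it can run before anything in
the untrusted project is executed.
"""
import ast
import re
from pathlib import Path

SAFE_LOADERS = {"SafeLoader", "CSafeLoader"}
# Any '!!python/' (or '!python/') tag asks PyYAML to construct arbitrary
# Python objects; data files for a price viewer never need this.
PY_TAG = re.compile(r"!!?python/")


def _name_of(node):
    """Return the loader name from a `yaml.X` attribute or bare name node."""
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return "<dynamic>"


def _loader_name(call):
    """Return the Loader argument of a yaml.load() call, or None if absent."""
    for kw in call.keywords:
        if kw.arg == "Loader":
            return _name_of(kw.value)
    if len(call.args) >= 2:          # yaml.load(stream, Loader) positional form
        return _name_of(call.args[1])
    return None


def unsafe_yaml_calls(source: str):
    """Find yaml.load()/yaml.unsafe_load() calls that are not pinned to a safe loader.

    Returns a list of (line_number, description) tuples.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        # Only match attribute calls on the `yaml` module (yaml.load, ...)
        if not (isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name)
                and f.value.id == "yaml"):
            continue
        if f.attr == "unsafe_load":
            findings.append((node.lineno, "yaml.unsafe_load"))
        elif f.attr == "load":
            loader = _loader_name(node)
            if loader not in SAFE_LOADERS:
                # No Loader at all: PyYAML < 5.1 silently uses the unsafe Loader,
                # 5.1-5.x defaults to FullLoader, 6.x raises TypeError.
                findings.append((node.lineno, f"yaml.load Loader={loader}"))
    return findings


def suspicious_yaml_tags(text: str):
    """Return 1-based line numbers of YAML lines carrying a '!!python/' tag."""
    return [i + 1 for i, line in enumerate(text.splitlines()) if PY_TAG.search(line)]


def triage_project(root: Path):
    """Scan .py and .yaml/.yml files under `root`; return {relative_path: findings}."""
    report = {}
    for path in root.rglob("*"):
        if path.suffix == ".py":
            hits = unsafe_yaml_calls(path.read_text(encoding="utf-8"))
        elif path.suffix in {".yaml", ".yml"}:
            hits = suspicious_yaml_tags(path.read_text(encoding="utf-8"))
        else:
            continue
        if hits:
            report[str(path.relative_to(root))] = hits
    return report


# Constructed sample source, standing in for a file from the downloaded project.
SAMPLE_PY = '''
import yaml
cfg = yaml.load(open("config.yaml"))            # no Loader pinned: flagged
prices = yaml.load(raw, Loader=yaml.SafeLoader)  # safe: not flagged
meta = yaml.load(raw, Loader=yaml.Loader)        # full Loader: flagged
'''

# Constructed sample config that looks like price-viewer settings but smuggles
# an object-construction tag; yaml.safe_load() would refuse to load line 3.
SAMPLE_YAML = """\
# price viewer configuration
pairs: [BTC-USD, ETH-USD]
settings: !!python/object:viewer.Settings {refresh: 30}
"""

if __name__ == "__main__":
    print(unsafe_yaml_calls(SAMPLE_PY))     # [(3, 'yaml.load Loader=None'), (5, 'yaml.load Loader=Loader')]
    print(suspicious_yaml_tags(SAMPLE_YAML))  # [3]
```

The remediation for every flagged call is the same: replace it with yaml.safe_load(), or pass Loader=yaml.SafeLoader explicitly, and treat any "!!python/" tag in a project's data files as a reason not to run the project at all. The scanner is deliberately conservative and will also flag legitimate uses of yaml.Loader; in a code review of an unsolicited assignment that is the right trade-off.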
Linked Campaigns and Operational Focus
Slow Pisces, also known under aliases such as Jade Sleet, TraderTraitor, and UNC4899, has been connected to several high-profile operations including the February 2025 Bybit exchange breach.
According to Andy Piazza, Senior Director of Threat Intelligence at Unit 42, the attackers likely felt no need to change their methodology due to the lack of widespread public reporting prior to that breach.
The attackers appear to focus on fewer but higher-value victims, primarily those with backend or DevOps roles who may have direct or indirect access to wallet infrastructure or exchange systems, Piazza explained.
Developers are repeatedly targeted, and npm or Python packages repeatedly used as the delivery vehicle, because developers often hold the access threat actors need to steal cryptocurrency.
Researchers say the attackers have continually improved operational security, updating GitHub repository behavior and controlling payload deployment. Payloads are often stored in memory only and executed only when necessary, making analysis difficult and prolonging the malware’s utility.
As campaigns like this evolve, Pattni emphasized the need for developers to remain vigilant, especially when approached with freelance or employment opportunities involving external code downloads.
Featured image created with DALL-E, Chart from TradingView
