North Korea-linked threat actor Slow Pisces has been caught targeting crypto developers in a campaign that delivers data-stealing malware disguised as coding assignments. Slow Pisces, known by several other names, was allegedly behind the Bybit hack, which stole $1.5 billion from the Japanese crypto exchange.
The campaign runs as a standard recruitment scam and was flagged by Palo Alto Networks Unit 42. According to its report, the attackers lure crypto developers by posing as potential employers on LinkedIn. Under the guise of an assignment to test the candidate's skills, they send a compromised project that infects the developer's system with malware dubbed RN Loader and RN Stealer.
First, a malicious PDF containing a job description is sent to potential targets. If a target applies for the job, the threat actors provide a coding challenge in the form of a question sheet with several tasks: generic software development exercises alongside a project-based coding challenge.

The project points to a GitHub repository. Slow Pisces maintains multiple similar GitHub repositories built from code taken from open-source projects, including applications for viewing and analysing:
- Stock market data
- Statistics from European soccer leagues
- Weather data
- Crypto prices
Depending on whether the target has applied for a front-end or back-end role, the programming language used in the repositories also varies between Python and JavaScript. Researchers found a couple of Java-based repositories in the mix as well, impersonating a crypto program called jCoin. Analysts at both GitHub and LinkedIn have been tipped off about the campaign, and the relevant accounts and repositories have already been taken down.
The main malware in question is RN Stealer, a macOS infostealer capable of extracting sensitive information. This information includes the victims’ home directory, iCloud keychain credentials, stored SSH keys, and configuration files for AWS, Kubernetes, and Google Cloud.
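As an added defender-side check (not code from Unit 42 or from the campaign), the Python script below inventories the local files the article says RN Stealer collects and flags those a stolen copy could use without further effort: credential files readable by group or others, and SSH private keys stored without a passphrase. The gcloud and keychain paths are assumed macOS locations, and the sample home directory it builds is constructed for demonstration.

```python
import base64, os, stat, struct, tempfile
from pathlib import Path

# Files the article says RN Stealer collects, relative to the home directory;
# the gcloud and keychain locations are our assumptions for a macOS host.
TARGETED = [".ssh/id_ed25519", ".ssh/id_rsa", ".aws/credentials", ".kube/config",
            ".config/gcloud/application_default_credentials.json",
            "Library/Keychains/login.keychain-db"]

def ssh_key_is_encrypted(path):
    """True if the private key is passphrase-protected; a cleartext key is usable the moment it is stolen."""
    text = Path(path).read_text(errors="replace")
    if "BEGIN OPENSSH PRIVATE KEY" not in text:
        return "Proc-Type: 4,ENCRYPTED" in text  # legacy PEM keys flag encryption in a header
    # openssh-key-v1: magic string, then a uint32-length-prefixed cipher name; "none" means cleartext
    body = "".join(line for line in text.splitlines() if not line.startswith("-----"))
    raw, magic = base64.b64decode(body), b"openssh-key-v1\x00"
    if not raw.startswith(magic):
        return False
    (n,) = struct.unpack(">I", raw[len(magic):len(magic) + 4])
    return raw[len(magic) + 4:len(magic) + 4 + n] != b"none"

def audit_credential_paths(home):
    """Map each targeted file present under `home` to its list of issues."""
    report = {}
    for rel in TARGETED:
        p = Path(home) / rel
        if not p.is_file():
            continue
        issues = []
        if stat.S_IMODE(p.stat().st_mode) & (stat.S_IRGRP | stat.S_IROTH):
            issues.append("readable by group/others")
        if rel.startswith(".ssh/") and not ssh_key_is_encrypted(p):
            issues.append("private key not passphrase-protected")
        report[rel] = issues or ["present, owner-only"]
    return report

def build_demo_home():
    """Constructed sample home (no real secrets): a cleartext openssh-key-v1 key and a 0644 AWS file."""
    home = Path(tempfile.mkdtemp())
    blob = b"openssh-key-v1\x00" + struct.pack(">I", 4) + b"none"  # header and cipher field only
    key = "-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n"
    samples = [(".ssh/id_ed25519", key % base64.b64encode(blob).decode(), 0o600),
               (".aws/credentials", "[default]\naws_access_key_id = CONSTRUCTED\n", 0o644)]
    for rel, content, mode in samples:
        (home / rel).parent.mkdir(exist_ok=True)
        (home / rel).write_text(content)
        os.chmod(home / rel, mode)
    return home
```

Run `audit_credential_paths(Path.home())` on a developer workstation to see which of these files exist and which would be immediately usable if exfiltrated.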
The group sets itself apart from others through its strict operational security. Each payload delivery step is gated and exists in memory only, and the final payload is deployed only when necessary, which evades detection and makes analysis harder.