North Korea-affiliated threat group Gleaming Pisces deployed poisoned Python software packages to deliver backdoors on Linux and macOS systems. The campaign uses malicious packages uploaded to PyPI, the widely used repository for open-source Python code, to distribute malware known as PondRAT.
Gleaming Pisces, also known as Citrine Sleet, has been active since 2018 and is affiliated with North Korea’s Reconnaissance General Bureau (RGB). The group is notorious for its attacks on the cryptocurrency sector, notably by deploying AppleJeus malware.
PondRAT is a lighter version of the group’s previously identified POOLRAT remote access tool. The attack, which aims to compromise software supply chains, has been active for an undisclosed period and primarily targets developers’ endpoints as a foothold from which to reach broader networks. The malicious packages have since been removed from PyPI.
PondRAT has fewer features than POOLRAT. It can still upload and download files, report its operational status, run specified commands, and pause execution for a set interval.
Cybersecurity experts have cautioned that even with fewer features, PondRAT’s streamlined nature allows it to operate discreetly, potentially evading detection.
Researchers discovered that the poisoned packages included names such as ‘real-ids’, ‘coloredtxt’, ‘beautifultext’ and ‘minisound’, all of which were designed to evade detection and ultimately deploy a Linux variant of the PondRAT malware on compromised systems.
Experts have also noted code similarities between these new Python packages and previously known malware linked to Gleaming Pisces, reinforcing the attribution to the group, which has a history of launching sophisticated attacks on cryptocurrency platforms, often using fake trading software to breach systems.
The primary goal of this campaign appears to be infiltrating software supply chain vendors by targeting developers’ endpoints. Once an infected Python package is installed, the malware can compromise the developer’s system and, through the software that developer ships, the wider network of users relying on these third-party packages.
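A poisoned package typically does its damage the moment `pip install` runs its `setup.py`, before any of the package’s code is ever imported. The scanner below is an added example, not code from the article, from Unit 42, or from the packages described, and it assumes the common dropper pattern (a custom setuptools `install` command or module-level code that decodes and executes a blob) rather than the specific internals of the packages named above, which the article does not detail. It parses `setup.py` with the `ast` module and flags install-time execution tricks so a downloaded sdist can be reviewed before it is allowed to run; the two `setup.py` samples are constructed for the demo.

```python
"""Pre-install heuristic check for Python source distributions (sdists).

Added example; assumes the usual install-time dropper pattern. It flags
common tricks, it does not prove a package is clean.
"""
import ast
import io
import tarfile

# Modules a legitimate setup.py rarely needs but droppers commonly use.
SUSPICIOUS_MODULES = {"subprocess", "base64", "urllib", "socket", "ctypes",
                      "zlib", "marshal", "tempfile"}
# Calls that execute code, spawn processes, or fetch/decode a payload.
SUSPICIOUS_CALLS = {"exec", "eval", "compile", "os.system", "os.popen",
                    "subprocess.run", "subprocess.Popen", "subprocess.call",
                    "subprocess.check_output", "urllib.request.urlopen",
                    "base64.b64decode"}
# setuptools commands whose subclasses run during `pip install`.
HOOK_CLASSES = {"install", "develop", "egg_info", "build_py"}

# Constructed sample: an ordinary setup.py with nothing to flag.
BENIGN_SETUP = """
from setuptools import setup, find_packages
setup(name="example-pkg", version="0.1.0", packages=find_packages())
"""

# Constructed sample: a stand-in for an install-time dropper (the blob
# here is just base64 for "echo hello"; it is never executed by this script).
SUSPICIOUS_SETUP = """
import base64
import subprocess
from setuptools import setup
from setuptools.command.install import install

class PostInstall(install):
    def run(self):
        install.run(self)
        payload = base64.b64decode("ZWNobyBoZWxsbw==")
        subprocess.Popen(["/bin/sh", "-c", payload.decode()])

setup(name="example-pkg", version="0.1.0", cmdclass={"install": PostInstall})
"""


def _dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_setup_py(source):
    """Return a sorted list of findings for a setup.py source string."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            names = ([a.name for a in node.names] if isinstance(node, ast.Import)
                     else [node.module or ""])
            for n in names:
                if n.split(".")[0] in SUSPICIOUS_MODULES:
                    findings.add(f"imports {n}")
        elif isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in SUSPICIOUS_CALLS:
                findings.add(f"calls {name}")
        elif isinstance(node, ast.ClassDef):
            # class X(install): ... hooks the install step itself
            for base in node.bases:
                b = _dotted(base)
                if b and b.split(".")[-1] in HOOK_CLASSES:
                    findings.add(f"overrides setuptools command {b}")
        elif isinstance(node, ast.keyword) and node.arg == "cmdclass":
            findings.add("passes cmdclass= to setup()")
    return sorted(findings)


def scan_sdist_bytes(data):
    """Scan the top-level setup.py inside an sdist (.tar.gz) given as bytes."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            # sdists unpack to <name>-<version>/setup.py
            if (member.isfile() and member.name.count("/") == 1
                    and member.name.endswith("/setup.py")):
                return scan_setup_py(tar.extractfile(member).read().decode("utf-8"))
    # No setup.py: a PEP 517 build backend can still run code, so review anyway.
    return []


def make_sdist_bytes(dirname, setup_py):
    """Build a minimal in-memory sdist holding <dirname>/setup.py (demo only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        body = setup_py.encode("utf-8")
        info = tarfile.TarInfo(name=f"{dirname}/setup.py")
        info.size = len(body)
        tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SETUP), ("suspicious", SUSPICIOUS_SETUP)):
        print(label, scan_sdist_bytes(make_sdist_bytes("example-pkg-0.1.0", src)))
```

In practice, run this over the sdist fetched with `pip download --no-binary :all: --no-deps <pkg>` before installing, and treat any hit on `cmdclass` or a subclassed `install` command as a reason to read the file by hand; legitimate packages do use these hooks, so the scanner triages rather than decides.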
This pattern mirrors previous supply chain attacks orchestrated by Gleaming Pisces.
Researchers also warn that although the malicious packages have since been removed from PyPI, organisations that already pulled them, or that rely on the repository without verifying what they install, remain at risk. PyPI’s large user base makes it an attractive target for attackers looking to exploit software supply chains.