According to a report released today by Palo Alto Networks’ Unit 42, the group known as Slow Pisces (also tracked as Jade Sleet, TraderTraitor, and PUKCHONG) has been engaging in social engineering attacks via LinkedIn, posing as recruiters to deliver custom malware.
The threat actors begin by approaching cryptocurrency developers on LinkedIn with job opportunities, sending benign PDF files containing job descriptions.
If targets respond positively, they receive coding challenges that direct them to GitHub repositories containing malicious code.
These repositories appear legitimate, often adapted from actual open-source projects such as cryptocurrency dashboards or stock market analyzers.
Most of the code works as advertised, but each repository carries a concealed component that fetches data from a command-and-control server operated by the attackers, and it is that server response, not the cloned code itself, that carries the malicious payload.
“Slow Pisces stands out from their peers’ campaigns in operational security. Delivery of payloads at each stage is heavily guarded, existing in memory only. And the group’s later stage tooling is only deployed when necessary,” notes the report.
The attackers hide the code-execution path behind constructs that look like ordinary application code: the Python repositories deserialize the C2 response with an unsafe YAML loader, and the JavaScript projects abuse the escape-function option of the EJS templating engine.
Either technique lets the server run arbitrary code on the developer’s machine in the course of what looks like a routine data fetch, and because the payload lives in the server response rather than in the repository, reading the cloned code reveals little.
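The PyYAML side of this is worth seeing concretely. The following is an added example, not code from the Unit 42 report or from the Slow Pisces repositories: a stdlib-only scanner that flags `yaml.load` calls using a code-executing loader (the pattern the report describes) and pre-screens a fetched document for the `!!python/...` tags that make such a loader dangerous. The two snippets it scans and the server response it checks are constructed for the demonstration; the function and variable names are assumptions. The EJS technique in the JavaScript repositories is not demonstrated here.

```python
"""Added example (not Unit 42's or the attackers' code): detect the unsafe
PyYAML deserialization pattern and pre-screen C2-style responses.

Stdlib only, so it runs without PyYAML installed (Python 3.9+ for ast.unparse)."""
import ast
import re

# Loaders that only build plain mappings, sequences and scalars.
SAFE_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader", "CBaseLoader"}

# Tags that make yaml.Loader / yaml.UnsafeLoader import modules, build
# objects or call functions while parsing.
DANGEROUS_TAG = re.compile(r"!!python/(?:object|name|module)\b")


def _loader_name(node):
    """Short name of a Loader= expression: yaml.SafeLoader -> 'SafeLoader'."""
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return None


def find_unsafe_yaml_loads(source: str):
    """Return (line, reason) for each yaml.load / yaml.unsafe_load call that
    would deserialize its input with a code-executing loader.

    Only the `import yaml; yaml.load(...)` spelling is recognised; a
    `from yaml import load` alias is out of scope for this example."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if not (isinstance(func, ast.Attribute)
                and isinstance(func.value, ast.Name)
                and func.value.id == "yaml"):
            continue
        if func.attr == "unsafe_load":
            findings.append((node.lineno, "yaml.unsafe_load"))
        elif func.attr == "load":
            loader = None
            for kw in node.keywords:
                if kw.arg == "Loader":
                    loader = kw.value
            if loader is None and len(node.args) > 1:
                loader = node.args[1]          # yaml.load(stream, Loader)
            if loader is None:
                # PyYAML < 6 silently falls back to FullLoader, which was
                # exploitable before 5.4 (CVE-2020-14343).
                findings.append((node.lineno, "yaml.load without Loader"))
            elif _loader_name(loader) not in SAFE_LOADERS:
                findings.append(
                    (node.lineno, f"yaml.load with Loader={ast.unparse(loader)}"))
    return findings


def dangerous_yaml_tags(document: str):
    """Python-specific tags present in a YAML document, before it is parsed."""
    return sorted(set(DANGEROUS_TAG.findall(document)))


# Constructed stand-in for a "stock dashboard" helper that pulls its config
# from a server the attacker controls (assumed names, not real repo code).
VULNERABLE_SNIPPET = '''
import yaml, requests

def load_remote_config(url):
    data = requests.get(url).text
    return yaml.load(data, Loader=yaml.Loader)   # code-executing loader
'''

HARDENED_SNIPPET = '''
import yaml, requests

def load_remote_config(url):
    data = requests.get(url).text
    return yaml.safe_load(data)   # plain data only; python/* tags are rejected
'''

# Constructed response of the kind that turns the first snippet into remote
# code execution. The tag is genuine PyYAML syntax; the command is a
# harmless placeholder.
MALICIOUS_RESPONSE = (
    "theme: dark\n"
    "refresh: !!python/object/apply:os.system ['echo pwned']\n"
)

if __name__ == "__main__":
    for label, snippet in (("vulnerable", VULNERABLE_SNIPPET),
                           ("hardened", HARDENED_SNIPPET)):
        print(label, find_unsafe_yaml_loads(snippet))
    print("tags in response:", dangerous_yaml_tags(MALICIOUS_RESPONSE))
```

`yaml.safe_load` is the whole fix on the consumer side; the tag check is only useful as a detection signal, for instance on a proxy or in an EDR rule, because a safe loader already refuses those tags. Note that the scanner reports `Loader=yaml.FullLoader` as unsafe as well: it is acceptable on current PyYAML, but it was the vector for the 2020 CVEs, so a repository that pins an old version deserves a second look.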
When targeting Python developers, Slow Pisces delivers malware that researchers have named “RN Loader” and “RN Stealer.”
The RN Stealer payload is designed to extract sensitive information from victims’ machines, including:
The group reportedly stole over $1 billion from cryptocurrency organizations in 2023 alone.
Most recently, they’ve been linked to the theft of $1.5 billion from a Dubai cryptocurrency exchange.
The FBI previously attributed a $308 million theft from a Japan-based cryptocurrency company to the same group.
Palo Alto Networks shared its findings with GitHub and LinkedIn, which have removed the malicious accounts and repositories.
Unit 42 has also published indicators of compromise, including the command-and-control domains below, to help organizations detect and mitigate similar attacks.
| Domain | IP Address | First Seen | Last Seen | Repository Type |
|---|---|---|---|---|
| getstockprice[.]com | 70.34.245[.]118 | 2025-02-03 | 2025-02-20 | Python |
| cdn[.]clubinfo[.]io | 5.206.227[.]51 | 2025-01-21 | 2025-02-19 | Python |
| update[.]jquerycloud[.]io | 192.236.199[.]57 | 2024-07-03 | 2024-08-22 | JavaScript |
| en[.]stockslab[.]org | 91.103.140[.]191 | 2024-08-19 | 2024-09-12 | Python |
| api[.]coinpricehub[.]io | 45.141.58[.]40 | 2024-05-06 | 2024-08-06 | Java |
Unit 42 recommends strict separation of corporate and personal devices as the most effective mitigation against such targeted social engineering: a coding challenge that arrives through a personal LinkedIn conversation should never be run on a machine that holds corporate credentials or source code, and the safest place to run any unsolicited take-home exercise is a disposable virtual machine or container with no access to production secrets.
The post Slow Pisces Hackers Target Developers with Malicious Python Coding Tests appeared first on Cyber Security News.