Slow Pisces Targets Developers With Coding Challenges and Introduces New Customized Python Malware

    Date: 04/16/2025

    Severity: High

    Summary

    Slow Pisces (aka Jade Sleet, TraderTraitor, PUKCHONG) is a North Korean threat group focused on funding the DPRK through crypto-targeted attacks. In a recent campaign, the group posed as employers on LinkedIn, targeting cryptocurrency developers. They sent malware-laced coding challenges that infected victims' systems. The malware used, dubbed RN Loader and RN Stealer, enabled data theft and system compromise.

    Indicators of Compromise (IOC) List

    Domains / URLs:

    getstockprice.com

    cdn.clubinfo.io

    getstockprice.info

    api.stockinfo.io

    cdn.logoeye.net

    en.wfinance.org

    en.stocksindex.org

    cdn.jqueryversion.net

    en.stockslab.org

    update.jquerycloud.io

    cdn.soccerlab.io

    api.coinpricehub.io

    cdn.leaguehub.net

    cdn.clublogos.io

    api.jquery-release.com

    cdn.logosports.net

    skypredict.org

    api.bitzone.io

    weatherdatahub.org

    api.ethzone.io

    api.fivebit.io

    blockprices.io

    api.coinhar.io

    mavenradar.com

    indobit.io

    api.thaibit.io

    chainanalyser.com

    IP Addresses:

    5.206.227.51

    70.34.245.118

    131.226.2.120

    136.244.93.248

    54.39.83.151

    195.133.26.32

    185.236.231.224

    194.11.226.16

    91.103.140.191

    192.236.199.57

    146.70.124.70

    45.141.58.40

    5.133.9.252

    146.19.173.29

    146.70.125.120

    185.62.58.74

    80.82.77.80

    192.248.145.210

    194.15.112.200

    91.234.199.90

    185.216.144.41

    91.193.18.201

    185.62.58.122

    23.254.230.253

    146.70.88.126

    79.137.248.193

    38.180.62.135

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains / URLs:

    domainname like "en.stockslab.org" or url like "en.stockslab.org" or siteurl like "en.stockslab.org" or domainname like "getstockprice.info" or url like "getstockprice.info" or siteurl like "getstockprice.info" or domainname like "en.wfinance.org" or url like "en.wfinance.org" or siteurl like "en.wfinance.org" or domainname like "cdn.logoeye.net" or url like "cdn.logoeye.net" or siteurl like "cdn.logoeye.net" or domainname like "update.jquerycloud.io" or url like "update.jquerycloud.io" or siteurl like "update.jquerycloud.io" or domainname like "blockprices.io" or url like "blockprices.io" or siteurl like "blockprices.io" or domainname like "api.thaibit.io" or url like "api.thaibit.io" or siteurl like "api.thaibit.io" or domainname like "api.fivebit.io" or url like "api.fivebit.io" or siteurl like "api.fivebit.io" or domainname like "skypredict.org" or url like "skypredict.org" or siteurl like "skypredict.org" or domainname like "cdn.jqueryversion.net" or url like "cdn.jqueryversion.net" or siteurl like "cdn.jqueryversion.net" or domainname like "api.jquery-release.com" or url like "api.jquery-release.com" or siteurl like "api.jquery-release.com" or domainname like "chainanalyser.com" or url like "chainanalyser.com" or siteurl like "chainanalyser.com" or domainname like "api.ethzone.io" or url like "api.ethzone.io" or siteurl like "api.ethzone.io" or domainname like "api.stockinfo.io" or url like "api.stockinfo.io" or siteurl like "api.stockinfo.io" or domainname like "cdn.clublogos.io" or url like "cdn.clublogos.io" or siteurl like "cdn.clublogos.io" or domainname like "cdn.soccerlab.io" or url like "cdn.soccerlab.io" or siteurl like "cdn.soccerlab.io" or domainname like "cdn.logosports.net" or url like "cdn.logosports.net" or siteurl like "cdn.logosports.net" or domainname like "api.coinhar.io" or url like "api.coinhar.io" or siteurl like "api.coinhar.io" or domainname like "getstockprice.com" or url like "getstockprice.com" or siteurl like "getstockprice.com" or domainname like "cdn.clubinfo.io" or url like "cdn.clubinfo.io" or siteurl like "cdn.clubinfo.io" or domainname like "en.stocksindex.org" or url like "en.stocksindex.org" or siteurl like "en.stocksindex.org" or domainname like "api.coinpricehub.io" or url like "api.coinpricehub.io" or siteurl like "api.coinpricehub.io" or domainname like "cdn.leaguehub.net" or url like "cdn.leaguehub.net" or siteurl like "cdn.leaguehub.net" or domainname like "api.bitzone.io" or url like "api.bitzone.io" or siteurl like "api.bitzone.io" or domainname like "weatherdatahub.org" or url like "weatherdatahub.org" or siteurl like "weatherdatahub.org" or domainname like "mavenradar.com" or url like "mavenradar.com" or siteurl like "mavenradar.com" or domainname like "indobit.io" or url like "indobit.io" or siteurl like "indobit.io"

    IP Addresses:

    dstipaddress IN ("146.70.88.126","5.206.227.51","5.133.9.252","146.70.125.120","194.15.112.200","91.103.140.191","185.236.231.224","79.137.248.193","70.34.245.118","136.244.93.248","91.234.199.90","131.226.2.120","146.19.173.29","194.11.226.16","185.62.58.74","54.39.83.151","195.133.26.32","192.236.199.57","146.70.124.70","45.141.58.40","80.82.77.80","192.248.145.210","185.216.144.41","91.193.18.201","185.62.58.122","23.254.230.253","38.180.62.135") or srcipaddress IN ("146.70.88.126","5.206.227.51","5.133.9.252","146.70.125.120","194.15.112.200","91.103.140.191","185.236.231.224","79.137.248.193","70.34.245.118","136.244.93.248","91.234.199.90","131.226.2.120","146.19.173.29","194.11.226.16","185.62.58.74","54.39.83.151","195.133.26.32","192.236.199.57","146.70.124.70","45.141.58.40","80.82.77.80","192.248.145.210","185.216.144.41","91.193.18.201","185.62.58.122","23.254.230.253","38.180.62.135")
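The two queries above key on the fields domainname, url, siteurl, srcipaddress and dstipaddress. A point worth checking when porting them to another log pipeline is how host matching behaves: a plain equality test misses a URL such as https://api.bitzone.io/v1/... or a subdomain of a listed host, while a loose substring test ("%cdn.soccerlab.io%") also fires on an unrelated name that merely contains the indicator. The script below is an added example, not Gurucul's query nor code from the Unit 42 report; it assumes key=value log lines using the same field names as the queries, takes the domain and IP indicators from the IOC list on this page, extracts the host from URL fields, and matches a host only when it equals a listed domain or sits beneath it. The log lines are constructed for the demonstration.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Domain and IP indicators copied from this advisory's IOC list.
IOC_DOMAINS = {
    "getstockprice.com", "cdn.clubinfo.io", "getstockprice.info", "api.stockinfo.io",
    "cdn.logoeye.net", "en.wfinance.org", "en.stocksindex.org", "cdn.jqueryversion.net",
    "en.stockslab.org", "update.jquerycloud.io", "cdn.soccerlab.io", "api.coinpricehub.io",
    "cdn.leaguehub.net", "cdn.clublogos.io", "api.jquery-release.com", "cdn.logosports.net",
    "skypredict.org", "api.bitzone.io", "weatherdatahub.org", "api.ethzone.io",
    "api.fivebit.io", "blockprices.io", "api.coinhar.io", "mavenradar.com",
    "indobit.io", "api.thaibit.io", "chainanalyser.com",
}
IOC_IPS = {
    "5.206.227.51", "70.34.245.118", "131.226.2.120", "136.244.93.248", "54.39.83.151",
    "195.133.26.32", "185.236.231.224", "194.11.226.16", "91.103.140.191", "192.236.199.57",
    "146.70.124.70", "45.141.58.40", "5.133.9.252", "146.19.173.29", "146.70.125.120",
    "185.62.58.74", "80.82.77.80", "192.248.145.210", "194.15.112.200", "91.234.199.90",
    "185.216.144.41", "91.193.18.201", "185.62.58.122", "23.254.230.253", "146.70.88.126",
    "79.137.248.193", "38.180.62.135",
}

# Field names assumed to carry hosts/URLs and IPs (taken from the queries above).
HOST_FIELDS = ("domainname", "url", "siteurl")
IP_FIELDS = ("srcipaddress", "dstipaddress")

def host_from_url(value):
    """Return the lowercase hostname of a URL or bare host (port and path dropped)."""
    value = value.strip().strip('"')
    if "://" not in value:
        value = "//" + value          # let urlsplit treat a bare host as the netloc
    host = urlsplit(value).hostname   # already lowercased by urlsplit
    return host.rstrip(".") if host else None

def domain_match(host):
    """Return the matching indicator if host equals a listed domain or is a subdomain of one.

    Walking the label suffixes means 'static.cdn.clublogos.io' hits 'cdn.clublogos.io',
    while 'cdn.soccerlab.io.example.net' or 'evil-getstockprice.com' do not.
    """
    if not host:
        return None
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None

def ip_match(value):
    """Return the indicator if value is a valid IP that appears in the IOC list."""
    try:
        normalized = str(ip_address(value.strip().strip('"')))
    except ValueError:
        return None
    return normalized if normalized in IOC_IPS else None

# key=value tokenizer; quoted values may contain spaces and '=' characters.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def match_log_line(line):
    """Return a list of (field, indicator) hits found in one key=value log line."""
    hits = []
    for key, raw in KV_RE.findall(line):
        if key in HOST_FIELDS:
            indicator = domain_match(host_from_url(raw))
        elif key in IP_FIELDS:
            indicator = ip_match(raw)
        else:
            continue
        if indicator:
            hits.append((key, indicator))
    return hits

def scan(lines):
    """Map line index -> hits for every line that matched at least one indicator."""
    results = {}
    for i, line in enumerate(lines):
        hits = match_log_line(line)
        if hits:
            results[i] = hits
    return results

# Constructed sample log lines (not real telemetry).
SAMPLE_LOGS = [
    'ts=2025-04-16T10:01:02Z user=dev1 url="https://api.BITZONE.io/v1/price?sym=ETH" dstipaddress=91.103.140.191',
    'ts=2025-04-16T10:02:15Z user=dev2 domainname=cdn.soccerlab.io.example.net dstipaddress=10.0.0.5',
    'ts=2025-04-16T10:03:40Z user=dev3 siteurl="https://static.cdn.clublogos.io/lib.js" srcipaddress=10.0.0.7',
    'ts=2025-04-16T10:04:01Z user=dev4 url="https://example.com/docs" dstipaddress=93.184.216.34',
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOGS).items():
        print(f"line {idx}: {hits}")
```

Lines 0 and 2 produce hits (the first on both the URL host and the destination IP); line 1 is a lookalike that contains an indicator as a substring and is correctly ignored, and line 3 is benign. If your pipeline only offers `like` without anchors, the suffix walk in `domain_match` is the behaviour to reproduce.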

    Reference:

    https://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware/


    Tags

    Malware, Threat Actor, Slow Pisces, Jade Sleet, TraderTraitor, PUKCHONG, North Korea, RN Loader, RN Stealer
