DPRK Hackers Exploit LinkedIn to Infect Developers with Infostealers

If you are a developer working on cryptocurrency projects, beware of people trying to hire you on LinkedIn – they could be North Korean hackers.
In an April 14 report, Unit 42, Palo Alto Networks’ research branch, shared new findings about Slow Pisces, a hacking group affiliated with the North Korean regime.
In a new malicious campaign that started in 2024, the group has been posing as recruiters on LinkedIn, targeting developers of cryptocurrency projects with malicious coding challenges.
These challenges leverage PDF lures, leading to malicious repositories on GitHub that distribute two new malware payloads, which Unit 42 researchers have named RN Loader and RN Stealer.
PDF Lures on LinkedIn Lead to Malicious GitHub Repositories
This campaign is executed in multiple steps.
First, the Slow Pisces hackers impersonate potential recruiters on LinkedIn and engage with likely targets, sending them a benign PDF with a job description. The targets are primarily involved in cryptocurrency projects.
If the targets apply, attackers present them with a coding challenge consisting of several tasks outlined in a question sheet.
These question sheets typically include generic software development tasks and a “real project” coding challenge, which links to a GitHub repository.
The repositories contain code adapted from open-source projects, including applications for viewing and analyzing stock market data, statistics from European soccer leagues, weather data and cryptocurrency prices.
“The group primarily used projects in either Python or JavaScript, likely depending on whether the target applied for a front-end or back-end development role. We also saw Java-based repositories in this campaign, though they were far less common, with only two instances impersonating a cryptocurrency application called jCoin,” the Unit 42 report reads.
The researchers added that undiscovered repositories might also exist for other programming languages.
Python Repositories Distribute Infostealer Malware
Typically, Slow Pisces uses repositories with multiple data sources, most of them legitimate and one of them malicious.
Slow Pisces avoids traditional malware delivery methods, which are easily detected, by having its command-and-control (C2) server first return valid, expected application data (such as a JSON list of S&P 500 company symbols) to the code in the target repository, so the project behaves as a legitimate one would.
The attackers then send malicious payloads only to carefully validated targets based on factors such as IP address, geolocation, time and HTTP headers.
By focusing on individuals contacted via LinkedIn rather than conducting broad phishing campaigns, the group tightly controls later campaign stages to deliver malware solely to intended victims.
The Unit 42 researchers identified two previously unknown payloads, RN Loader and RN Stealer.
RN Loader sends basic information about the victim machine and operating system over HTTPS to the hackers’ C2 server.
RN Stealer is an infostealer that exfiltrates data, including compressed data, from the victim’s device.
The researchers recovered the script for an RN Stealer sample from a macOS system. This sample was capable of stealing information specific to macOS devices, including:
- Basic victim information: Username, machine name and architecture
- Installed applications
- A directory listing and the top-level contents of the victim’s home directory
- The login.keychain-db file that stores saved credentials on macOS systems
- Stored SSH keys
- Configuration files for AWS, Kubernetes and Google Cloud
The Unit 42 researchers were not able to recover the full attack chain for JavaScript repositories.
Advanced Concealment Methods
Using LinkedIn and GitHub lures is a common tactic among North Korean threat actors, including Alluring Pisces and Contagious Interview.
However, Slow Pisces distinguishes itself with stringent operational security: it delivers payloads that exist solely in memory and deploys advanced concealment methods such as YAML deserialization and EJS escapeFunction only when necessary.
These tactics hinder analysis and detection, making it particularly challenging for inexperienced cryptocurrency developers to identify the threats.
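As an added illustration, not code from the Unit 42 report or from the campaign's repositories, the following Python script is the kind of triage check a developer could run over a "coding challenge" repository before executing anything in it. It parses each source file and flags calls that hand data to an unsafe deserialization or code-evaluation sink, which is the mechanism behind the YAML deserialization concealment described above and the reason a repository with several data sources, one of them malicious, can look harmless on a quick read. The sample module, its placeholder URLs and its function names are constructed for this example.

```python
import ast
from typing import List, Tuple

# Deserialization and code-execution sinks that should never receive bytes
# fetched from a remote "data source". Qualified names match calls of the
# form module.attr(...); bare names match plain calls such as eval(...).
UNSAFE_QUALIFIED = {
    "yaml.load", "yaml.unsafe_load", "yaml.full_load",
    "pickle.load", "pickle.loads", "marshal.load", "marshal.loads",
}
UNSAFE_BARE = {"eval", "exec"}
# yaml.load is acceptable only with one of these loader classes.
SAFE_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader"}


def _call_name(func: ast.AST) -> str:
    """Return 'module.attr' for module.attr(...), the bare name for name(...), else ''."""
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    if isinstance(func, ast.Name):
        return func.id
    return ""


def _is_safe_loader(expr: ast.AST) -> bool:
    """True for loader expressions such as yaml.SafeLoader or a bare SafeLoader."""
    if isinstance(expr, ast.Attribute):
        return expr.attr in SAFE_LOADERS
    if isinstance(expr, ast.Name):
        return expr.id in SAFE_LOADERS
    return False


def _yaml_load_is_safe(call: ast.Call) -> bool:
    """Accept yaml.load(stream, Loader=Safe...) or yaml.load(stream, Safe...)."""
    for kw in call.keywords:
        if kw.arg == "Loader":
            return _is_safe_loader(kw.value)
    if len(call.args) >= 2:
        return _is_safe_loader(call.args[1])
    # No loader given: older PyYAML versions default to an unsafe loader, so flag it.
    return False


def find_unsafe_sinks(source: str, filename: str = "<string>") -> List[Tuple[int, str]]:
    """Return sorted (line, sink) pairs for every unsafe sink call in a Python source file."""
    findings: List[Tuple[int, str]] = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node.func)
        if name in UNSAFE_BARE or name in UNSAFE_QUALIFIED:
            if name == "yaml.load" and _yaml_load_is_safe(node):
                continue
            findings.append((node.lineno, name))
    return sorted(findings)


# Constructed sample imitating a "data source" module in a coding-challenge
# repository: several fetchers, one of which hands a remote response body
# straight to an unsafe YAML loader. URLs and names are placeholders.
SAMPLE_DATA_SOURCE = '''
import requests
import yaml

SOURCES = {
    "sp500": "https://example.invalid/api/sp500.json",
    "prices": "https://example.invalid/api/prices.yaml",
}

def fetch_symbols():
    return requests.get(SOURCES["sp500"], timeout=10).json()

def fetch_prices():
    # Remote response body handed straight to the YAML loader.
    body = requests.get(SOURCES["prices"], timeout=10).text
    return yaml.load(body)

def fetch_config(path):
    with open(path) as f:
        return yaml.load(f, Loader=yaml.SafeLoader)
'''

if __name__ == "__main__":
    for line, sink in find_unsafe_sinks(SAMPLE_DATA_SOURCE, "data_source.py"):
        print(f"data_source.py:{line}: unsafe sink {sink}()")
```

The check is purely syntactic: it only sees `module.attr(...)` and bare-name calls, so `from yaml import load` aliases or sinks reached through wrappers are not matched, and it says nothing about whether the flagged input is actually remote. It is meant as a first pass over an unfamiliar repository, not a substitute for running the code in an isolated environment on a machine that holds no credentials.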
Public reports on cryptocurrency heists suggest this campaign has been highly successful and may continue through 2025, underscoring the need for the strict segregation of corporate and personal devices to mitigate the risk of targeted social engineering attacks.
Unit 42 confirmed that GitHub and LinkedIn have taken down the relevant accounts and repositories.
Background on Slow Pisces
Slow Pisces (aka Jade Sleet, TraderTraitor and Pukchong) is a North Korean state-sponsored hacking group primarily focused on generating revenue for the regime, typically by targeting large organizations, with a focus on the cryptocurrency industry.
The group is reported to have stolen over $1bn from the cryptocurrency sector in 2023, using various methods such as fake trading applications, malware spread through the Node Package Manager (NPM) and supply chain compromises.
In December 2024, the FBI linked Slow Pisces to the theft of $308m from a Japan-based cryptocurrency company.
More recently, the group garnered attention for its alleged role in stealing $1.5bn from a Dubai cryptocurrency exchange.