{
	"id": "16f10bb9-d785-4d2b-a512-4985912dd0f7",
	"created_at": "2026-04-06T00:06:57.17956Z",
	"updated_at": "2026-04-10T03:38:20.758457Z",
	"deleted_at": null,
	"sha1_hash": "2621d3eca305604524ff853fde98838bed44deaa",
	"title": "Slow Pisces Targets Developers With Coding Challenges and Introduces New Customized Python Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2606095,
	"plain_text": "Slow Pisces Targets Developers With Coding Challenges and Introduces New Customized Python Malware\r\nBy Prashil Pattni\r\nPublished: 2025-04-14 · Archived: 2026-04-05 18:01:38 UTC\r\nExecutive Summary\r\nSlow Pisces (aka Jade Sleet, TraderTraitor, PUKCHONG) is a North Korean state-sponsored threat group primarily focused on generating revenue for the DPRK regime, typically by targeting large organizations in the cryptocurrency sector. This article analyzes their campaign that we believe is connected to recent cryptocurrency heists.\r\nIn this campaign, Slow Pisces engaged with cryptocurrency developers on LinkedIn, posing as potential employers and sending malware disguised as coding challenges. These challenges require developers to run a compromised project, infecting their systems using malware we have named RN Loader and RN Stealer.\r\nThe group reportedly stole over $1 billion USD from the cryptocurrency sector in 2023. They have achieved this using various methods, including fake trading applications, malware distributed via the Node Package Manager (NPM) and supply chain compromises.\r\nIn December 2024, the FBI attributed the theft of $308 million from a Japan-based cryptocurrency company to Slow Pisces. More recently, the group made headlines for its alleged involvement in the theft of $1.5 billion from a Dubai cryptocurrency exchange.\r\nWe have shared our threat intelligence with analysts at GitHub and LinkedIn to take down the relevant accounts and repositories.\r\nThey provided the following statement in response:\r\nGitHub and LinkedIn removed these malicious accounts for violating our respective terms of service. Across our products we use automated technology, combined with teams of investigation experts and member reporting, to combat bad actors and enforce terms of service. 
We continue to evolve and improve our processes and encourage our customers and members to report any suspicious activity.\r\nAdditional information\r\nGitHub users can find more information in our Acceptable Use Policies and report abuse and spam pages.\r\nLinkedIn users can learn more about identifying and reporting abuse here: Recognize and report spam, inappropriate, and abusive content\r\nThis report details how Slow Pisces conceals malware within its coding challenges and describes the group's subsequent tooling, aiming to provide the wider industry with a better understanding of this threat.\r\nhttps://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware/\r\nPage 1 of 13\n\nPalo Alto Networks customers are better protected from the threats discussed in this article through our Next-Generation Firewall with Advanced URL Filtering and Advanced DNS Security subscriptions.\r\nIf you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.\r\nTechnical Analysis\r\nOur visibility of this campaign broadly follows three steps, illustrated below in Figure 1.\r\nFigure 1. Overview of Slow Pisces “coding challenges” campaign.\r\nStage 1 - PDF Lures\r\nSlow Pisces began by impersonating recruiters on LinkedIn and engaging with potential targets, sending them a benign PDF with a job description as shown below in Figure 2. If the potential targets applied, attackers presented them with a coding challenge consisting of several tasks outlined in a question sheet.\r\nFigure 2. Benign PDF lures.\r\nWe have observed Slow Pisces impersonating several organizations with these lures, primarily in the cryptocurrency sector. The question sheets include generic software development tasks and a “real project” coding challenge, which links to a GitHub repository shown in Figure 3 below.\r\nFigure 3. 
“Real project” coding challenge contained in the PDF lure.\r\nStage 2 - GitHub Repositories\r\nSlow Pisces presented targets with so-called coding challenges as projects from GitHub repositories. The repositories contained code adapted from open-source projects, including applications for viewing and analyzing:\r\nStock market data\r\nStatistics from European soccer leagues\r\nWeather data\r\nCryptocurrency prices\r\nThe group primarily used projects in either Python or JavaScript, likely depending on whether the target applied for a front-end or back-end development role. We also saw Java-based repositories in this campaign, though they were far less common, with only two instances impersonating a cryptocurrency application called jCoin.\r\nThis scarcity suggests attackers might have created repositories on demand, based on a target's preferred programming language. Consequently, the group more frequently used languages more popular in the cryptocurrency sector, such as JavaScript and Python. Likewise, undiscovered repositories might also exist for other programming languages.\r\nStage 3a - Python Repository\r\nIn late 2024, the group used a project shown below in Figure 4 titled “Stocks Pattern Analyzer” adapted from a legitimate repository.\r\nFigure 4. “Stocks Pattern Analyzer” Python repository.\r\nMost of the code in the repository is benign. When targets attempt to run the project according to the question sheet, data is fetched from three remote locations:\r\nhxxps://en.wikipedia[.]org/wiki/List_of_S%26P_500_companies\r\nhxxps://en.wikipedia[.]org/wiki/Currency_pair\r\nhxxps://en.stockslab[.]org/symbols/sp500\r\nTwo of the URLs pull data from Wikipedia. The third URL uses a domain controlled by Slow Pisces. 
This pattern of mixing several legitimate data sources with a single malicious one is common in the group's Python repositories.\r\nThe malicious command-and-control (C2) server is configured to mimic the format of the legitimate sources. In this case, it uses an en subdomain and the .org top-level domain (TLD), matching the legitimate Wikipedia domain above.\r\nYAML Deserialization\r\nSlow Pisces could simply place malware directly in the repository or execute code from the C2 server using Python's built-in eval or exec functions. However, these techniques are easily detected, both by manual inspection and by antivirus solutions.\r\nInstead, Slow Pisces first ensures the C2 server responds with valid application data. For example, the repository mentioned above expects a list of S\u0026P 500 company symbols. The C2 URL initially replies with this data in a JSON-formatted list.\r\nThe threat actors only send a malicious payload to validated targets, likely based on IP address, geolocation, time and HTTP request headers. Focusing on individuals contacted via LinkedIn, as opposed to broad phishing campaigns, allows the group to tightly control the later stages of the campaign and deliver payloads only to expected victims.\r\nTo avoid the suspicious eval and exec functions, Slow Pisces uses YAML deserialization to execute its payload as shown in Figure 5.\r\nFigure 5. Python code showing the entry point of Slow Pisces’ malware using YAML deserialization.\r\nThis code fetches data from the C2 server via HTTPS and checks the Content-Type response header. If the header indicates JSON data (application/json), the code parses and returns the JSON to the application.\r\nIf the response indicates YAML data (application/yaml), the code uses the yaml.load() function from the PyYAML library to parse the data. 
This function is inherently unsafe and the PyYAML documentation explicitly recommends yaml.safe_load() for untrusted input.\r\nYAML is typically used for configuration files, like the example shown below:\r\nusername: slow\r\npassword: pisces\r\napi:\r\n  key: supersecret\r\n  url: example.com\r\nHowever, PyYAML can also serialize (yaml.dump()) and, through yaml.load(), deserialize arbitrary Python objects, not just plain configuration data. For example, a loop over the range object range(0, 5, 1) prints the numbers 0-4.\r\nIf this range object was serialized using yaml.dump() it would become the following:\r\n!!python/object/apply:builtins.range\r\n- 0\r\n- 5\r\n- 1\r\nFinally, when this data is passed to yaml.load(), PyYAML reconstructs the object by calling builtins.range(0, 5, 1). Nothing limits the tag to built-ins: any importable callable can be named after !!python/object/apply:, which is what makes yaml.load() on attacker-controlled input equivalent to code execution.\r\nThis highlights a potential detection point: payloads for the Python repository, and malware using YAML deserialization in general, contain !!python/object/apply:builtins when the payload calls a built-in Python function, and the shorter prefix !!python/object/apply: whenever any other module is used.\r\nThe following stages in Table 1 exist primarily in memory and generally have no footprint on disk. To aid the community in detection and awareness, we have uploaded these payloads to VirusTotal. The YAML deserialization payload executes malware we have named RN Loader and RN Stealer based on the C2 token format we observed in RN Stealer, which we discuss in the following sections.\r\nStage SHA256 Hash\r\nYAML Deserialization Payload 47e997b85ed3f51d2b1d37a6a61ae72185d9ceaf519e2fdb53bf7e761b7bc08f\r\nRN Loader 937c533bddb8bbcd908b62f2bf48e5bc11160505df20fea91d9600d999eafa79\r\nRN Stealer e89bf606fbed8f68127934758726bbb5e68e751427f3bcad3ddf883cb2b50fc7\r\nTable 1. 
Python repository payloads.\r\nSlow Pisces’ YAML deserialization payload begins by creating the folder Public in the victim’s home directory and creating a new file in that directory named __init__.py. Embedded Base64 data is decoded and written to this file, containing the next infection stage (RN Loader), which is then executed.\r\nRN Loader\r\nThis newly created file for RN Loader at ~/Public/__init__.py deletes itself after execution, ensuring that the stage exists solely in memory. It sends basic information about the victim machine and operating system over HTTPS to the same C2 at en.stockslab[.]org, followed by a command loop with the options listed in Table 2.\r\nCode Description\r\n0 Sleep for 20 seconds.\r\n1 Base64-decodes sent content and saves it to the file init.dll on Windows or init on all other operating systems. Sets the environment variable X_DATABASE_NAME to an empty string, then loads and executes the downloaded library using ctypes.cdll.LoadLibrary.\r\n2 Base64-decodes sent content and executes it using the Python built-in exec.\r\n3 Base64-decodes sent content and a parameter. Content is saved to the file dockerd, while the parameter is saved as docker-init. dockerd is then executed in a new process, with docker-init supplied as a command-line argument.\r\n9 Terminates execution.\r\nTable 2. RN Loader command table.\r\nThe payloads delivered through options 1 and 3 of the command loop in Table 2 are currently unknown and are likely triggered by specific conditions. However, we recovered a Python-based infostealer delivered by option 2, and we track this malware as RN Stealer.\r\nRN Stealer\r\nRN Stealer first generates a random victim ID, subsequently used as a cookie in all communications to the C2 server. 
It then requests an XOR key from the server for encrypting exfiltrated data.\r\nCommunication with the C2 server occurs over HTTPS, using Base64-encoded tokens to identify request and response types. The analyzed payload includes four token types:\r\nR0 – requesting XOR key\r\nR64 – exfiltrating data\r\nR128 – exfiltrating compressed data\r\nR256 – infostealer complete\r\nThe format of these token types, the letter R followed by an integer N, led to our names for this payload. We call the payload RN Stealer and the preceding stage RN Loader.\r\nWe recovered the script for this RN Stealer sample from a macOS system. Accordingly, the threat actors tailored this sample to steal information specific to macOS devices, including:\r\nBasic victim information: username, machine name and architecture\r\nInstalled applications\r\nA directory listing and the top-level contents of the victim’s home directory\r\nThe login.keychain-db file that stores saved credentials on macOS systems\r\nStored SSH keys\r\nConfiguration files for AWS, Kubernetes and Google Cloud\r\nThe data gathered by RN Stealer likely determines whether persistent access is necessary. If so, we can infer the following steps for this Python infection chain:\r\n1. The C2 server checks beaconing victims against unknown criteria. Valid victims receive a YAML deserialization payload. Invalid victims receive benign JSON data.\r\n2. The deserialization payload establishes a command loop with the C2 server, exfiltrating basic victim information and delivering a custom Python infostealer via option code 2 in Table 2.\r\n3. The infostealer gathers more detailed victim information, which attackers likely used to determine whether they needed continued access.\r\n3a. If continued access is required, the C2 server delivers a payload via option codes 1 or 3.\r\n3b. 
If access is no longer needed, option code 9 terminates the malware's execution, removing all access since the payload resides solely in memory.\r\nStage 3b - JavaScript Repository\r\nIf the targeted victims applied for a JavaScript role, they might instead encounter a “Cryptocurrency Dashboard” project, similar to the example in Figure 6 below.\r\nFigure 6. JavaScript repository.\r\nThis application contains a .env file holding both the C2 address and the legitimate data source:\r\nPORT=3000\r\nCOINGECKO_API_URL=hxxps://api.coingecko[.]com/api/v3\r\nJQUERY_API_URL=hxxps://update.jquerycloud[.]io/api/v1\r\nThe COINGECKO_API_URL value is used to fetch data for the Cryptocurrency Dashboard, while the JQUERY_API_URL value points to a C2 server controlled by Slow Pisces. Similar to the Python repository, the JavaScript C2 server only delivers payloads to validated targets; otherwise it responds with a version number.\r\nThe repository uses the Embedded JavaScript (EJS) templating tool, passing responses from the C2 server to the ejs.render() function, shown below in Figure 7.\r\nFigure 7. JavaScript code showing the entry point of Slow Pisces’ malware using the EJS render function.\r\nLike the use of yaml.load(), this is another technique Slow Pisces employs to conceal execution of arbitrary code from its C2 servers, and this method is perhaps only apparent when viewing a valid payload.\r\nThe EJS render function accepts various parameters, one of which is called view options. Within this, arbitrary JavaScript code can be supplied and executed through the key escapeFunction.\r\nA Taiwanese researcher who goes by the handle Huli discussed the technical details of how this results in arbitrary code execution in a CTF post. 
However, we can sufficiently understand that a payload structured as shown in Figure 8 will result in the code contained in escapeFunction being executed when passed to ejs.render().\r\nFigure 8. Partial EJS render payload.\r\nUnfortunately, we were not able to recover this payload in full. As such, we can only surmise that a new directory .jql is created under the user’s home directory, where a file called helper.js containing Base64-encoded data is dropped.\r\nInfrastructure\r\nThe timeline below in Figure 9 details the C2 infrastructure used in this campaign from February 2024 to February 2025, grouped by the type of repository served (JavaScript or Python).\r\nFigure 9. C2 infrastructure timeline.\r\nAs mentioned earlier, the domains in the infrastructure of this campaign can mimic the format of the legitimate sources used alongside them, frequently using subdomains such as api or cdn. We have discovered infrastructure associated with this campaign up to the time of this article.\r\nConclusion\r\nThis report has covered Slow Pisces’ most recent campaign, impersonating recruiters over LinkedIn to target developers in the cryptocurrency sector with malicious coding challenges. While we were not able to recover the full attack chain for JavaScript repositories, the Python version of the campaign delivered two new payloads that we have named RN Loader and RN Stealer.\r\nUsing LinkedIn and GitHub in this manner is not unique. Multiple DPRK-affiliated groups, such as Alluring Pisces and Contagious Interview, have used similar tactics.\r\nThese groups show no operational overlap, but their use of similar initial infection vectors is noteworthy.\r\nSlow Pisces stands out from their peers’ campaigns in operational security. Delivery of payloads at each stage is heavily guarded, existing in memory only. 
The group’s later-stage tooling is only deployed when necessary.\r\nIn particular, the group made use of two techniques to conceal functionality:\r\nYAML deserialization\r\nEJS escapeFunction\r\nBoth of these techniques greatly hinder analysis, detection and hunting. Similarly, relatively new or inexperienced developers in the cryptocurrency sector would have difficulty identifying these repositories as malicious.\r\nBased on public reports of cryptocurrency heists, this campaign appears highly successful and likely to persist in 2025. While this article highlighted two potential detection opportunities for YAML deserialization and EJS escapeFunction payloads, the most effective mitigation remains strict segregation of corporate and personal devices. This helps prevent the compromise of corporate systems through targeted social engineering campaigns.\r\nPalo Alto Networks Protection and Mitigation\r\nPalo Alto Networks customers are better protected from the threats discussed above through the following products:\r\nAdvanced URL Filtering and Advanced DNS Security\r\nIf you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:\r\nNorth America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)\r\nUK: +44.20.3743.3660\r\nEurope and Middle East: +31.20.299.3130\r\nAsia: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nAustralia: +61.2.4062.7950\r\nIndia: 00080005045107\r\nPalo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. 
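The two detection opportunities named in the conclusion above, a PyYAML Python-object tag in a YAML response and an escapeFunction key inside an EJS render payload, worked through as an added example. This is not Unit 42's code or the malware's: it rebuilds the Content-Type dispatch the report describes for the Python repository as a vulnerable function beside a hardened one, and runs a small scanner over constructed sample responses. The sample bodies, the nesting of escapeFunction under settings and view options, and all function names are assumptions made for the example. The scanner also generalizes beyond the !!python/object/apply:builtins prefix the report cites to the other PyYAML object tags (object, object/new, name, module), which are equally dangerous under yaml.load().

```python
# Added example, not Unit 42's code: the Content-Type dispatch the report
# describes, as the vulnerable routine beside a hardened one, plus a scanner for
# the two indicators the report names. Sample responses below are constructed.
import json
import re

try:
    import yaml  # PyYAML; the scanner and the refusal path work without it
except ImportError:
    yaml = None

PYYAML_AVAILABLE = yaml is not None

# Constructed stand-ins for C2 responses (shapes modelled on the report's text).
BENIGN_JSON = json.dumps(['AAPL', 'MSFT', 'NVDA'])   # decoy data for unvalidated targets
BENIGN_YAML = '''username: slow
password: pisces
api:
  key: supersecret
  url: example.com
'''
MALICIOUS_YAML = '''!!python/object/apply:builtins.range
- 0
- 5
- 1
'''
# Assumed nesting for the JavaScript side: escapeFunction under view options.
EJS_PAYLOAD = json.dumps({'settings': {'view options': {'escapeFunction': 'JS_BODY_PLACEHOLDER'}}})

# Every PyYAML tag that builds arbitrary Python objects when yaml.load() sees it.
PYTHON_TAG = re.compile(r'!!python/(?:object(?:/apply|/new)?|name|module)(?::[A-Za-z0-9_.]+)?')


def find_python_tags(text):
    '''Return the PyYAML object tags present in a body; empty for plain config YAML.'''
    return PYTHON_TAG.findall(text)


def find_keys(obj, wanted, path=''):
    '''Recursively list dotted paths at which a key named wanted occurs.'''
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = f'{path}.{key}' if path else str(key)
            if key == wanted:
                hits.append(here)
            hits.extend(find_keys(value, wanted, here))
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            hits.extend(find_keys(value, wanted, f'{path}[{index}]'))
    return hits


def vulnerable_dispatch(content_type, body):
    '''Mirrors the malware entry point: JSON is parsed, YAML goes to yaml.load().'''
    if content_type.startswith('application/json'):
        return json.loads(body)
    if content_type.startswith('application/yaml'):
        # yaml.Loader honours !!python/object/apply, so the server picks what runs.
        return yaml.load(body, Loader=yaml.Loader)
    raise ValueError(f'unexpected Content-Type: {content_type}')


def hardened_dispatch(content_type, body):
    '''Same interface, but YAML carrying object tags is refused and the rest is
    parsed with safe_load, which only ever builds plain data types.'''
    if content_type.startswith('application/json'):
        return json.loads(body)
    if content_type.startswith('application/yaml'):
        tags = find_python_tags(body)
        if tags:
            raise ValueError(f'refusing YAML with Python object tags: {tags}')
        if yaml is None:
            raise RuntimeError('PyYAML is not installed')
        return yaml.safe_load(body)
    raise ValueError(f'unexpected Content-Type: {content_type}')


def scan_response(content_type, body):
    '''Detection view of one response: the indicators it carries, if any.'''
    findings = list(find_python_tags(body))
    if content_type.startswith('application/json'):
        try:
            findings.extend(find_keys(json.loads(body), 'escapeFunction'))
        except ValueError:   # not valid JSON despite the header
            pass
    return findings


if __name__ == '__main__':
    for content_type, body in [('application/json', BENIGN_JSON),
                               ('application/yaml', BENIGN_YAML),
                               ('application/yaml', MALICIOUS_YAML),
                               ('application/json', EJS_PAYLOAD)]:
        print(content_type, scan_response(content_type, body))
    try:
        hardened_dispatch('application/yaml', MALICIOUS_YAML)
    except ValueError as err:
        print(err)
```

The decoy JSON still parses through hardened_dispatch(), so an application that swaps in the hardened routine keeps working while the C2 is serving benign data; only a response that would have reached yaml.load() with an object tag is refused. The same tag regex can be applied to proxy or EDR captures of application/yaml responses as a hunting rule, since it matches the payload before any decoding is needed.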
Learn more about the Cyber Threat Alliance.\r\nIndicators of Compromise\r\nDomain IP Address First Seen Last Seen Repository\r\ngetstockprice[.]com 70.34.245[.]118 2025-02-03 2025-02-20 Python\r\ncdn[.]clubinfo[.]io 5.206.227[.]51 2025-01-21 2025-02-19 Python\r\ngetstockprice[.]info 131.226.2[.]120 2025-01-21 2025-01-23 Python\r\napi[.]stockinfo[.]io 136.244.93[.]248 2024-10-30 2024-11-11 Python\r\ncdn[.]logoeye[.]net 54.39.83[.]151 2024-10-29 2024-11-03 Python\r\nen[.]wfinance[.]org 195.133.26[.]32 2024-10-12 2024-11-01 Python\r\nen[.]stocksindex[.]org 185.236.231[.]224 2024-09-11 2024-10-04 Python\r\ncdn[.]jqueryversion[.]net 194.11.226[.]16 2024-08-23 2024-09-23 JavaScript\r\nen[.]stockslab[.]org 91.103.140[.]191 2024-08-19 2024-09-12 Python\r\nupdate[.]jquerycloud[.]io 192.236.199[.]57 2024-07-03 2024-08-22 JavaScript\r\ncdn[.]soccerlab[.]io 146.70.124[.]70 2024-08-07 2024-08-21 Python\r\napi[.]coinpricehub[.]io 45.141.58[.]40 2024-05-06 2024-08-06 Java\r\ncdn[.]leaguehub[.]net 5.133.9[.]252 2024-07-15 2024-07-21 Python\r\ncdn[.]clublogos[.]io 146.19.173[.]29 2024-06-24 2024-07-12 Python\r\napi[.]jquery-release[.]com 146.70.125[.]120 2024-06-10 2024-06-28 JavaScript\r\ncdn[.]logosports[.]net 185.62.58[.]74 2024-05-08 2024-06-23 Python\r\nskypredict[.]org 80.82.77[.]80 2024-05-06 2024-06-16 JavaScript\r\napi[.]bitzone[.]io 192.248.145[.]210 2024-04-25 2024-05-13 Python\r\nweatherdatahub[.]org 194.15.112[.]200 2024-04-05 2024-05-03 JavaScript\r\napi[.]ethzone[.]io 91.234.199[.]90 2024-04-16 2024-04-24 Python\r\napi[.]fivebit[.]io 185.216.144[.]41 2024-04-08 2024-04-14 Python\r\nblockprices[.]io 91.193.18[.]201 2024-03-15 2024-04-09 JavaScript\r\napi[.]coinhar[.]io 185.62.58[.]122 2024-03-26 2024-04-09 Python\r\nmavenradar[.]com 23.254.230[.]253 2024-02-21 2024-03-26 JavaScript\r\nindobit[.]io 146.70.88[.]126 2024-03-19 2024-03-20 Python\r\napi[.]thaibit[.]io 79.137.248[.]193 2024-03-07 2024-03-09 Python\r\nchainanalyser[.]com 38.180.62[.]135 2024-02-23 2024-03-06 JavaScript\r\nSource: https://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware/"
	],
	"report_names": [
		"slow-pisces-new-custom-malware"
	],
	"threat_actors": [
		{
			"id": "4fc99d9b-9b66-4516-b0db-520fbef049ed",
			"created_at": "2025-10-29T02:00:51.949631Z",
			"updated_at": "2026-04-10T02:00:05.346203Z",
			"deleted_at": null,
			"main_name": "Contagious Interview",
			"aliases": [
				"Contagious Interview",
				"DeceptiveDevelopment",
				"Gwisin Gang",
				"Tenacious Pungsan",
				"DEV#POPPER",
				"PurpleBravo",
				"TAG-121"
			],
			"source_name": "MITRE:Contagious Interview",
			"tools": [
				"InvisibleFerret",
				"BeaverTail",
				"XORIndex Loader",
				"HexEval Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "0106b19a-ac99-4bc9-90b9-4647bfc5f3ce",
			"created_at": "2023-11-08T02:00:07.144995Z",
			"updated_at": "2026-04-10T02:00:03.425891Z",
			"deleted_at": null,
			"main_name": "TraderTraitor",
			"aliases": [
				"Pukchong",
				"Jade Sleet",
				"UNC4899"
			],
			"source_name": "MISPGALAXY:TraderTraitor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1bdb91cf-f1a6-4bed-8cfa-c7ea1b635ebd",
			"created_at": "2022-10-25T16:07:23.766784Z",
			"updated_at": "2026-04-10T02:00:04.7432Z",
			"deleted_at": null,
			"main_name": "Bluenoroff",
			"aliases": [
				"APT 38",
				"ATK 117",
				"Alluring Pisces",
				"Black Alicanto",
				"Bluenoroff",
				"CTG-6459",
				"Copernicium",
				"G0082",
				"Nickel Gladstone",
				"Sapphire Sleet",
				"Selective Pisces",
				"Stardust Chollima",
				"T-APT-15",
				"TA444",
				"TAG-71",
				"TEMP.Hermit"
			],
			"source_name": "ETDA:Bluenoroff",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434017,
	"ts_updated_at": 1775792300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2621d3eca305604524ff853fde98838bed44deaa.pdf",
		"text": "https://archive.orkl.eu/2621d3eca305604524ff853fde98838bed44deaa.txt",
		"img": "https://archive.orkl.eu/2621d3eca305604524ff853fde98838bed44deaa.jpg"
	}
}