{
	"id": "a0aa18aa-7895-44fa-878e-de9e86abadad",
	"created_at": "2026-04-06T00:20:11.486868Z",
	"updated_at": "2026-04-10T03:35:53.305438Z",
	"deleted_at": null,
	"sha1_hash": "83dbf3ac01f347dcb82ecea7b4e3f259049662d8",
	"title": "Jumpy Pisces Engages in Play Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 264568,
	"plain_text": "Jumpy Pisces Engages in Play Ransomware\r\nBy Unit 42\r\nPublished: 2024-10-30 · Archived: 2026-04-05 15:10:48 UTC\r\nExecutive Summary\r\nUnit 42 has identified Jumpy Pisces, a North Korean state-sponsored threat group associated with the\r\nReconnaissance General Bureau of the Korean People's Army, as a key player in a recent ransomware incident.\r\nOur investigation indicates a likely shift in the group’s tactics. We believe with moderate confidence that Jumpy\r\nPisces, or a faction of the group, is now collaborating with the Play ransomware group (Fiddling Scorpius).\r\nThis change marks the first observed instance of the group using existing ransomware infrastructure, potentially\r\nacting as an initial access broker (IAB) or an affiliate of the Play ransomware group. This shift in their tactics,\r\ntechniques and procedures (TTPs) signals deeper involvement in the broader ransomware threat landscape.\r\nJumpy Pisces, also known as Andariel and Onyx Sleet, was historically involved in cyberespionage, financial\r\ncrime and ransomware attacks. The group was indicted by the U.S. Justice Department for deploying custom-developed ransomware, Maui.\r\nWe expect their attacks will increasingly target a wide range of victims globally. 
Network defenders should view\r\nJumpy Pisces activity as a potential precursor to ransomware attacks, not just espionage, underscoring the need for\r\nheightened vigilance.\r\nPalo Alto Networks customers are better protected from the threats discussed in this article through the following\r\nproducts:\r\nCortex XDR and XSIAM\r\nAdvanced WildFire\r\nAdvanced URL Filtering and Advanced DNS Security\r\nIf you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response\r\nteam.\r\nJumpy Pisces’ Intrusion Leads to Play Ransomware\r\nIn early September 2024, Unit 42 engaged in incident response services for a client impacted by Play ransomware.\r\nPlay ransomware was first reported in mid-2022. A closed group we track as Fiddling Scorpius is believed to be\r\noperating this threat, for both developing and executing the attacks.\r\nSome suggest that Fiddling Scorpius has transitioned to a ransomware-as-a-service (RaaS) model. However, the\r\ngroup has announced on its Play ransomware leak site that it does not provide a RaaS ecosystem.\r\nhttps://unit42.paloaltonetworks.com/north-korean-threat-group-play-ransomware/\r\nPage 1 of 5\n\nDuring our investigation, we discovered with high confidence that the North Korean state-sponsored threat group\r\nJumpy Pisces gained initial access via a compromised user account in May 2024. Jumpy Pisces carried out lateral\r\nmovement and maintained persistence by spreading the open-source tool Sliver and their unique custom malware,\r\nDTrack, to other hosts via Server Message Block (SMB) protocol.\r\nThese remote tools continued to communicate with their command-and-control (C2) server until early September.\r\nThis ultimately led to the deployment of Play ransomware.\r\nThreat actors had access to the network between May and September 2024. Figure 1 shows an overview of the events\r\nfrom this time frame.\r\nAttack Lifecycle – Timeline of Events\r\nFigure 1. 
High-level timeline of events.\r\nWe observed the earliest signs of unauthorized activity at the end of May 2024. A compromised user account\r\naccessed a particular host through a firewall device. Partial registry dumps on the host indicate possible use of\r\nImpacket's credential harvesting module, secretsdump.py.\r\nAttackers copied files associated with the Sliver and DTrack malware families to various hosts using the\r\ncompromised account over SMB, with the following commands:\r\ncmd /c net use \\\\\u003cInternal IP\u003e\\C$ \u003cAccount Password\u003e /user:\u003cNetwork Domain\u003e\\\u003cAccount Username\u003e\r\ncmd /c copy \u003cPath to malware\u003e \\\\\u003cInternal IP\u003e\\C$\\\u003cPath to malware\u003e\r\nDTrack execution was blocked by the endpoint detection and response (EDR) solution. However, we did observe\r\nSliver beaconing activity spanning multiple days until early September 2024, with quiet periods in July and\r\nsporadically on other days.\r\nIn early September, an unidentified threat actor entered the network through the same compromised user account\r\nused by Jumpy Pisces. They carried out pre-ransomware activities including credential harvesting, privilege\r\nescalation and the uninstallation of EDR sensors, which eventually led to the deployment of Play ransomware.\r\nThreat Actor Tooling\r\nWe observed the following tools and malware during the attack timeline up to the day before the attackers\r\ndeployed the ransomware. Note that some of the suspicious files observed did not successfully execute, or were\r\nnot recoverable at the time of investigation.\r\nSliver: Attackers used a customized version of the open-source, red-teaming tool for C2 purposes. This tool\r\nis often seen as an alternative to Cobalt Strike. This customized version beacons to the IP address\r\n172.96.137[.]224. This IP address has been flagged as a Sliver C2. 
Both the IP address and the\r\ncorresponding domain americajobmail[.]site have been linked to Jumpy Pisces.\r\nDTrack: This is an infostealer previously used in reported incidents attributed to North Korean threat\r\ngroups. The data it collects is compressed and disguised as a GIF file.\r\nAttackers used a dedicated tool built to create a privileged user account on victim machines with Remote\r\nDesktop Protocol (RDP) enabled.\r\nMimikatz: Attackers used a customized version of the publicly available credential dumping tool, with\r\nC:\\windows\\temp\\KB0722.log as its credential dump log.\r\nAttackers used a trojanized binary that steals browser history, autofills and credit card details for Chrome,\r\nEdge and Brave internet browsers. The scraped information is saved in a file in %TEMP% directory.\r\nAll the above-mentioned files were signed using a couple of invalid certificates that we note in the Indicators of\r\nCompromise section of this article. These certificates, previously linked to Jumpy Pisces, enabled the files to\r\nimpersonate ones created by legitimate entities.\r\nAssessment of Jumpy Pisces – Play Ransomware Collaboration\r\nWe assess with moderate confidence a degree of collaboration between Jumpy Pisces and Play Ransomware in\r\nthis incident, based on the following factors:\r\nThe compromised account that attackers used for initial access and subsequent spreading of the Jumpy\r\nPisces-linked toolset (e.g., Sliver and DTrack), was the same one used prior to ransomware deployment.\r\nThe ransomware actor leveraged the account to abuse Windows access tokens, move laterally and escalate\r\nto SYSTEM privileges via PsExec. This eventually led to the mass uninstallation of EDR sensors and the\r\nonset of Play ransomware activity.\r\nAs highlighted previously, we observed Sliver C2 communication until the day before ransomware\r\ndeployment. 
Furthermore, our research suggests that the C2 IP address 172.96.137[.]224 has been\r\noffline since the day attackers deployed Play ransomware in this incident.\r\nAdlumin’s report on Play ransomware suggests various commonalities in TTPs across multiple attacks\r\nthey’ve tracked. One such TTP was the presence of its tools in the folder C:\\Users\\Public\\Music. We\r\nobserved some tools used prior to ransomware deployment (i.e., TokenPlayer for Windows access token\r\nabuse, and PsExec) both located in C:\\Users\\Public\\Music.\r\nConclusion\r\nIt remains unclear whether Jumpy Pisces has officially become an affiliate for Play ransomware or if they acted as\r\nan IAB by selling network access to Play ransomware actors. If Play ransomware does not provide a RaaS\r\necosystem as it claims, Jumpy Pisces might only have acted as an IAB.\r\nEither way, this incident is significant because it marks the first recorded collaboration between the Jumpy Pisces\r\nNorth Korean state-sponsored group and an underground ransomware network. 
This development could indicate a\r\nfuture trend where North Korean threat groups will increasingly participate in broader ransomware campaigns,\r\npotentially leading to more widespread and damaging attacks globally.\r\nPalo Alto Networks Protection and Mitigation\r\nPalo Alto Networks customers are better protected from the threats discussed above through the following\r\nproducts:\r\nAdvanced WildFire cloud-delivered malware analysis service accurately identifies the known samples as\r\nmalicious.\r\nAdvanced URL Filtering and Advanced DNS Security identify known URLs and domains associated with\r\nthis activity as malicious.\r\nCortex XDR detects and prevents all samples mentioned in this article.\r\nIf you think you might have been compromised or have an urgent matter, get in touch with the Unit 42 Incident\r\nResponse team or call:\r\nNorth America Toll-Free: 866.486.4842 (866.4.UNIT42)\r\nEMEA: +31.20.299.3130\r\nAPAC: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nPalo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA\r\nmembers use this intelligence to rapidly deploy protections to their customers and to systematically disrupt\r\nmalicious cyber actors. 
Learn more about the Cyber Threat Alliance.\r\nIndicators of Compromise\r\nSHA256 Hashes\r\nSliver C2 Server Information\r\n172.96.137[.]224\r\namericajobmail[.]site\r\nCode Signing Certificate Details\r\nSHA256 hash: b4f5d37732272f18206242ccd00f6cad9fbfc12fae9173bb69f53fffeba5553f\r\nChain: 6e95d94d5d8ed2275559256c5fb5fc6d01da6b46\r\nIssuer: CN=LAMERA CORPORATION LIMITED\r\nNotBefore: 2/10/2022 9:44 PM\r\nNotAfter: 12/31/2039 4:59 PM\r\nSubject: CN=LAMERA CORPORATION LIMITED\r\nSerial: 879fa942f9f097b74fd6f7dabcf1745a\r\nCert: 6e95d94d5d8ed2275559256c5fb5fc6d01da6b46\r\nSHA256 hash: f64dab23c50e3d131abcc1bdbb35ce9d68a34920dd77677730568c24a84411c5\r\nChain: 6624c7b8faac176d1c1cb10b03e7ee58a4853f91\r\nIssuer: CN=Tableau Software Inc.\r\nNotBefore: 5/27/2023 11:15 AM\r\nNotAfter: 12/31/2039 4:59 PM\r\nSubject: CN=Tableau Software Inc.\r\nSerial: 76cb5d1e6c2b6895428115705d9ac765\r\nCert: 6624c7b8faac176d1c1cb10b03e7ee58a4853f91\r\nAdditional Resources\r\nThreat Actor Groups Tracked by Palo Alto Networks Unit 42 – Unit 42, Palo Alto Networks\r\nNorth Korean Government Hacker Charged for Involvement in Ransomware Attacks Targeting U.S.\r\nHospitals and Health Care Providers – U.S. Department of Justice\r\nPlayCrypt Ransomware-as-a-Service Expands Threat from Script Kiddies and Sophisticated Attackers –\r\nAdlumin\r\nStonefly: Extortion Attacks Continue Against U.S. 
Targets – Symantec, Broadcom\r\nOnyx Sleet uses array of malware to gather intelligence for North Korea – Microsoft\r\nNorth Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public\r\nHealth Sector – Cybersecurity and Infrastructure Security Agency (CISA)\r\n#StopRansomware: Play Ransomware – Cybersecurity and Infrastructure Security Agency (CISA)\r\nAndariel deploys DTrack and Maui ransomware – Kaspersky\r\nSource: https://unit42.paloaltonetworks.com/north-korean-threat-group-play-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/north-korean-threat-group-play-ransomware/"
	],
	"report_names": [
		"north-korean-threat-group-play-ransomware"
	],
	"threat_actors": [
		{
			"id": "838f6ced-12a4-4893-991a-36d231d96efd",
			"created_at": "2022-10-25T15:50:23.347455Z",
			"updated_at": "2026-04-10T02:00:05.295717Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"Andariel",
				"Silent Chollima",
				"PLUTONIUM",
				"Onyx Sleet"
			],
			"source_name": "MITRE:Andariel",
			"tools": [
				"Rifdoor",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "110e7160-a8cc-4a66-8550-f19f7d418117",
			"created_at": "2023-01-06T13:46:38.427592Z",
			"updated_at": "2026-04-10T02:00:02.969896Z",
			"deleted_at": null,
			"main_name": "Silent Chollima",
			"aliases": [
				"Onyx Sleet",
				"PLUTONIUM",
				"OperationTroy",
				"Guardian of Peace",
				"GOP",
				"WHOis Team",
				"Andariel",
				"Subgroup: Andariel"
			],
			"source_name": "MISPGALAXY:Silent Chollima",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc6e3644-3249-44f3-a277-354b7966dd1b",
			"created_at": "2022-10-25T16:07:23.760559Z",
			"updated_at": "2026-04-10T02:00:04.741239Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"APT 45",
				"Andariel",
				"G0138",
				"Jumpy Pisces",
				"Onyx Sleet",
				"Operation BLACKMINE",
				"Operation BLACKSHEEP/Phase 3.",
				"Operation Blacksmith",
				"Operation DESERTWOLF/Phase 3",
				"Operation GHOSTRAT",
				"Operation GoldenAxe",
				"Operation INITROY/Phase 1",
				"Operation INITROY/Phase 2",
				"Operation Mayday",
				"Operation VANXATM",
				"Operation XEDA",
				"Plutonium",
				"Silent Chollima",
				"Stonefly"
			],
			"source_name": "ETDA:Andariel",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "771d9263-076e-4b6e-bd58-92b6555eb739",
			"created_at": "2025-08-07T02:03:25.092436Z",
			"updated_at": "2026-04-10T02:00:03.758541Z",
			"deleted_at": null,
			"main_name": "NICKEL HYATT",
			"aliases": [
				"APT45 ",
				"Andariel",
				"Dark Seoul",
				"Jumpy Pisces ",
				"Onyx Sleet ",
				"RIFLE Campaign",
				"Silent Chollima ",
				"Stonefly ",
				"UN614 "
			],
			"source_name": "Secureworks:NICKEL HYATT",
			"tools": [
				"ActiveX 0-day",
				"DTrack",
				"HazyLoad",
				"HotCriossant",
				"Rifle",
				"UnitBot",
				"Valefor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9afb532d-6183-46ed-a638-595c9e49056b",
			"created_at": "2024-06-19T02:03:08.032166Z",
			"updated_at": "2026-04-10T02:00:03.700322Z",
			"deleted_at": null,
			"main_name": "GOLD ENCORE",
			"aliases": [
				"Balloonfly ",
				"Fiddling Scorpius "
			],
			"source_name": "Secureworks:GOLD ENCORE",
			"tools": [
				"ADFind",
				"Bloodhound",
				"Cobalt Strike",
				"GMER",
				"Grixba",
				"Mimikatz",
				"Nekto",
				"Play",
				"Plink",
				"PowerTool",
				"Process Hacker",
				"PsExec",
				"SystemBC",
				"WinRAR",
				"WinSCP",
				"Winpeas"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434811,
	"ts_updated_at": 1775792153,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/83dbf3ac01f347dcb82ecea7b4e3f259049662d8.pdf",
		"text": "https://archive.orkl.eu/83dbf3ac01f347dcb82ecea7b4e3f259049662d8.txt",
		"img": "https://archive.orkl.eu/83dbf3ac01f347dcb82ecea7b4e3f259049662d8.jpg"
	}
}