
Crypto Devs Lured Into Malware Trap by North Korea Hackers

IMAGE CREDITS: PYMNTS

The North Korea-linked hacking group responsible for the Bybit exchange breach in February 2025 is now targeting cryptocurrency developers through a stealthy campaign disguised as coding challenges. The threat actor, tracked as Slow Pisces—also known by aliases such as Jade Sleet, TraderTraitor, PUKCHONG, and UNC4899—has been linked to this new wave of attacks by Palo Alto Networks’ Unit 42.

According to security researcher Prashil Pattni, the group is luring developers on LinkedIn by posing as recruiters and sending fake job offers. Victims are then asked to complete a coding task, which involves running a trojanized project containing two malware variants: RN Loader and RN Stealer.

These attacks primarily target developers in the cryptocurrency and blockchain industries. The coding challenge often begins with a seemingly harmless PDF document describing the task and linking to a GitHub-hosted project. Running this project compromises the developer’s machine.

A Familiar Yet Sophisticated Playbook

This method isn’t new. In July 2023, GitHub disclosed that similar tactics were used to deliver malicious npm packages. And in June, Mandiant detailed how attackers sent a clean PDF followed by a compromised Python project, which disguised itself as a crypto price viewer but actually downloaded second-stage malware based on system criteria like IP address, geolocation, and HTTP headers.

The latest campaign sticks to that same strategy. By carefully validating each victim before delivering malicious payloads, Slow Pisces avoids detection and maintains strict operational control.

RN Loader and RN Stealer: What They Do

Once executed, RN Loader collects basic system information and transmits it over HTTPS to a remote server. If the victim meets predefined criteria, the server sends a second-stage payload—a Base64-encoded blob that executes the RN Stealer malware.

RN Stealer is capable of harvesting sensitive data from Apple macOS systems, including:

  • System metadata
  • Installed applications
  • Directory contents
  • iCloud Keychain data
  • Stored SSH keys
  • AWS, Kubernetes, and Google Cloud configuration files

This comprehensive data theft enables attackers to assess the value of continued access and possibly expand their intrusion.

Developers applying for JavaScript roles have been directed to download a “Cryptocurrency Dashboard” project, which includes an embedded JavaScript (EJS) templating tool. Malicious commands are passed to the ejs.render() function—an evasive method to hide arbitrary code execution from casual inspection.

Similar tactics are used in Python-based attacks, where YAML deserialization (yaml.load()) is leveraged to execute hidden payloads.
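The defensive counterpart to the yaml.load() trick above, as an added example that is not code from the article or from Unit 42: a pure-stdlib pre-parse scanner that flags any non-core YAML tag (above all the PyYAML `!!python/...` tags that yaml.load() with the full or unsafe loaders turns into object construction), and a loader wrapper that refuses such documents and otherwise only ever calls yaml.safe_load(). The two sample documents are constructed, and the tag target `placeholder.run` is a placeholder that is never resolved.

```python
import re
from typing import List, Dict

try:
    import yaml  # PyYAML; optional, only needed by load_untrusted_yaml()
except ImportError:  # the scanner itself needs nothing beyond the stdlib
    yaml = None

# Tags of the YAML core schema; anything else is treated as suspicious.
SAFE_GLOBAL_TAGS = {"!!str", "!!int", "!!float", "!!bool", "!!null", "!!map",
                    "!!seq", "!!set", "!!binary", "!!timestamp", "!!omap", "!!pairs"}
# A tag token starts a line or follows whitespace, '-', ':', '[', ',' or '{'.
TAG_RE = re.compile(r"(?:^|(?<=[\s\-:\[,{]))(!!?[A-Za-z0-9_./:\-]+)")
QUOTED_RE = re.compile(r'"(?:[^"\\]|\\.)*"|\'(?:[^\']|\'\')*\'')
COMMENT_RE = re.compile(r"(?:^|\s)#.*$")


def scan_yaml_tags(text: str) -> List[Dict[str, object]]:
    """Return every non-core YAML tag with its line number and a risk label."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        # Blank out quoted scalars and comments so a '!' inside them is ignored.
        line = COMMENT_RE.sub("", QUOTED_RE.sub('""', raw))
        for tag in TAG_RE.findall(line):
            if tag in SAFE_GLOBAL_TAGS:
                continue
            if tag.startswith("!!python/"):
                risk = "high"    # PyYAML object/callable construction tag
            else:
                risk = "medium"  # unknown global tag or local tag needing a constructor
            findings.append({"line": lineno, "tag": tag, "risk": risk})
    return findings


def load_untrusted_yaml(text: str):
    """Reject documents carrying non-core tags, then parse with safe_load only."""
    findings = scan_yaml_tags(text)
    if findings:
        raise ValueError(f"refusing to parse YAML with non-core tags: {findings}")
    if yaml is None:
        raise RuntimeError("PyYAML is not installed")
    return yaml.safe_load(text)  # never yaml.load() with Loader/FullLoader/UnsafeLoader


# Constructed samples: a benign config, and one carrying an object-construction tag.
BENIGN_CONFIG = "api_url: https://api.example/prices  # poll target\nrefresh: 30\n"
TAGGED_CONFIG = "api_url: 'Hi!'\nhooks:\n  - !!python/object/apply:placeholder.run []\n"
```

A project that ships a `config.yaml` next to its entry point can run scan_yaml_tags() over it before any parse, which is cheaper than auditing every yaml.load() call site.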

Broader Trend of Job-Themed Lures Beyond Crypto

The campaign bears similarities to previous North Korea-sponsored operations like Operation Dream Job, Contagious Interview, and Alluring Pisces, all of which use fake job offers to infiltrate systems. However, Unit 42 notes that Slow Pisces is uniquely stealthy, with multi-stage malware that often runs entirely in memory and deploys final-stage tools only when necessary.

“Unlike broader phishing campaigns, this one is highly targeted,” said Pattni. “The attackers only deliver payloads to validated victims, allowing them to control each step and reduce the risk of exposure.”
