Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and MacOS Backdoors

SUMMARY :

Unit 42 researchers have uncovered an ongoing campaign involving poisoned Python packages that deliver Linux and macOS backdoors. The attackers, believed to be the North Korean-affiliated group Gleaming Pisces, uploaded malicious packages to PyPI. The campaign's objective appears to be gaining access to supply chain vendors and their customers. The malware, named PondRAT, shares similarities with POOLRAT, a known tool in Gleaming Pisces' arsenal. The infection chain involves several stages of encoded code execution, ultimately downloading and running the RAT. Similarities in code structure, function names, and encryption keys between PondRAT and previously attributed malware strengthen the connection to Gleaming Pisces. The research also revealed Linux variants of POOLRAT, expanding the group's cross-platform capabilities.

OPENCTI LABELS :

rat,macos,cryptocurrency,poolrat,pondrat,applejeus


Open in NetmanageIT OpenCTI Public Instance with below link!


Use public read only username and password on login page.

NOTE : Use Public READ only user credentials on login page banner.


Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and MacOS Backdoors