{"id":168781,"date":"2024-09-23T12:50:11","date_gmt":"2024-09-23T12:50:11","guid":{"rendered":"https:\/\/securityaffairs.com\/?p=168781"},"modified":"2024-09-23T12:50:14","modified_gmt":"2024-09-23T12:50:14","slug":"gleaming-pisces-malicious-python-packages","status":"publish","type":"post","link":"https:\/\/securityaffairs.com\/168781\/apt\/gleaming-pisces-malicious-python-packages.html","title":{"rendered":"North Korea-linked APT Gleaming Pisces deliver new PondRAT backdoor via malicious Python packages"},"content":{"rendered":"
<\/div>\n

North Korea-linked APT group Gleaming Pisces is distributing a new malware called PondRAT through tainted Python packages.<\/h2>\n\n\n\n

Unit 42 researchers uncovered an ongoing campaign distributing the Linux and macOS malware PondRAT through poisoned Python packages. The campaign is attributed to the North Korea-linked threat actor Gleaming Pisces (also known as Citrine Sleet<\/a>), who previously distributed the macOS remote administration tool POOLRAT (aka SIMPLESEA<\/a>). PondRAT appears to be a lighter variant of POOLRAT. The attackers uploaded malicious packages to the Python repository PyPI. Threat actors attempted to compromise developers’ systems and, in turn, the supply chain vendors and their customers. <\/p>\n\n\n\n

North Korea-linked APT Gleaming Pisces has been active since at least 2018 and is known for sophisticated attacks against the cryptocurrency industry.<\/p>\n\n\n\n

Researchers discovered that the PondRAT malware shares significant similarities with macOS malware used in a previous AppleJeus<\/a> campaign attributed to the Gleaming Pisces APT group. These similarities include overlapping code structures, identical function names, encryption keys, and similar execution flows. The attribution of this campaign to the same threat actor is based on the fact that PondRAT is closely related to the POOLRAT macOS remote access tool.<\/p>\n\n\n\n

The researchers identified the following malware-laced packages in the PyPI repository, which have already been removed:<\/p>\n\n\n\n