The analysis of POOLRAT revealed that the Linux and macOS versions use an identical function structure for loading their configurations, including similar method names and functionality. Experts speculate that the Linux version borrows its code from the macOS malware.
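Analysts reach conclusions like the one above by comparing the function names defined in the two builds. The script below is an added example (not code from the article or from the Unit 42 report) of that comparison; the symbol names in it are constructed placeholders, not names taken from any POOLRAT or PondRAT sample. The one detail worth knowing is that Mach-O binaries prefix C symbols with a single underscore, so a naive comparison of macOS and Linux symbol tables finds no matches at all unless that prefix is normalized away.

```python
"""Quantify cross-platform code reuse from two binaries' function names.

Added example: the symbol lists are constructed placeholders (hypothetical),
not extracted from any real sample. In practice they would come from
`nm -g <binary>` or `objdump -t <binary>` run on each build.
"""
from dataclasses import dataclass

# Constructed, hypothetical symbol lists for a macOS (Mach-O) and a Linux (ELF) build.
MACHO_SYMBOLS = [
    "_load_config", "_decrypt_config", "_connect_c2",
    "_handle_command", "_main", "_dyld_stub_binder",
]
ELF_SYMBOLS = [
    "load_config", "decrypt_config", "connect_c2",
    "handle_command", "cleanup", "main", "_start", "__libc_start_main",
]

# Runtime and linker symbols present in nearly every binary; they carry no
# information about whether two samples share application code.
RUNTIME_NOISE = {
    "main", "_start", "__libc_start_main", "dyld_stub_binder", "_init", "_fini",
}


def normalize(name: str, fmt: str) -> str:
    """Mach-O exports C symbols with a leading underscore ("_load_config");
    ELF does not ("load_config"). Strip exactly one underscore for Mach-O so
    the two spellings compare as the same function."""
    if fmt == "macho" and name.startswith("_"):
        return name[1:]
    return name


def function_set(symbols, fmt: str) -> set:
    """Normalized symbol names with runtime noise removed."""
    return {normalize(s, fmt) for s in symbols} - RUNTIME_NOISE


@dataclass
class ReuseReport:
    shared: set
    only_a: set
    only_b: set
    jaccard: float  # |shared| / |union|, 0.0 when both sets are empty


def compare_symbols(a, fmt_a: str, b, fmt_b: str) -> ReuseReport:
    """Compare two symbol lists and report overlap as a Jaccard similarity."""
    sa, sb = function_set(a, fmt_a), function_set(b, fmt_b)
    shared, union = sa & sb, sa | sb
    score = len(shared) / len(union) if union else 0.0
    return ReuseReport(shared, sa - sb, sb - sa, score)


if __name__ == "__main__":
    report = compare_symbols(MACHO_SYMBOLS, "macho", ELF_SYMBOLS, "elf")
    print(f"shared functions : {sorted(report.shared)}")
    print(f"macOS only       : {sorted(report.only_a)}")
    print(f"Linux only       : {sorted(report.only_b)}")
    print(f"Jaccard similarity: {report.jaccard:.2f}")
```

A high score on the application-level names, after runtime noise is removed, is evidence of shared source rather than of two independently written tools; the remaining "only on one platform" names are then the interesting list, since they point at platform-specific additions.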
Analysis of PondRAT samples revealed that its command handler shares similarities with POOLRAT. PondRAT supports basic commands to upload and download files, check whether the implant is active, pause operations ("sleep"), and execute commands, with the option to retrieve their output. PondRAT's functionality is similar to POOLRAT's but more limited; for this reason, researchers describe PondRAT as a lighter version of POOLRAT.
“The evidence of additional Linux variants of POOLRAT showed that Gleaming Pisces has been enhancing its capabilities across both Linux and macOS platforms,” concludes the report.
“The weaponization of legitimate-looking Python packages across multiple operating systems poses a significant risk to organizations. Such attacks pose a great risk because they can easily remain under the radar and pose detection challenges. Successful installation of malicious third-party packages can result in malware infection that compromises an entire network.”