Pulse name: Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and macOS Backdoors
TLP: WHITE
Adversary: Gleaming Pisces
Author: AlienVault
Created: 2024-09-19, Modified: 2024-09-19
Indicators: 38 (medium volume)
Unit 42 researchers have uncovered an ongoing campaign involving poisoned Python packages that deliver Linux and macOS backdoors. The attackers, believed to be the North Korean-affiliated group Gleaming Pisces, uploaded malicious packages to PyPI. The campaign's objective appears to be gaining access to supply chain vendors and their customers. The malware, named PondRAT, shares similarities with POOLRAT, a known tool in Gleaming Pisces' arsenal. The infection chain involves several stages of encoded code execution, ultimately downloading and running the RAT. Similarities in code structure, function names, and encryption keys between PondRAT and previously attributed malware strengthen the connection to Gleaming Pisces. The research also revealed Linux variants of POOLRAT, expanding the group's cross-platform capabilities.
MITRE ATT&CK & Malware Families
ATT&CK techniques: none listed
Malware families: PondRAT, POOLRAT, AppleJeus (S0584)
Indicators of Compromise (38)
TYPE INDICATOR DESCRIPTION CREATED
CVE CVE-2024-3094 2024-09-19
CVE CVE-2024-3400 2024-09-19
FileHash-MD5 05957d98a75c04597649295dc846682d 2024-09-19
FileHash-MD5 17ab2927a235a0b98480945285767bcf 2024-09-19
FileHash-MD5 33c9a47debdb07824c6c51e13740bdfe 2024-09-19
FileHash-MD5 451c23709ecd5a8461ad060f6346930c 2024-09-19
FileHash-MD5 4c66950d791ff5d39d53ffcd0b52a64d 2024-09-19
FileHash-MD5 61d7b2c7814971e5323ec67b3a3d7f45 2024-09-19
FileHash-MD5 6f2f61783a4a59449db4ba37211fa331 2024-09-19
FileHash-MD5 b62c912de846e743effdf7e5654a7605 2024-09-19
FileHash-MD5 ce35c935dcc9d55b2c79945bac77dc8e 2024-09-19
FileHash-MD5 f50c83a4147b86cdb20cc1fbae458865 2024-09-19
FileHash-SHA1 58b0516d28bd7218b1908fb266b8fe7582e22a5f 2024-09-19
FileHash-SHA1 676537b0f7707feae0130bbcbdc881f5b4eb3f03 2024-09-19
FileHash-SHA1 6f391d282a37b770abcedd08c4c0e2156076cd8e 2024-09-19
FileHash-SHA1 720e6abf3befb585164450325246fe9cb000268f 2024-09-19
FileHash-SHA1 7637ee2925c88110fc15a77c120bf70dc66e84a7 2024-09-19
FileHash-SHA1 7b6e6487b803bbe85d7466b89da51a269fa4fc29 2024-09-19
FileHash-SHA1 8027c1d1ac0fd7d40ee850119c6d4501fbe75eab 2024-09-19
FileHash-SHA1 8a030a03570134cee4659b1b1f666f6f48c27fa5 2024-09-19
FileHash-SHA1 d4b96e9d966b0f1e9ff1ef61a8d09c9020254652 2024-09-19
FileHash-SHA1 dd5bb0609b92163d8834a37a517885ce0b512938 2024-09-19
FileHash-SHA256 0b5db31e47b0dccfdec46e74c0e70c6a1684768dbacc9eacbb4fd2ef851994c7 2024-09-19
FileHash-SHA256 3c8dbfcbb4fccbaf924f9a650a04cb4715f4a58d51ef49cc75bfcef0ac258a3e 2024-09-19
FileHash-SHA256 5c907b722c53a5be256dc5f96b755bc9e0b032cc30973a52d984d4174bace456 2024-09-19
FileHash-SHA256 5e40d106977017b1ed235419b1e59ff090e1f43ac57da1bb5d80d66ae53b1df8 2024-09-19
FileHash-SHA256 91eaf215be336eae983d069de16630cc3580e222c427f785e0da312d0692d0fd 2024-09-19
FileHash-SHA256 973f7939ea03fd2c9663dafc21bb968f56ed1b9a56b0284acf73c3ee141c053c 2024-09-19
FileHash-SHA256 bce1eb513aaac344b5b8f7a9ba9c9e36fc89926d327ee5cc095fb4a895a12f80 2024-09-19
FileHash-SHA256 bfd74b4a1b413fa785a49ca4a9c0594441a3e01983fc7f86125376fdbd4acf6b 2024-09-19
FileHash-SHA256 cbf4cfa2d3c3fb04fe349161e051a8cf9b6a29f8af0c3d93db953e5b5dc39c86 2024-09-19
FileHash-SHA256 f3b0da965a4050ab00fce727bb31e0f889a9c05d68d777a8068cfc15a71d3703 2024-09-19
URL http://rgedist.com/sfxl.php 2024-09-19
URL http://www.talesseries.com/write.php 2024-09-19
domain jdkgradle.com 2024-09-19
domain rebelthumb.net 2024-09-19
domain rgedist.com 2024-09-19
hostname www.talesseries.com 2024-09-19