Pulse name: Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and macOS Backdoors
TLP: WHITE | Adversary: Gleaming Pisces | Author: AlienVault | Created: 2026-05-04 | Modified: 2026-05-04
Indicators: 33 IOCs | Volume: medium
An ongoing campaign has been discovered delivering Linux and macOS backdoors through poisoned Python packages uploaded to the PyPI repository. The activity is attributed with medium confidence to Gleaming Pisces, a financially motivated North Korean threat actor affiliated with the Reconnaissance General Bureau. The campaign delivered PondRAT, identified as a lighter variant of the known POOLRAT remote administration tool. Multiple malicious packages, including real-ids, coloredtxt, beautifultext, and minisound, were used to establish an evasive infection chain. The threat actor aims to compromise supply-chain vendors through developer endpoints in order to ultimately reach their customers' systems. Code analysis reveals significant similarities between PondRAT and previously attributed Gleaming Pisces malware, including identical function names, encryption keys, and execution flows. Both Linux and macOS variants were identified, demonstrating the group's expanding cross-platform capabilities targeting the cryptocurrenc...
MITRE ATT&CK & Malware Families
ATT&CK techniques: none listed in the pulse
Malware families: PondRAT, POOLRAT, kupayupdate_stage2, BADCALL (S0245), AppleJeus (S0584)
Indicators of Compromise (33)
TYPE    INDICATOR    CREATED    (the pulse's DESCRIPTION column is empty for every entry)
CVE CVE-2025-55182 2026-05-04
FileHash-MD5 05957d98a75c04597649295dc846682d 2026-05-04
FileHash-MD5 33c9a47debdb07824c6c51e13740bdfe 2026-05-04
FileHash-MD5 4c66950d791ff5d39d53ffcd0b52a64d 2026-05-04
FileHash-MD5 61d7b2c7814971e5323ec67b3a3d7f45 2026-05-04
FileHash-MD5 6f2f61783a4a59449db4ba37211fa331 2026-05-04
FileHash-MD5 b62c912de846e743effdf7e5654a7605 2026-05-04
FileHash-MD5 ce35c935dcc9d55b2c79945bac77dc8e 2026-05-04
FileHash-MD5 f50c83a4147b86cdb20cc1fbae458865 2026-05-04
FileHash-SHA1 676537b0f7707feae0130bbcbdc881f5b4eb3f03 2026-05-04
FileHash-SHA1 6f391d282a37b770abcedd08c4c0e2156076cd8e 2026-05-04
FileHash-SHA1 720e6abf3befb585164450325246fe9cb000268f 2026-05-04
FileHash-SHA1 7637ee2925c88110fc15a77c120bf70dc66e84a7 2026-05-04
FileHash-SHA1 7b6e6487b803bbe85d7466b89da51a269fa4fc29 2026-05-04
FileHash-SHA1 8027c1d1ac0fd7d40ee850119c6d4501fbe75eab 2026-05-04
FileHash-SHA1 8a030a03570134cee4659b1b1f666f6f48c27fa5 2026-05-04
FileHash-SHA1 dd5bb0609b92163d8834a37a517885ce0b512938 2026-05-04
FileHash-SHA256 0b5db31e47b0dccfdec46e74c0e70c6a1684768dbacc9eacbb4fd2ef851994c7 2026-05-04
FileHash-SHA256 3c8dbfcbb4fccbaf924f9a650a04cb4715f4a58d51ef49cc75bfcef0ac258a3e 2026-05-04
FileHash-SHA256 5c907b722c53a5be256dc5f96b755bc9e0b032cc30973a52d984d4174bace456 2026-05-04
FileHash-SHA256 5e40d106977017b1ed235419b1e59ff090e1f43ac57da1bb5d80d66ae53b1df8 2026-05-04
FileHash-SHA256 91eaf215be336eae983d069de16630cc3580e222c427f785e0da312d0692d0fd 2026-05-04
FileHash-SHA256 973f7939ea03fd2c9663dafc21bb968f56ed1b9a56b0284acf73c3ee141c053c 2026-05-04
FileHash-SHA256 bce1eb513aaac344b5b8f7a9ba9c9e36fc89926d327ee5cc095fb4a895a12f80 2026-05-04
FileHash-SHA256 bfd74b4a1b413fa785a49ca4a9c0594441a3e01983fc7f86125376fdbd4acf6b 2026-05-04
FileHash-SHA256 cbf4cfa2d3c3fb04fe349161e051a8cf9b6a29f8af0c3d93db953e5b5dc39c86 2026-05-04
FileHash-SHA256 f3b0da965a4050ab00fce727bb31e0f889a9c05d68d777a8068cfc15a71d3703 2026-05-04
URL http://rgedist.com/sfxl.php 2026-05-04
URL http://www.talesseries.com/write.php 2026-05-04
domain jdkgradle.com 2026-05-04
domain rebelthumb.net 2026-05-04
domain rgedist.com 2026-05-04
hostname www.talesseries.com 2026-05-04
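A sweep over the indicators above, as an added example written for this page rather than code taken from the pulse or from the underlying research: it hashes every regular file under a directory with MD5, SHA-1 and SHA-256 and reports matches against the file-hash IOCs in the table, and it checks the distributions installed in the running interpreter against the four package names from the description, using PEP 503 name normalization so that real_ids, Real.IDs and real-ids all compare equal. The temp directory, the constructed sample file and all function names are assumptions of the example, not artefacts from the campaign. The network indicators (URLs, domains, hostname) are not covered by this script and belong in DNS and proxy log searches.

```python
import hashlib
import os
import re
import tempfile
from importlib import metadata
from pathlib import Path

# Package names called out in the pulse description.
WATCHLIST_PACKAGES = {"real-ids", "coloredtxt", "beautifultext", "minisound"}

# File hashes copied from the pulse's IOC table.
IOC_HASHES = {
    "md5": {
        "05957d98a75c04597649295dc846682d",
        "33c9a47debdb07824c6c51e13740bdfe",
        "4c66950d791ff5d39d53ffcd0b52a64d",
        "61d7b2c7814971e5323ec67b3a3d7f45",
        "6f2f61783a4a59449db4ba37211fa331",
        "b62c912de846e743effdf7e5654a7605",
        "ce35c935dcc9d55b2c79945bac77dc8e",
        "f50c83a4147b86cdb20cc1fbae458865",
    },
    "sha1": {
        "676537b0f7707feae0130bbcbdc881f5b4eb3f03",
        "6f391d282a37b770abcedd08c4c0e2156076cd8e",
        "720e6abf3befb585164450325246fe9cb000268f",
        "7637ee2925c88110fc15a77c120bf70dc66e84a7",
        "7b6e6487b803bbe85d7466b89da51a269fa4fc29",
        "8027c1d1ac0fd7d40ee850119c6d4501fbe75eab",
        "8a030a03570134cee4659b1b1f666f6f48c27fa5",
        "dd5bb0609b92163d8834a37a517885ce0b512938",
    },
    "sha256": {
        "0b5db31e47b0dccfdec46e74c0e70c6a1684768dbacc9eacbb4fd2ef851994c7",
        "3c8dbfcbb4fccbaf924f9a650a04cb4715f4a58d51ef49cc75bfcef0ac258a3e",
        "5c907b722c53a5be256dc5f96b755bc9e0b032cc30973a52d984d4174bace456",
        "5e40d106977017b1ed235419b1e59ff090e1f43ac57da1bb5d80d66ae53b1df8",
        "91eaf215be336eae983d069de16630cc3580e222c427f785e0da312d0692d0fd",
        "973f7939ea03fd2c9663dafc21bb968f56ed1b9a56b0284acf73c3ee141c053c",
        "bce1eb513aaac344b5b8f7a9ba9c9e36fc89926d327ee5cc095fb4a895a12f80",
        "bfd74b4a1b413fa785a49ca4a9c0594441a3e01983fc7f86125376fdbd4acf6b",
        "cbf4cfa2d3c3fb04fe349161e051a8cf9b6a29f8af0c3d93db953e5b5dc39c86",
        "f3b0da965a4050ab00fce727bb31e0f889a9c05d68d777a8068cfc15a71d3703",
    },
}


def digest_file(path, chunk_size=1 << 20):
    """Stream a file once and return its md5/sha1/sha256 hex digests.
    usedforsecurity=False keeps MD5 and SHA-1 usable under FIPS policies."""
    hashers = {n: hashlib.new(n, usedforsecurity=False) for n in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {n: h.hexdigest() for n, h in hashers.items()}


def sweep_tree(root, iocs=IOC_HASHES):
    """Return [(path, algorithm, digest)] for regular files whose hash is an IOC."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            try:
                digests = digest_file(p)
            except OSError:
                continue  # unreadable file; keep sweeping
            for algo, value in digests.items():
                if value in iocs.get(algo, ()):
                    hits.append((str(p), algo, value))
    return hits


def normalize(name):
    """PEP 503 project-name normalization: runs of - _ . collapse to -, lower-cased."""
    return re.sub(r"[-_.]+", "-", name).lower()


def flagged_packages(installed_names, watchlist=WATCHLIST_PACKAGES):
    """Return the installed distribution names that match the watchlist."""
    wanted = {normalize(n) for n in watchlist}
    return sorted(n for n in installed_names if normalize(n) in wanted)


def installed_distribution_names():
    # Distributions visible to this interpreter, i.e. the environment being checked.
    return [d.metadata.get("Name") for d in metadata.distributions() if d.metadata.get("Name")]


def make_sample_tree(content=b"abc"):
    """Write one constructed file into a fresh temp dir so the sweep can run offline."""
    root = tempfile.mkdtemp(prefix="iocsweep-")
    sample = os.path.join(root, "sample.bin")
    with open(sample, "wb") as fh:
        fh.write(content)
    return root, sample


if __name__ == "__main__":
    import sys
    for hit in sweep_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("HASH MATCH", *hit)
    for pkg in flagged_packages(installed_distribution_names()):
        print("WATCHLIST PACKAGE INSTALLED", pkg)
```

Run it with the interpreter of the virtualenv or user site you want to inspect (the package check only sees that interpreter's distributions) and point the first argument at site-packages, pip's cache or a developer's home directory. A hash match is exact-sample evidence only: a rebuilt PondRAT binary will not hit, so treat an installed watchlist package or any outbound traffic to the listed domains as the stronger signal.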