A new wave of cyberattacks linked to North Korean threat actors is taking aim at software developers by embedding malicious code in Python packages. The malware, named PondRAT, is part of an ongoing operation that continues to exploit unsuspecting users.
According to fresh reports from Palo Alto Networks Unit 42, PondRAT is identified as a streamlined variant of POOLRAT (also known as SIMPLESEA), a macOS backdoor previously attributed to the infamous Lazarus Group. POOLRAT was notably involved in last year’s 3CX supply chain compromise.
These malicious activities appear connected to a long-running campaign known as Operation Dream Job, in which hackers entice victims with seemingly legitimate job offers, coaxing them into downloading malware.
“In this campaign, the attackers uploaded several compromised Python packages to PyPI, a widely-used repository for open-source Python projects,” noted Unit 42 researcher Yoav Zemah. He tied the malicious actions to a threat actor identified as Gleaming Pisces, with moderate confidence.
This particular adversary, also known by names such as Citrine Sleet, Labyrinth Chollima, Nickel Academy, and UNC4736, represents a sub-group within the Lazarus Group. They have previously distributed the AppleJeus malware in similar attacks.
The ultimate goal? To gain access to developers’ systems and leverage that access to infiltrate the networks of their clients and partners—essentially turning trusted software developers into unwitting agents of compromise.
The malicious packages, since removed from PyPI, were:
- real-ids (893 downloads)
- coloredtxt (381 downloads)
- beautifultext (736 downloads)
- minisound (416 downloads)
The infection process is relatively straightforward. Once developers download and install these packages, the malware executes an encoded payload that fetches Linux and macOS versions of the RAT (Remote Access Trojan) malware from a remote server.
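As an added defensive example (not code from the report or from Unit 42), the script below does two checks a maintainer can run before or after an install: it flags the four package names above in a requirements file, after PEP 503 name normalisation, and it walks a setup.py or __init__.py AST for exec()/eval() calls fed by a decoder, which is the shape of the encoded install-time stage just described. The sample inputs are constructed.

```python
"""Defensive checks for the PyPI pattern described above: reported package
names in a requirements file, and install-time exec()/eval() of decoded data."""
import ast
import re

# Package names reported by Unit 42 (already removed from PyPI).
MALICIOUS_PACKAGES = {"real-ids", "coloredtxt", "beautifultext", "minisound"}
# Method names that turn an encoded blob back into bytes or code objects.
DECODERS = {"b64decode", "b32decode", "a85decode", "decompress", "loads"}


def normalize(name: str) -> str:
    """PEP 503 name normalisation, so 'Real_IDs' matches 'real-ids'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def find_known_malicious(requirements_text: str) -> list[str]:
    """Return requirement lines whose project name is on the blocklist."""
    hits = []
    for line in requirements_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        # The project name ends at the first version, extras or marker character.
        name = re.split(r"[\s\[<>=!~;@]", line, maxsplit=1)[0]
        if normalize(name) in MALICIOUS_PACKAGES:
            hits.append(line)
    return hits


def find_encoded_exec(source: str) -> list[int]:
    """Line numbers of exec()/eval() calls whose argument passes through a
    decoder such as base64.b64decode, zlib.decompress or marshal.loads."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in {"exec", "eval"} and node.args):
            continue
        if any(isinstance(c, ast.Call) and isinstance(c.func, ast.Attribute)
               and c.func.attr in DECODERS for c in ast.walk(node.args[0])):
            findings.append(node.lineno)
    return findings


# Constructed sample inputs (not artefacts from the campaign); the encoded
# string is just base64 of a harmless print call.
SAMPLE_REQUIREMENTS = "requests>=2.0\nReal_IDs>=1.0  # normalises to real-ids\nnumpy\n"
SAMPLE_SETUP = ("import base64\nfrom setuptools import setup\n"
                "exec(base64.b64decode('cHJpbnQoJ2hpJyk='))\nsetup(name='demo')\n")

if __name__ == "__main__":
    print(find_known_malicious(SAMPLE_REQUIREMENTS), find_encoded_exec(SAMPLE_SETUP))  # ['Real_IDs>=1.0'] [3]
```

Run it against a project's requirements file and the setup.py of any unreviewed dependency; a hit on the second check is a reason to read the package source before installing, not proof of compromise on its own.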
Further dissection of PondRAT shows notable parallels to POOLRAT and AppleJeus, and attackers have also been observed distributing new Linux variants of POOLRAT.
“The Linux and macOS versions of POOLRAT utilize an almost identical method for loading their configurations, sharing similar function names and functionality,” Zemah explained. “Both variants have near-identical strings and methods for executing commands received from the command-and-control (C2) server.”
PondRAT, being a slimmer iteration of POOLRAT, retains essential capabilities such as file upload/download, the ability to pause operations for defined time intervals, and the execution of arbitrary commands.
“The appearance of additional Linux versions of POOLRAT shows that Gleaming Pisces has been advancing its reach across both Linux and macOS ecosystems,” Unit 42 remarked.
The risk posed by these seemingly legitimate Python packages is significant: installing one of these malicious third-party libraries can seed a malware infection that spreads well beyond the developer's machine and undermines the security of an entire network.
This disclosure also coincides with another alarming development. KnowBe4—a cybersecurity company—was reportedly deceived into hiring a North Korean threat actor as an employee. The firm noted that over a dozen organizations either employed North Korean agents or were swamped by fraudulent job applications, as North Korean operatives sought to embed themselves in global companies.
CrowdStrike, a prominent cybersecurity firm, tracks this activity under the label Famous Chollima, describing it as a nation-state operation of an industrial scale. The firm warns that companies with remote workforces are at heightened risk from such operations, which are both sophisticated and deeply embedded.