Gleaming Pisces

Threat Actor updated a month ago (2024-10-17T13:04:15.428Z)

Download STIX

Preview STIX

Gleaming Pisces, also known as Citrine Sleet, is a threat actor group linked to North Korea that has been active since at least 2018. This group is known for its sophisticated attacks against the cryptocurrency industry and has shown an affinity for targeting MacOS and Linux systems, forgoing the traditional hacker preference for Windows. Gleaming Pisces has previously distributed the MacOS remote administration tool POOLRAT (also known as SIMPLESEA), which boasts standard capabilities such as listing directories and deleting files. The group's typical audience appears to be users of these non-Windows operating systems. Recently, researchers have discovered a new malware called PondRAT being distributed by Gleaming Pisces through tainted Python packages. Further analysis revealed that PondRAT shares significant characteristics with POOLRAT, another known MacOS RAT in the arsenal of Gleaming Pisces. In addition, PondRAT bears notable similarities to the MacOS malware used in the previous AppleJeus campaign attributed to Gleaming Pisces. This suggests a continued evolution and refinement of the group's malicious software tools, demonstrating their ongoing threat potential. The discovery of additional Linux variants of POOLRAT indicates that Gleaming Pisces is enhancing its capabilities across both Linux and MacOS platforms. This conclusion is supported by the fact that the malware authors wrote it specifically for MacOS and Linux systems, further underscoring the group's shift away from Windows. As Gleaming Pisces continues to expand its reach and improve its malware arsenal, it remains a significant cybersecurity threat, particularly for entities in the cryptocurrency industry.

Description last updated: 2024-10-17T12:19:00.942Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Citrine Sleet is a possible alias for Gleaming Pisces. Citrine Sleet, also known as Gleaming Pisces, is a financially motivated threat actor associated with North Korea that has been active since at least 2018. The group is renowned for distributing the AppleJeus malware, targeting cryptocurrency traders. They have previously been linked to various cybe	3
AppleJeus is a possible alias for Gleaming Pisces. AppleJeus is a malware attributed with medium confidence to the North Korea-linked APT group "Gleaming Pisces," also known as Citrine Sleet, by researchers at Palo Alto's Unit 42. The group has been notorious for distributing versions of AppleJeus malware disguised as legitimate cryptocurrency tradi	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Linux

Macos

Python

Tool

Backdoor

Apt

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Poolrat Malware is associated with Gleaming Pisces. POOLRAT is a malicious software (malware) first reported by the Cybersecurity and Infrastructure Security Agency (CISA) in 2021. It primarily targets macOS and Linux systems, functioning as a backdoor to gain unauthorized access. The malware was initially identified as a file named 'prtspool', suspe	has used	3
The Pondrat Malware is associated with Gleaming Pisces. PondRAT is a type of malware, specifically a Remote Access Trojan (RAT) variant, that targets Linux and macOS systems. It was first identified in 2021 as part of a cryptocurrency-themed Kupay Wallet macOS malware package during an AppleJeus campaign, according to a report by the Cybersecurity & Infr	has used	2

Source Document References

Information about the Gleaming Pisces Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Unit42	2 months ago	Threat Assessment: North Korean Threat Groups
Securityaffairs	2 months ago	Security Affairs newsletter Round 491 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	2 months ago	North Korea-linked APT Gleaming Pisces deliver new PondRAT backdoor via malicious Python packages
DARKReading	2 months ago	Citrine Sleet Poisons PyPI Packages With Mac & Linux Malware
Unit42	2 months ago	Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and MacOS Backdoors