Gleaming Pisces

Threat Actor updated 17 days ago (2024-10-17T13:04:15.428Z)
Download STIX
Preview STIX
Gleaming Pisces, also known as Citrine Sleet, is a threat actor group linked to North Korea that has been active since at least 2018. This group is known for its sophisticated attacks against the cryptocurrency industry and has shown an affinity for targeting MacOS and Linux systems, forgoing the traditional hacker preference for Windows. Gleaming Pisces has previously distributed the MacOS remote administration tool POOLRAT (also known as SIMPLESEA), which boasts standard capabilities such as listing directories and deleting files. The group's typical audience appears to be users of these non-Windows operating systems. Recently, researchers have discovered a new malware called PondRAT being distributed by Gleaming Pisces through tainted Python packages. Further analysis revealed that PondRAT shares significant characteristics with POOLRAT, another known MacOS RAT in the arsenal of Gleaming Pisces. In addition, PondRAT bears notable similarities to the MacOS malware used in the previous AppleJeus campaign attributed to Gleaming Pisces. This suggests a continued evolution and refinement of the group's malicious software tools, demonstrating their ongoing threat potential. The discovery of additional Linux variants of POOLRAT indicates that Gleaming Pisces is enhancing its capabilities across both Linux and MacOS platforms. This conclusion is supported by the fact that the malware authors wrote it specifically for MacOS and Linux systems, further underscoring the group's shift away from Windows. As Gleaming Pisces continues to expand its reach and improve its malware arsenal, it remains a significant cybersecurity threat, particularly for entities in the cryptocurrency industry.
Description last updated: 2024-10-17T12:19:00.942Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Citrine Sleet is a possible alias for Gleaming Pisces. Citrine Sleet, also known as Gleaming Pisces, is a financially motivated threat actor associated with North Korea that has been active since at least 2018. The group is renowned for distributing the AppleJeus malware, targeting cryptocurrency traders. They have previously been linked to various cybe
3
AppleJeus is a possible alias for Gleaming Pisces. AppleJeus is a malware attributed with medium confidence to the North Korea-linked APT group "Gleaming Pisces," also known as Citrine Sleet, by researchers at Palo Alto's Unit 42. The group has been notorious for distributing versions of AppleJeus malware disguised as legitimate cryptocurrency tradi
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Linux
Macos
Python
Tool
Backdoor
Apt
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Poolrat Malware is associated with Gleaming Pisces. POOLRAT is a malicious software (malware) first reported by the Cybersecurity and Infrastructure Security Agency (CISA) in 2021. It primarily targets macOS and Linux systems, functioning as a backdoor to gain unauthorized access. The malware was initially identified as a file named 'prtspool', suspehas used
3
The Pondrat Malware is associated with Gleaming Pisces. PondRAT is a type of malware, specifically a Remote Access Trojan (RAT) variant, that targets Linux and macOS systems. It was first identified in 2021 as part of a cryptocurrency-themed Kupay Wallet macOS malware package during an AppleJeus campaign, according to a report by the Cybersecurity & Infrhas used
2
Source Document References
Information about the Gleaming Pisces Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more