Jumpy

False Positive updated 4 months ago (2025-02-19T22:31:38.481Z)
Jumpy Pisces, a North Korean state-sponsored group, has been linked to an incident that ended in the deployment of Play ransomware (the group behind Play is also tracked as Fiddling Scorpius). This is the first recorded collaboration between the two entities, and it raises concerns about an evolving threat landscape.

The assessment of this collaboration rests on several factors: the same compromised user account was used both for initial access and to spread the Jumpy Pisces-linked toolset (the open-source Sliver implant and the group's custom malware, DTrack) across the network before the ransomware was deployed; the files used in the attack impersonated ones created by legitimate entities and were signed with certificates previously linked to Jumpy Pisces; and both the IP address and the corresponding domain involved in the attack have been linked to Jumpy Pisces.

In early September, an unidentified threat actor entered the network through the same compromised user account Jumpy Pisces had used. The actor carried out lateral movement and maintained persistence by copying Sliver and DTrack to other hosts over the Server Message Block (SMB) protocol, after which Play ransomware was deployed.

It remains unclear whether Jumpy Pisces has officially become an affiliate of Play ransomware or acted independently by selling network access to Play ransomware actors. If Play, as it claims, does not operate a Ransomware-as-a-Service (RaaS) ecosystem, Jumpy Pisces may only have acted as an initial access broker (IAB). Despite these uncertainties, there is moderate confidence that Jumpy Pisces, or a faction of the group, is now collaborating with the Play ransomware group.
Description last updated: 2024-10-30T16:02:40.165Z
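As an added example (editor's code, not from the original page, from Unit 42, or from either threat group), the following Python heuristic flags the lateral-movement pattern described above: one account writing executable payloads to administrative shares on several hosts within a short window. The event records are constructed for the example and only loosely follow the fields of Windows Security event 5145 (network share object accessed); the field names, the `WriteData` access label, the share list and the thresholds are assumptions to be tuned for a real environment.

```python
"""Heuristic for SMB-based tool spreading: one account writing payload files to
administrative shares on many hosts in a short window.

Example code added by the editor; not from the page, Unit 42, or the actors
discussed. Field names below are assumptions loosely modelled on Windows
Security event 5145, not a real log schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions: which shares count as administrative, which file types count
# as payloads, and how the decoded access right is labelled in the log source.
ADMIN_SHARES = {"ADMIN$", "C$"}
PAYLOAD_EXTENSIONS = (".exe", ".dll")
WRITE_ACCESS = "WriteData"

# Constructed sample events (not real telemetry). One service account writes
# the same binary to four hosts in under 20 minutes; other lines are noise.
SAMPLE_EVENTS = [
    {"ts": "2024-09-02T01:10:05", "account": "svc_backup", "src_ip": "10.0.5.21",
     "host": "FS01", "share": "ADMIN$", "target": "svchost.exe", "access": "WriteData"},
    {"ts": "2024-09-02T01:12:40", "account": "svc_backup", "src_ip": "10.0.5.21",
     "host": "WS07", "share": "ADMIN$", "target": "svchost.exe", "access": "WriteData"},
    {"ts": "2024-09-02T01:13:10", "account": "jdoe", "src_ip": "10.0.8.4",
     "host": "WS07", "share": "Public", "target": "quarterly.docx", "access": "WriteData"},
    {"ts": "2024-09-02T01:18:22", "account": "svc_backup", "src_ip": "10.0.5.21",
     "host": "WS12", "share": "C$", "target": "Windows\\Temp\\update.dll", "access": "WriteData"},
    {"ts": "2024-09-02T01:20:00", "account": "backup_ops", "src_ip": "10.0.8.9",
     "host": "FS01", "share": "ADMIN$", "target": "svchost.exe", "access": "ReadData"},
    {"ts": "2024-09-02T01:27:45", "account": "svc_backup", "src_ip": "10.0.5.21",
     "host": "DC01", "share": "ADMIN$", "target": "svchost.exe", "access": "WriteData"},
    {"ts": "2024-09-02T01:31:00", "account": "jdoe", "src_ip": "10.0.8.4",
     "host": "WS03", "share": "ADMIN$", "target": "tool.exe", "access": "WriteData"},
]


def parse_ts(value):
    """Parse the ISO-8601 timestamp used in the constructed records."""
    return datetime.fromisoformat(value)


def is_payload_write(event):
    """True for a write of an executable-type file into an administrative share."""
    return (
        event["share"].upper() in ADMIN_SHARES
        and event["access"] == WRITE_ACCESS
        and event["target"].lower().endswith(PAYLOAD_EXTENSIONS)
    )


def find_smb_spreaders(events, min_hosts=3, window=timedelta(minutes=30)):
    """Return {account: sorted hosts} for every account that wrote payload files
    to admin shares on at least `min_hosts` distinct hosts within `window`.

    A single write to one host (normal admin activity) never triggers; the
    signal is the fan-out of one account across many hosts in a short time.
    """
    writes = defaultdict(list)  # account -> [(timestamp, host)]
    for event in events:
        if is_payload_write(event):
            writes[event["account"]].append((parse_ts(event["ts"]), event["host"].upper()))

    hits = {}
    for account, items in writes.items():
        items.sort()
        # Slide a window over the time-ordered writes; the first window that
        # reaches the host threshold is enough to report the account.
        for i, (start, _) in enumerate(items):
            hosts = {host for ts, host in items[i:] if ts - start <= window}
            if len(hosts) >= min_hosts:
                hits[account] = sorted(hosts)
                break
    return hits


if __name__ == "__main__":
    for account, hosts in find_smb_spreaders(SAMPLE_EVENTS).items():
        print(f"{account}: payload writes to admin shares on {', '.join(hosts)}")
```

The thresholds (three hosts in thirty minutes) are deliberately loose; in practice they should be set against a baseline of legitimate software-deployment accounts, which produce the same fan-out and need to be allow-listed rather than alerted on.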
Aliases: We are not currently tracking any aliases
Source Document References
Information about the Jumpy False Positive was read from the documents listed below.
Source                 Created
InfoSecurity-magazine  8 months ago
Unit42                 8 months ago