Jumpy Pisces

Malware updated 23 days ago (2024-11-29T14:51:04.633Z)
Jumpy Pisces, a North Korean state-sponsored malware group, has been identified as a key player in an unprecedented collaboration with an underground ransomware network. This marks a significant development in the cybersecurity landscape, as it is the first recorded instance of such cooperation between Jumpy Pisces and a ransomware network, specifically Play Ransomware. The extent of this partnership remains unclear; it is unknown whether Jumpy Pisces has officially become an affiliate for Play ransomware or whether they acted independently as an Initial Access Broker (IAB) selling network access to Play ransomware actors. If Play ransomware does not provide a Ransomware-as-a-Service (RaaS) ecosystem as claimed, it is likely that Jumpy Pisces functioned solely as an IAB.

The intrusion event began in May 2024 when Jumpy Pisces gained initial access through a compromised user account. Subsequently, the same account was used to spread the Jumpy Pisces-linked toolset, including Sliver and DTrack, prior to the deployment of ransomware. Lateral movement and persistence were maintained by spreading these tools to other hosts via the Server Message Block (SMB) protocol. The IP address and corresponding domain associated with this activity have both been linked to Jumpy Pisces, further solidifying their involvement in the incident.

Our assessment, based on the evidence gathered, suggests with moderate confidence a degree of collaboration between Jumpy Pisces and Play Ransomware. This conclusion is drawn from the shared use of the compromised account, the distribution of Jumpy Pisces' unique malware, and the connection of known malicious IP addresses and domains to the group. This incident underscores the evolving threat posed by state-sponsored cyber groups and their potential alliances with criminal ransomware networks, necessitating vigilance and robust security measures.
Description last updated: 2024-10-30T16:02:16.925Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias: Andariel (2 votes)
Andariel is a possible alias for Jumpy Pisces. Andariel, a threat actor controlled by North Korea's military intelligence agency, the Reconnaissance General Bureau, has been actively conducting cyber espionage and ransomware operations. The group funds its activities through ransomware attacks primarily targeting U.S. healthcare entities. In som

Alias: Reconnaissance General Bureau (2 votes)
Reconnaissance General Bureau is a possible alias for Jumpy Pisces. The Reconnaissance General Bureau (RGB) is a North Korean intelligence agency known for its clandestine operations abroad. Its cyber activities, believed to be coordinated by the secretive organization, have been linked to various threat actors since at least 2014. Notable entities include the Beagl
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Analyst Notes & Discussion
Associated Vulnerabilities
Vulnerability: The Jumpy Vulnerability (association type: Unspecified; 2 votes)
The Jumpy Vulnerability is associated with Jumpy Pisces. Jumpy Pisces, a North Korean state-sponsored group, has been linked to a significant cybersecurity incident involving the Play ransomware group, also known as Fiddling Scorpius. This marks the first recorded collaboration between these two entities, raising concerns about an evolving threat landscap
Source Document References
Information about the Jumpy Pisces malware was read from the document corpus below. This display is limited to 20 results.

Source / Created
DARKReading, 2 months ago
Unit42, 2 months ago
Unit42, 3 months ago