Pisces

Language updated a month ago (2024-09-24T08:21:21.352Z)
Pisces is a sophisticated malware attributed to the North Korean Advanced Persistent Threat (APT) group, Gleaming Pisces. This malicious software has been linked to multiple cyber-espionage campaigns and is known for its capability to exploit and damage computer systems across various platforms. Pisces can infect systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold data hostage for ransom. The malware has evolved over time, with evidence of additional Linux variants of a related malware, POOLRAT, indicating that Gleaming Pisces has been enhancing its capabilities across both Linux and macOS platforms.

The connection between Pisces and other malware such as PondRAT and POOLRAT has been established through extensive research and analysis. Investigations have revealed that PondRAT shares code similarities with POOLRAT, another malware previously attributed to Gleaming Pisces. Moreover, an examination of the Linux variant of PondRAT, dropped as the final payload in one of the campaigns, showed significant similarities to other malware attributed to Gleaming Pisces, including kupayupdate_stage2. These findings further strengthen the attribution of these campaigns to Gleaming Pisces.

The 27th Colloquium featured the 2023 Conference on Cybersecurity Education, Research and Practice (CCERP), where the 5th Annual PISCES academic workshop was held. During this event, discussions included comparisons of PondRAT to previous Gleaming Pisces attributed malware and the poisoned Python packages campaign tied to the Gleaming Pisces APT group. Additionally, ESET identified similarities between POOLRAT and a backdoor called BADCALL for Linux, also attributed to Gleaming Pisces. This ongoing research and analysis continue to shed light on the evolving threat landscape posed by the Gleaming Pisces APT group and their associated malware.
Description last updated: 2024-09-19T02:16:25.553Z
Aliases: We are not currently tracking any aliases.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance