Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and MacOS Backdoors
Sept. 19, 2024, 8:01 a.m.
Description
Unit 42 researchers have uncovered an ongoing campaign in which poisoned Python packages uploaded to PyPI deliver Linux and macOS backdoors. The attackers are assessed to be the North Korean-affiliated group Gleaming Pisces. The campaign's objective appears to be gaining access to supply chain vendors and, through them, their customers. The backdoor, named PondRAT, resembles POOLRAT, a known tool in Gleaming Pisces' arsenal. The infection chain runs through several stages of encoded code execution that ultimately download and run the RAT. Shared code structure, function names, and encryption keys between PondRAT and previously attributed malware strengthen the attribution to Gleaming Pisces. The research also identified Linux variants of POOLRAT, expanding the group's known cross-platform capabilities.
Date
- Created: Sept. 19, 2024, 7:33 a.m.
- Published: Sept. 19, 2024, 7:33 a.m.
- Modified: Sept. 19, 2024, 8:01 a.m.
Indicators
- sha256: f3b0da965a4050ab00fce727bb31e0f889a9c05d68d777a8068cfc15a71d3703
- sha256: cbf4cfa2d3c3fb04fe349161e051a8cf9b6a29f8af0c3d93db953e5b5dc39c86
- sha256: bfd74b4a1b413fa785a49ca4a9c0594441a3e01983fc7f86125376fdbd4acf6b
- sha256: bce1eb513aaac344b5b8f7a9ba9c9e36fc89926d327ee5cc095fb4a895a12f80
- sha256: 91eaf215be336eae983d069de16630cc3580e222c427f785e0da312d0692d0fd
- sha256: 5e40d106977017b1ed235419b1e59ff090e1f43ac57da1bb5d80d66ae53b1df8
- sha256: 5c907b722c53a5be256dc5f96b755bc9e0b032cc30973a52d984d4174bace456
- sha256: 3c8dbfcbb4fccbaf924f9a650a04cb4715f4a58d51ef49cc75bfcef0ac258a3e
- sha256: 0b5db31e47b0dccfdec46e74c0e70c6a1684768dbacc9eacbb4fd2ef851994c7
- sha256: 973f7939ea03fd2c9663dafc21bb968f56ed1b9a56b0284acf73c3ee141c053c
- url: http://www.talesseries.com/write.php
- url: http://rgedist.com/sfxl.php
- domain: www.talesseries.com
- domain: rgedist.com
- domain: rebelthumb.net
- domain: jdkgradle.com
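The indicator list above is only useful once it is run against something. The following script is an added example, not Unit 42 tooling: it carries the page's file hashes, domains and URLs as sets, hashes files under given roots (for instance a site-packages directory or the pip cache) against the SHA256 list, and matches DNS/proxy log lines against the network indicators, treating a subdomain of a listed domain as a hit. The log lines in SAMPLE_LOG_LINES are constructed for the demonstration and do not come from a real incident.

```python
"""IOC sweep for the PondRAT indicators listed on this page.

Added example, not Unit 42 tooling: the hash, domain and URL values are the
page's own indicators; the lines in SAMPLE_LOG_LINES are constructed samples.
"""
import hashlib
import re
import sys
from pathlib import Path
from typing import Iterable, List, Optional, Set, Tuple

# SHA256 file hashes listed under Indicators.
IOC_SHA256 = {
    "f3b0da965a4050ab00fce727bb31e0f889a9c05d68d777a8068cfc15a71d3703",
    "cbf4cfa2d3c3fb04fe349161e051a8cf9b6a29f8af0c3d93db953e5b5dc39c86",
    "bfd74b4a1b413fa785a49ca4a9c0594441a3e01983fc7f86125376fdbd4acf6b",
    "bce1eb513aaac344b5b8f7a9ba9c9e36fc89926d327ee5cc095fb4a895a12f80",
    "91eaf215be336eae983d069de16630cc3580e222c427f785e0da312d0692d0fd",
    "5e40d106977017b1ed235419b1e59ff090e1f43ac57da1bb5d80d66ae53b1df8",
    "5c907b722c53a5be256dc5f96b755bc9e0b032cc30973a52d984d4174bace456",
    "3c8dbfcbb4fccbaf924f9a650a04cb4715f4a58d51ef49cc75bfcef0ac258a3e",
    "0b5db31e47b0dccfdec46e74c0e70c6a1684768dbacc9eacbb4fd2ef851994c7",
    "973f7939ea03fd2c9663dafc21bb968f56ed1b9a56b0284acf73c3ee141c053c",
}
# Network indicators listed under Indicators.
IOC_DOMAINS = {"www.talesseries.com", "rgedist.com", "rebelthumb.net", "jdkgradle.com"}
IOC_URLS = {"http://www.talesseries.com/write.php", "http://rgedist.com/sfxl.php"}

# Dotted hostname-like tokens in a lowercased line. This also picks up IPs and
# things like "sfxl.php"; those simply never match the IOC domain set.
HOST_RE = re.compile(r"\b[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+\b")

# Constructed DNS/proxy log lines (not real telemetry) used to exercise the matcher.
SAMPLE_LOG_LINES = [
    "2024-09-19T08:01:02Z dns query A www.talesseries.com from 10.0.0.5",
    "2024-09-19T08:01:03Z proxy GET http://rgedist.com/sfxl.php 200 python-requests/2.31",
    "2024-09-19T08:01:04Z dns query A files.pythonhosted.org from 10.0.0.5",
    "2024-09-19T08:01:05Z dns query A cdn.rebelthumb.net from 10.0.0.7",
]


def check_hashes(digests: Iterable[str]) -> Set[str]:
    """Intersect externally collected SHA256 values (e.g. an EDR export) with the IOC set."""
    return {d.strip().lower() for d in digests} & IOC_SHA256


def sha256_file(path: Path) -> str:
    """Stream a file through SHA256 so large artefacts do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_files(paths: Iterable[Path]) -> List[Tuple[str, str]]:
    """Hash every regular file under the given roots; return (path, sha256) for IOC matches."""
    hits: List[Tuple[str, str]] = []
    for root in paths:
        candidates = root.rglob("*") if root.is_dir() else [root]
        for p in candidates:
            if p.is_file():
                digest = sha256_file(p)
                if digest in IOC_SHA256:
                    hits.append((str(p), digest))
    return hits


def domain_hit(host: str) -> Optional[str]:
    """Return the listed domain that `host` equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan_log_lines(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, kind, indicator) for every listed URL or domain seen in a line."""
    hits: List[Tuple[int, str, str]] = []
    for n, line in enumerate(lines, 1):
        low = line.lower()
        for url in IOC_URLS:
            if url in low:
                hits.append((n, "url", url))
        seen: Set[str] = set()
        for host in HOST_RE.findall(low):
            ioc = domain_hit(host)
            if ioc and ioc not in seen:
                seen.add(ioc)
                hits.append((n, "domain", ioc))
    return hits


if __name__ == "__main__":
    # Demo on the constructed lines, then hash any paths given on the command line.
    for hit in scan_log_lines(SAMPLE_LOG_LINES):
        print("log line %d: %s %s" % hit)
    for path, digest in scan_files(Path(p) for p in sys.argv[1:]):
        print(f"file hash match: {path} {digest}")
```

Run it with the directories to sweep as arguments (for example a virtualenv's site-packages and ~/.cache/pip) and feed real log lines to scan_log_lines in place of the constructed ones. The subdomain matching is a deliberate widening: only the hosts listed on the page are confirmed, so a hit on an unlisted subdomain is a lead to review rather than a confirmed infection, while a SHA256 match is as strong as the list itself.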
Additional Information
- Technology
- Finance