Mallory
North Korea · 30 malware families

TraderTraitor

Also known as: Jade Sleet, Slow Pisces, TraderTraitor, UNC4899

TraderTraitor is a North Korean state-sponsored threat actor focused primarily on generating revenue for the DPRK regime by targeting the cryptocurrency and decentralized finance sector. The group is also tracked as Jade Sleet, Slow Pisces, UNC4899, and PUKCHONG, and multiple sources in the underlying reporting describe it as a subgroup or subset of the Lazarus Group. Reported targeting includes cryptocurrency exchanges, DeFi platforms, virtual asset service providers, and cryptocurrency developers. Reporting describes TraderTraitor as using social engineering extensively, including fake recruiter personas and approaches over LinkedIn and Telegram, as well as malicious coding challenges and trojanized GitHub repositories aimed at developers. Observed malware delivery and execution techniques include malicious npm and PyPI packages, unsafe PyYAML deserialization in Python projects, and JavaScript execution abuse through EJS rendering. Associated payloads and tooling include RN Loader, RN Stealer, and post-compromise malware used to steal credentials, cloud configuration, SSH keys, macOS keychains, browser data, and environment variables. The group is also described as using selective payload delivery, anti-analysis checks, memory-resident tooling, and operational patience. The actor is linked to major cryptocurrency theft operations: the FBI attributed the February 2025 theft of approximately $1.5 billion in virtual assets from Bybit to TraderTraitor, and multiple reports also attribute the April 2026 KelpDAO / LayerZero exploit, valued at roughly $292 million, to TraderTraitor / UNC4899 with high confidence, describing compromise of infrastructure involved in cross-chain verification and subsequent laundering through services including THORChain, Wasabi, Tornado Cash, and Umbra.
Reporting also references TraderTraitor in connection with Safe{Wallet} compromise activity and broader DPRK supply-chain and infrastructure clusters, including overlaps or pivots to AppleJeus-related infrastructure. The group is described as laundering stolen assets across thousands of blockchain addresses and converting funds across chains and asset types. The FBI specifically called on RPC node operators, exchanges, bridges, blockchain analytics firms, DeFi services, and other virtual asset service providers to block transactions involving TraderTraitor-linked laundering addresses.
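
As an added defensive example (not code from the Mallory profile or from any cited report), the following script uses Python's standard-library ast module to audit a project's source for the unsafe PyYAML deserialization pattern described above: yaml.load() without a safe Loader, or the explicitly unsafe convenience loaders. The SAMPLE source it scans is constructed here; the set of loaders treated as safe is an assumption of this example.

```python
import ast

# Loader classes that do not construct arbitrary Python objects (assumed policy).
SAFE_LOADERS = {"SafeLoader", "CSafeLoader"}
# Convenience functions whose loaders can instantiate arbitrary Python objects.
UNSAFE_FUNCS = {"unsafe_load", "unsafe_load_all", "full_load", "full_load_all"}


def _loader_name(node):
    """Simple name of a Loader expression: yaml.SafeLoader -> 'SafeLoader', SafeLoader -> 'SafeLoader'."""
    if isinstance(node, ast.Attribute):
        return node.attr
    return node.id if isinstance(node, ast.Name) else None


def find_unsafe_yaml_loads(source, filename="<constructed>"):
    """Return sorted (line, message) pairs for yaml.* calls that may deserialize arbitrary objects."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call) or not isinstance(node.func, ast.Attribute):
            continue
        func = node.func
        if not (isinstance(func.value, ast.Name) and func.value.id == "yaml"):
            continue
        if func.attr in UNSAFE_FUNCS:
            findings.append((node.lineno, f"yaml.{func.attr}() can instantiate arbitrary objects"))
        elif func.attr in ("load", "load_all"):
            # The Loader may be passed positionally (second argument) or as Loader=...
            loader = node.args[1] if len(node.args) > 1 else None
            for kw in node.keywords:
                if kw.arg == "Loader":
                    loader = kw.value
            if loader is None:
                # Older PyYAML releases defaulted to the unsafe Loader here; newer ones warn or raise.
                findings.append((node.lineno, f"yaml.{func.attr}() without an explicit Loader"))
            elif _loader_name(loader) not in SAFE_LOADERS:
                findings.append((node.lineno, f"yaml.{func.attr}() with non-safe Loader {_loader_name(loader)}"))
    return sorted(findings)


# Constructed sample project file; reported line numbers refer to this string (line 1 = import).
SAMPLE = """\
import yaml
cfg = yaml.load(open("config.yml"))
cfg = yaml.load(data, Loader=yaml.SafeLoader)
cfg = yaml.safe_load(data)
cfg = yaml.load(data, Loader=yaml.Loader)
cfg = yaml.unsafe_load(data)
"""

if __name__ == "__main__":
    for line, msg in find_unsafe_yaml_loads(SAMPLE):
        print(f"{line}: {msg}")
```

Run over a real tree by reading each .py file and passing its text to find_unsafe_yaml_loads(); a hit on an untrusted input path (a user-supplied config, a coding-challenge repository) is the condition the reporting above describes.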


OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Software & Services
MITRE ATT&CK

Tradecraft

59 distinct techniques observed across reporting, grouped by tactic, with MITRE's identifier and name for each.

14 of 15 tactics, 72 technique entries. ×N = number of intelligence reports citing this technique.
TA0043 Reconnaissance (1 technique)
  • T1589 Gather Victim Identity Information

TA0042 Resource Development (4 techniques)
  • T1583 Acquire Infrastructure
    • T1583.003 Virtual Private Server
  • T1584 Compromise Infrastructure
  • T1586 Compromise Accounts
  • T1588 Obtain Capabilities

TA0001 Initial Access (5 techniques)
  • T1078 Valid Accounts (×3)
    • T1078.004 Cloud Accounts
  • T1133 External Remote Services
  • T1195 Supply Chain Compromise (×4)
    • T1195.001 Compromise Software Dependencies and Development Tools
  • T1199 Trusted Relationship (×5)
  • T1566 Phishing (×2)
    • T1566.001 Spearphishing Attachment
    • T1566.002 Spearphishing Link (×2)
    • T1566.003 Spearphishing via Service (×3)

TA0002 Execution (6 techniques)
  • T1059 Command and Scripting Interpreter
    • T1059.006 Python (×2)
    • T1059.007 JavaScript (×3)
  • T1127 Trusted Developer Utilities Proxy Execution
  • T1203 Exploitation for Client Execution
  • T1204 User Execution (×2)
    • T1204.002 Malicious File
  • T1574 Hijack Execution Flow (×2)
  • T1651 Cloud Administration Command

TA0003 Persistence (3 techniques)
  • T1078 Valid Accounts (×3)
    • T1078.004 Cloud Accounts
  • T1133 External Remote Services
  • T1556 Modify Authentication Process (×2)

TA0004 Privilege Escalation (2 techniques)
  • T1068 Exploitation for Privilege Escalation
  • T1078 Valid Accounts (×3)
    • T1078.004 Cloud Accounts

TA0005 Stealth (9 techniques)
  • T1027 Obfuscated Files or Information
  • T1036 Masquerading (×3)
  • T1070 Indicator Removal (×2)
    • T1070.004 File Deletion (×2)
    • T1070.009 Clear Persistence
  • T1078 Valid Accounts (×3)
    • T1078.004 Cloud Accounts
  • T1127 Trusted Developer Utilities Proxy Execution
  • T1497 Virtualization/Sandbox Evasion
  • T1574 Hijack Execution Flow (×2)
  • T1612 Build Image on Host
  • T1620 Reflective Code Loading

TA0112 Defense Impairment (1 technique)
  • T1556 Modify Authentication Process (×2)

TA0006 Credential Access (3 techniques)
  • T1528 Steal Application Access Token (×2)
  • T1556 Modify Authentication Process (×2)
  • T1649 Steal or Forge Authentication Certificates (×4)

TA0007 Discovery (4 techniques)
  • T1082 System Information Discovery (×2)
  • T1083 File and Directory Discovery
  • T1497 Virtualization/Sandbox Evasion
  • T1526 Cloud Service Discovery (×2)

TA0008 Lateral Movement (1 technique)
  • T1210 Exploitation of Remote Services

TA0011 Command and Control (7 techniques)
  • T1001 Data Obfuscation
  • T1071 Application Layer Protocol
    • T1071.001 Web Protocols
  • T1090 Proxy (×3)
    • T1090.003 Multi-hop Proxy (×2)
  • T1102 Web Service
    • T1102.001 Dead Drop Resolver
  • T1105 Ingress Tool Transfer (×3)
  • T1219 Remote Access Tools
  • T1568 Dynamic Resolution
    • T1568.003 DNS Calculation

TA0010 Exfiltration (3 techniques)
  • T1041 Exfiltration Over C2 Channel (×2)
  • T1537 Transfer Data to Cloud Account
  • T1567 Exfiltration Over Web Service

TA0040 Impact (5 techniques)
  • T1496 Resource Hijacking
  • T1498 Network Denial of Service
  • T1499 Endpoint Denial of Service (×4)
  • T1565 Data Manipulation (×4)
  • T1657 Financial Theft
ARSENAL

Associated malware families

30 malware families attributed to this actor across reporting.

Family, context excerpt from reporting, number of evidence reports, and last-seen date:

RN Loader (evidence: 3 reports; last seen Jun 14, 2026)
  "The YAML deserialization payload executes malware we have named RN Loader and RN Stealer based on the C2 token format we observed in RN Stealer. ... This newly created file for RN Loader at ~/Public/__init__.py deletes itself after execution, ensuring that it exists solely in memory. It sends basic information about the victim machine and operating system over HTTPS to the same C2 at en.stockslab[.]org, followed by a command loop."

RN Stealer (evidence: 3 reports; last seen Jun 14, 2026)
  "However, we recovered a Python-based infostealer delivered by option 2, and we track this malware as RN Stealer. RN Stealer first generates a random victim ID, subsequently used as a cookie in all communications to the C2 server. It then requests an XOR key from the server for encrypting exfiltrated data."

BeaverTail (evidence: 2 reports; last seen May 1, 2026)
  "The campaign targeted Web3 and decentralised finance (DeFi) developers globally via AI-generated fake job offers delivered through LinkedIn, using three interoperating malware families BeaverTail, OtterCookie, and InvisibleFerret in a phased infection chain that begins with a malicious coding assessment and culminates in full credential exfiltration and wallet drainage."

FudModule (evidence: 2 reports; last seen Mar 8, 2026)
  "The 2022 introduction of Fudmodule advanced capabilities through direct kernel manipulation and zero-day exploitation in vulnerable drivers, Chrome, and Windows."

OtterCookie (evidence: 2 reports; last seen May 1, 2026)
  "The campaign targeted Web3 and decentralised finance (DeFi) developers globally via AI-generated fake job offers delivered through LinkedIn, using three interoperating malware families BeaverTail, OtterCookie, and InvisibleFerret in a phased infection chain that begins with a malicious coding assessment and culminates in full credential exfiltration and wallet drainage."

25 additional families tracked in Mallory.

IOCS

Observables

89 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.


ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news.
