RN Loader
RN Loader is a Python-based malware loader used by the North Korean state-sponsored threat group Slow Pisces (also tracked as Jade Sleet, TraderTraitor, and PUKCHONG) in campaigns targeting cryptocurrency developers. In the reported activity, operators impersonated recruiters on LinkedIn and delivered trojanized coding challenges via GitHub repositories.

In the Python infection chain, attacker-controlled data fetched from en.stockslab[.]org was deserialized with an unsafe PyYAML yaml.load() call, resulting in execution of a YAML payload that created ~/Public/__init__.py, wrote embedded Base64-decoded data to it, and executed it as RN Loader. The loader then deleted itself after execution so that it existed solely in memory. RN Loader sent basic victim and operating system information over HTTPS to the same C2 domain, en.stockslab[.]org, and entered a command loop. Reported command capabilities included sleeping, loading and executing a DLL or binary, executing Base64-decoded Python code via exec, launching files named dockerd and docker-init, and terminating execution.

Unit 42 linked RN Loader to selective payload delivery against validated victims and recovered a later-stage Python infostealer, RN Stealer, delivered through the loader. Hashes given in the reporting are SHA256 937c533bddb8bbcd908b62f2bf48e5bc11160505df20fea91d9600d999eafa79 for RN Loader and SHA256 47e997b85ed3f51d2b1d37a6a61ae72185d9ceaf519e2fdb53bf7e761b7bc08f for the preceding YAML deserialization payload. Supporting reporting also describes RN Loader and RN Stealer as part of a malware arsenal used to harvest SSH keys, saved credentials, and cloud service configurations from compromised developer workstations.
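To make the behaviours described above usable by defenders, here is an added example of hunt logic in Python (not code from Unit 42 or Mallory) run over constructed EDR-style events. The event schema and field names are assumptions, the sample events are made up, and the observables (the C2 domain, the ~/Public/__init__.py drop path, the dockerd/docker-init process names and the two SHA256 hashes) are taken from the description above. The trusted Docker install locations are likewise an assumption for a developer Mac and would need tuning per environment.

```python
"""Hunt logic for the RN Loader behaviours described in the write-up above.

Added example, not code from Unit 42 or Mallory. The event records are
constructed sample telemetry in a hypothetical EDR-style schema; the field
names (ts, host, type, proc, path, cmdline, dest_host, sha256) are assumptions.
"""
from datetime import datetime, timedelta

# Observables taken from the reporting above (the C2 domain is de-fanged in the text).
C2_DOMAIN = "en.stockslab.org"
DROP_PATH_SUFFIX = "/Public/__init__.py"
KNOWN_SHA256 = {
    "937c533bddb8bbcd908b62f2bf48e5bc11160505df20fea91d9600d999eafa79": "RN Loader",
    "47e997b85ed3f51d2b1d37a6a61ae72185d9ceaf519e2fdb53bf7e761b7bc08f": "YAML deserialization payload",
}
DOCKER_NAMES = {"dockerd", "docker-init"}
# Assumed trusted install locations for a genuine Docker daemon on a developer Mac.
TRUSTED_PREFIXES = ("/usr/local/bin/", "/usr/bin/", "/opt/homebrew/bin/", "/Applications/")

# Constructed sample events: one infected host (dev-mac-01) plus benign noise on dev-mac-02.
SAMPLE_EVENTS = [
    {"ts": "2025-04-01T10:00:00", "host": "dev-mac-01", "type": "file_create",
     "proc": "python3", "path": "/Users/dev/Public/__init__.py",
     "sha256": "937c533bddb8bbcd908b62f2bf48e5bc11160505df20fea91d9600d999eafa79"},
    {"ts": "2025-04-01T10:00:02", "host": "dev-mac-01", "type": "file_delete",
     "proc": "python3", "path": "/Users/dev/Public/__init__.py"},
    {"ts": "2025-04-01T10:00:05", "host": "dev-mac-01", "type": "net_conn",
     "proc": "python3", "dest_host": "en.stockslab.org", "dest_port": 443},
    {"ts": "2025-04-01T10:02:00", "host": "dev-mac-01", "type": "process_start",
     "proc": "dockerd", "cmdline": "/Users/dev/Public/dockerd"},
    {"ts": "2025-04-01T09:00:00", "host": "dev-mac-02", "type": "process_start",
     "proc": "dockerd", "cmdline": "/usr/local/bin/dockerd"},
    {"ts": "2025-04-01T09:00:10", "host": "dev-mac-02", "type": "file_create",
     "proc": "python3", "path": "/Users/dev/project/__init__.py",
     "sha256": "0000000000000000000000000000000000000000000000000000000000000000"},
]


def _ts(ev):
    return datetime.fromisoformat(ev["ts"])


def find_self_deleting_init(events, window_seconds=60):
    """Pair a create of ~/Public/__init__.py with a delete of the same path on the
    same host shortly afterwards, matching the loader's self-deletion."""
    created, findings = {}, []
    for ev in sorted(events, key=_ts):
        if ev["type"] not in ("file_create", "file_delete"):
            continue
        if not ev["path"].endswith(DROP_PATH_SUFFIX):
            continue
        key = (ev["host"], ev["path"])
        if ev["type"] == "file_create":
            created[key] = _ts(ev)
        elif key in created and _ts(ev) - created.pop(key) <= timedelta(seconds=window_seconds):
            findings.append({"rule": "self_deleting_public_init", "host": ev["host"],
                             "ts": ev["ts"], "detail": ev["path"]})
    return findings


def find_c2_beacons(events):
    """Flag outbound connections to the reported C2 domain or any subdomain of it."""
    findings = []
    for ev in events:
        if ev["type"] != "net_conn":
            continue
        dest = ev["dest_host"].lower().rstrip(".")
        if dest == C2_DOMAIN or dest.endswith("." + C2_DOMAIN):
            findings.append({"rule": "c2_domain_match", "host": ev["host"],
                             "ts": ev["ts"], "detail": dest})
    return findings


def find_docker_impostors(events):
    """Flag processes named dockerd/docker-init whose image sits outside the trusted
    install locations; the loader launches files with these names from user space."""
    findings = []
    for ev in events:
        if ev["type"] != "process_start" or ev["proc"] not in DOCKER_NAMES:
            continue
        image = ev["cmdline"].split()[0]
        if not image.startswith(TRUSTED_PREFIXES):
            findings.append({"rule": "docker_name_outside_trusted_path", "host": ev["host"],
                             "ts": ev["ts"], "detail": image})
    return findings


def find_known_hashes(events):
    """Match file events carrying a SHA256 against the hashes from the reporting."""
    return [{"rule": "known_hash", "host": ev["host"], "ts": ev["ts"],
             "detail": KNOWN_SHA256[ev["sha256"]]}
            for ev in events if ev.get("sha256") in KNOWN_SHA256]


def hunt(events):
    """Run every rule and return the combined findings, oldest first."""
    findings = (find_self_deleting_init(events) + find_c2_beacons(events)
                + find_docker_impostors(events) + find_known_hashes(events))
    return sorted(findings, key=lambda f: f["ts"])


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['ts']} {f['host']} {f['rule']}: {f['detail']}")
```

The create-then-delete pairing and the out-of-place dockerd rule are behavioural and survive a change of C2 domain or file hash; the domain and hash matches are cheap but brittle, so the two kinds are combined rather than relying on the atomic indicators alone. On the constructed input only dev-mac-01 produces findings; the real Docker daemon and the ordinary project __init__.py on dev-mac-02 are not flagged.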
Groups observed using it
2 distinct threat actors attributed by public researchers.
The YAML deserialization payload executes malware we have named RN Loader and RN Stealer based on the C2 token format we observed in RN Stealer. ... This newly created file for RN Loader at ~/Public/__init__.py deletes itself after execution, ensuring that it exists solely in memory. It sends basic information about the victim machine and operating system over HTTPS to the same C2 at en.stockslab[.]org, followed by a command loop.
Techniques & procedures
11 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (4 techniques)
“...posing as potential employers and sending malware disguised as coding challenges... require developers to run a compromised project...”
“...ran the script without inspecting its contents... hidden malware... credentials... stolen...”
Slow Pisces began by impersonating recruiters on LinkedIn and engaging with potential targets, sending them a benign PDF with a job description... attackers presented them with a coding challenge... which links to a GitHub repository.
Execution (1 technique)
Stealth (3 techniques)
The repositories contained code adapted from open-source projects... The malicious command-and-control (C2) server is configured to mimic the format of the legitimate sources... domains... frequently using subdomains like .api or .cdn.
Discovery (1 technique)
IOCs tracked for this family
4 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Indicator categories: IPs, domains, and DNS infrastructure linked to this family; file hashes (MD5, SHA-1, SHA-256) from samples and reports; other indicator types observed in public reporting.
Recent activity
4 sources tracked across advisories, community write-ups, and news.
RN Loader is a Python-based loader used by TraderTraitor to deliver second-stage payloads to compromised systems, often as part of a multi-stage attack chain targeting developers and cloud environments.
Loader malware used by North Korean threat actors to infect systems, typically as part of a multi-stage attack targeting cryptocurrency developers.
Malware used in a developer-targeting social engineering campaign (coding-challenge lure) to infect systems and likely stage/fetch additional payloads.
Memory-resident loader used in Slow Pisces' malicious coding challenge campaign. It self-deletes after execution, beacons system information to C2, and supports commands to sleep, download and load DLL/binaries, execute Python code, launch additional payloads, or terminate.