Key points
- Jumpy Pisces, a North Korean state-sponsored group tied to the Reconnaissance General Bureau, was linked to an intrusion that preceded Play ransomware deployment.
- Initial access occurred via a compromised user account in May 2024 and the actors maintained access through September 2024.
- Attackers used Sliver (customized C2) and DTrack (infostealer) and moved files across hosts over SMB to spread and persist.
- Observed tooling included credential harvesting (Impacket/secretsdump.py and a Mimikatz variant), a trojanized browser-stealer, TokenPlayer, and PsExec-based privilege escalation.
- Sliver beaconing to IP 172.96.137[.]224 and domain americajobmail[.]site was observed until the day before ransomware deployment; DTrack execution was blocked by EDR.
- Unit 42 assesses with moderate confidence that Jumpy Pisces collaborated with or sold access to Play ransomware actors, representing a notable tactical shift.
MITRE Techniques
- [T1003] OS Credential Dumping – Credentials were harvested with Impacket’s secretsdump.py (partial registry dumps on the first compromised host) and a customized Mimikatz variant that wrote its output to C:\windows\temp\KB0722.log (‘use of Impacket’s credential harvesting module, secretsdump.py.’).
- [T1105] Ingress Tool Transfer – Malware and tool binaries were copied to other hosts over SMB, into C$ shares, using the compromised account (‘copying malware files using SMB protocol.’).
- [T1071] Application Layer Protocol – The customized Sliver implant beaconed to its C2 server at 172.96.137[.]224 and americajobmail[.]site (‘Use of Sliver for C2 communication.’).
- [T1134] Access Token Manipulation and [T1569.002] Service Execution – Windows access tokens were abused with TokenPlayer and PsExec was used to escalate privileges and move laterally; note that this is not T1068, which covers exploitation of a software vulnerability for privilege escalation and does not describe the observed activity (‘Abuse of Windows access tokens and escalation via PsExec.’).
- [T1005] Data from Local System – DTrack (infostealer) and a trojanized browser-stealer were deployed for data collection, while Sliver provided the persistent remote access used for lateral movement (‘Use of DTrack and Sliver malware.’).
Indicators of Compromise
- [SHA256 Hashes] Observed malicious file hashes – 243ad5458706e5c836f8eb88a9f67e136f1fa76ed44868217dc995a8c7d07bf7, 2b254ae6690c9e37fa7d249e8578ee27393e47db1913816b4982867584be713a, and 4 more hashes.
- [C2 IP / Domain] Sliver command-and-control – 172.96.137[.]224, americajobmail[.]site.
- [Code Signing Certificate] Invalid or fraudulent certificates used to sign the malicious files, previously associated with Jumpy Pisces – SHA256 b4f5d37732272f18206242ccd00f6cad9fbfc12fae9173bb69f53fffeba5553f (Issuer: CN=LAMERA CORPORATION LIMITED) and SHA256 f64dab23c50e3d131abcc1bdbb35ce9d68a34920dd77677730568c24a84411c5 (Issuer: CN=Tableau Software Inc.).
- [File paths / artifacts] Credential dump and tool staging locations – C:\windows\temp\KB0722.log (Mimikatz credential dump), C:\Users\Public\Music (TokenPlayer and other tools), and files written to %TEMP% by the trojanized browser-stealer.
Unit 42 investigated an incident in which the North Korean state-linked group Jumpy Pisces gained access to a corporate network in May 2024 and maintained a foothold through early September 2024, culminating in the deployment of Play ransomware. The intrusion began when a legitimate user account was compromised and used to access a host through a firewall. Evidence collected from that host included partial registry dumps consistent with use of Impacket’s secretsdump.py, suggesting early credential harvesting activity.
Once inside, the operators spread a customized Sliver implant and the DTrack infostealer to additional systems by copying files over Server Message Block (SMB), using scripted SMB commands to write payloads into the C$ administrative shares of internal hosts. DTrack samples were observed but prevented from executing by the environment’s endpoint detection and response (EDR); Sliver, however, continued to beacon intermittently to its command-and-control server until early September. Unit 42 notes the Sliver implant contacted IP 172.96.137[.]224 and the domain americajobmail[.]site, both of which have prior links to Jumpy Pisces activity.
During the access window, the actors also employed credential collection and token abuse techniques. A customized Mimikatz variant wrote a credential dump log to C:\windows\temp\KB0722.log, while other tooling, including a trojanized browser binary that scraped browsing history, autofill entries, and payment card data, saved the collected information to temporary directories. The team observed artifacts and tooling staged in C:\Users\Public\Music, including TokenPlayer, used for Windows access token abuse, and saw PsExec used for privilege escalation and lateral movement in the lead-up to the ransomware event.
In early September an unidentified actor used the same compromised account to conduct pre-ransomware operations: renewed credential harvesting, escalation to SYSTEM, and widespread uninstallation of EDR sensors. These actions cleared the way for Play ransomware to be executed across affected systems. Unit 42 notes that Sliver C2 traffic ceased around the time Play ransomware activity began and that the Sliver C2 IP went offline following the ransomware deployment.
Files observed during the intrusion were often signed with fraudulent or invalid certificates that previously have been associated with Jumpy Pisces. Unit 42 cataloged certificate details and multiple SHA256 file hashes tied to the incident, and cataloged the Sliver C2 and associated domain as operational indicators. Although DTrack execution was blocked in this incident, its presence alongside Sliver demonstrates the attackers’ dual focus on data collection and maintaining persistent remote access.
Based on the overlap of the compromised account, the presence of Jumpy Pisces-linked tooling, Sliver beaconing up to the day before deployment, and shared TTPs with other Play incidents (for example, tool placement under C:\Users\Public\Music), Unit 42 assesses with moderate confidence that Jumpy Pisces either collaborated with Play ransomware operators or acted as an initial access broker selling access to them. It remains unclear whether Jumpy Pisces became an affiliate of Play or simply provided network access; either scenario represents a troubling evolution from espionage and selective cybercrime toward active participation in ransomware operations.
This incident is notable as the first documented instance of Jumpy Pisces working in conjunction with an underground ransomware network, a development that could herald increased North Korean participation in ransomware campaigns targeting a broad range of victims. Organizations should treat Jumpy Pisces activity as a potential precursor to ransomware and strengthen monitoring for credential harvesting, SMB-based file transfers, Sliver-like C2 beacons, and the misuse of administrative tools such as PsExec and TokenPlayer.
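The monitoring advice above (SMB copies into administrative shares, staging under C:\Users\Public\Music, PsExec service installs, and Sliver-style beaconing to the listed C2) can be turned into simple detection logic. The following is an added example written for this page, not code from Unit 42 or from any product; the log schema (`net`, `file`, `share`, `service` records with the field names shown) and the sample records are constructed for illustration, and the jitter threshold in `find_beacons` is an assumed tuning value. The beacon check generalises beyond the specific IP: it flags any host/destination pair with regular inter-connection intervals, which is how a Sliver-like implant with a fixed sleep plus jitter tends to look in proxy or flow logs.

```python
"""Constructed detection example for the Jumpy Pisces / Play TTPs described above.

Record schema and sample data are assumptions made for this example, not real telemetry.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Indicators named in the report (defanged there, plain here so they can be matched).
C2_IPS = {"172.96.137.224"}
C2_DOMAINS = {"americajobmail.site"}
# Staging locations named in the report; matched case-insensitively on the lower-cased path.
STAGING_DIRS = (r"c:\users\public\music", r"c:\windows\temp")
EXEC_EXTS = (".exe", ".dll", ".ps1", ".bat")


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


# Constructed sample records (assumed schema). WS01 beacons every ~5 minutes to the C2;
# SRV02 receives TokenPlayer.exe over its C$ share and then gets a PsExec service.
SAMPLE_LOGS = [
    {"ts": "2024-06-03 09:00:00", "host": "WS01", "type": "net", "dst_ip": "172.96.137.224", "dst_name": "", "dst_port": 443},
    {"ts": "2024-06-03 09:05:02", "host": "WS01", "type": "net", "dst_ip": "172.96.137.224", "dst_name": "", "dst_port": 443},
    {"ts": "2024-06-03 09:09:58", "host": "WS01", "type": "net", "dst_ip": "172.96.137.224", "dst_name": "", "dst_port": 443},
    {"ts": "2024-06-03 09:15:01", "host": "WS01", "type": "net", "dst_ip": "172.96.137.224", "dst_name": "", "dst_port": 443},
    {"ts": "2024-06-03 09:20:00", "host": "WS01", "type": "net", "dst_ip": "172.96.137.224", "dst_name": "", "dst_port": 443},
    {"ts": "2024-06-03 10:00:00", "host": "WS01", "type": "net", "dst_ip": "52.0.0.1", "dst_name": "update.example.com", "dst_port": 443},
    {"ts": "2024-06-04 11:30:00", "host": "SRV02", "type": "share", "share": r"\\*\C$", "rel_path": r"Users\Public\Music\TokenPlayer.exe", "access": "WriteData", "src_ip": "10.0.0.15"},
    {"ts": "2024-06-04 11:31:00", "host": "SRV02", "type": "file", "path": r"C:\Users\Public\Music\TokenPlayer.exe"},
    {"ts": "2024-06-04 11:32:00", "host": "SRV02", "type": "service", "name": "PSEXESVC", "image": r"C:\Windows\PSEXESVC.exe"},
    {"ts": "2024-06-04 12:00:00", "host": "SRV02", "type": "file", "path": r"C:\Program Files\Vendor\app.exe"},
]


def match_iocs(records):
    """Return (host, rule, detail) tuples for records matching an indicator or behaviour from the report."""
    hits = []
    for r in records:
        kind = r["type"]
        if kind == "net":
            # Known Sliver C2 IP or domain.
            if r["dst_ip"] in C2_IPS or r["dst_name"].lower() in C2_DOMAINS:
                hits.append((r["host"], "c2_ioc", r["dst_ip"] or r["dst_name"]))
        elif kind == "file":
            # Executable written into a directory the actors used for staging tools.
            path = r["path"].lower()
            if path.startswith(STAGING_DIRS) and path.endswith(EXEC_EXTS):
                hits.append((r["host"], "staging_dir_executable", r["path"]))
        elif kind == "share":
            # Executable written into C$ / ADMIN$ over SMB: the lateral tool-copy pattern.
            share = r["share"].upper()
            if (share.endswith(("C$", "ADMIN$")) and r["rel_path"].lower().endswith(EXEC_EXTS)
                    and "write" in r["access"].lower()):
                hits.append((r["host"], "admin_share_tool_copy", f'{r["src_ip"]} -> {r["share"]}\\{r["rel_path"]}'))
        elif kind == "service":
            # PsExec installs a temporary service named PSEXESVC on the target.
            if r["name"].upper() == "PSEXESVC" or "psexec" in r["image"].lower():
                hits.append((r["host"], "psexec_service_install", r["name"]))
    return hits


def find_beacons(records, min_count=4, max_jitter=0.25):
    """Flag (host, destination, median_gap_seconds) for connection series with regular timing.

    A sleep-plus-jitter implant produces inter-arrival gaps that stay within a bounded
    fraction of their median; max_jitter is an assumed threshold, tune it per environment.
    """
    by_pair = defaultdict(list)
    for r in records:
        if r["type"] == "net":
            by_pair[(r["host"], r["dst_ip"] or r["dst_name"])].append(_ts(r["ts"]))
    beacons = []
    for (host, dst), times in by_pair.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median = statistics.median(gaps)
        if median > 0 and max(abs(g - median) for g in gaps) / median <= max_jitter:
            beacons.append((host, dst, median))
    return beacons


if __name__ == "__main__":
    for hit in match_iocs(SAMPLE_LOGS):
        print("IOC/behaviour:", hit)
    for beacon in find_beacons(SAMPLE_LOGS):
        print("Beacon-like traffic:", beacon)
```

The IOC rules are only as good as the indicator list, which is why the beacon check is separate: Sliver operators rotate infrastructure, and in this intrusion the C2 IP went offline after the ransomware deployment, so a timing-based rule keeps working once the listed IP and domain are dead. Run it against real proxy or EDR exports by mapping their fields onto the assumed schema.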
Read more: https://unit42.paloaltonetworks.com/north-korean-threat-group-play-ransomware/