Threat Research

Pisces Campaign Unleashes PondRAT Backdoors for Linux and MacOS via Poisoned Python Packages

Unit42

Unit 42 researchers track PondRAT, a Linux and macOS backdoor delivered through poisoned Python packages uploaded to PyPI, linked to the Gleaming Pisces North Korea‑affiliated threat actor. The campaign targets supply‑chain vendors via developers’ endpoints and shows code similarities to POOLRAT and AppleJeus, indicating a broader Gleaming Pisces operation. #PondRAT #POOLRAT #GleamingPisces #AppleJeus #NorthKorea

Keypoints

  • Ongoing poisoned Python packages campaign delivering backdoors named PondRAT.
  • Linked to Gleaming Pisces, a North Korea–affiliated threat actor.
  • PondRAT is a lighter version of POOLRAT, a macOS RAT also attributed to Gleaming Pisces.
  • Poisoned packages were uploaded to PyPI, a popular open-source repository.
  • Campaign aims to compromise supply chain vendors via developers’ endpoints to reach customers.
  • Significant code similarities found between PondRAT and POOLRAT, as well as with prior Gleaming Pisces malware (AppleJeus).
  • Palo Alto Networks products provide protections against PondRAT/POOLRAT variants.

MITRE Techniques

  • [T1071.001] Application Layer Protocol – “Utilizing poisoned Python packages to deliver malware.”
  • [T1203] Exploitation for Client Execution – “Malicious code executed after installation of poisoned packages.”
  • [T1053] Scheduled Task/Job – “Malware maintains persistence through scheduled tasks.”
  • [T1071] Application Layer Protocol – “Communicates with C2 servers to receive commands.”
  • [T1041] Exfiltration – “Data is exfiltrated through the established C2 channel.”

Indicators of Compromise

  • [SHA256] PondRAT Linux variant – 973f7939ea03fd2c9663dafc21bb968f56ed1b9a56b0284acf73c3ee141c053c
  • [SHA256] PondRAT macOS variant – 0b5db31e47b0dccfdec46e74c0e70c6a1684768dbacc9eacbb4fd2ef851994c7, 3c8dbfcbb4fccbaf924f9a650a04cb4715f4a58d51ef49cc75bfcef0ac258a3e and 3 more hashes
  • [Domain] PondRAT C2s – jdkgradle[.]com, rebelthumb[.]net
  • [SHA256] POOLRAT Linux variant – 5c907b722c53a5be256dc5f96b755bc9e0b032cc30973a52d984d4174bace456, f3b0da965a4050ab00fce727bb31e0f889a9c05d68d777a8068cfc15a71d3703
  • [Domain] POOLRAT C2s – www.talesseries[.]com/write.php, rgedist[.]com/sfxl.php

Read more: https://unit42.paloaltonetworks.com/gleaming-pisces-applejeus-poolrat-and-pondrat/

SHARE THIS STORY

WhatsAppX (Twitter)TelegramBlueskyFacebookLinkedInThreadsEmailPrint