The North Korean advanced persistent threat group Gleaming Pisces, believed to be a sub-cluster of the Lazarus Group, leveraged malicious Python Package Index packages to deploy the new PondRAT malware, a more compact iteration of the POOLRAT macOS backdoor, according to The Hacker News.
All four poisoned packages, since removed from the PyPI repository, executed an encoded next-stage payload before deploying PondRAT builds for Linux and macOS that support file upload and download as well as arbitrary command execution, a Palo Alto Networks Unit 42 report showed. Gleaming Pisces, also known as Labyrinth Chollima, Citrine Sleet, Nickel Academy, and UNC4736, has also released more Linux versions of the POOLRAT trojan. "The weaponization of legitimate-looking Python packages across multiple operating systems poses a significant risk to organizations. Successful installation of malicious third-party packages can result in malware infection that compromises an entire network," said Unit 42.
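The mechanism the report describes (a package that decodes and runs a next-stage payload at install time) can be screened for before a wheel or sdist reaches a build host. The checker below is an added example for defenders, not Unit 42's tooling and not derived from the actual Gleaming Pisces packages; it statically parses a setup.py for setuptools install-hook overrides and for exec/eval/subprocess calls fed by a decode call, and the sample setup.py it scans is constructed with a harmless print statement as the "stage".

```python
import ast
import base64
import re

# setuptools command classes whose run() executes during `pip install`.
INSTALL_HOOK_BASES = {"install", "develop", "egg_info", "build_py"}
DECODE_CALLS = {"b64decode", "b32decode", "a85decode", "unhexlify", "decompress"}
EXEC_CALLS = {"exec", "eval", "system", "Popen", "run", "call"}


def _call_name(node: ast.Call) -> str:
    """Return the bare name of the function being called (exec, b64decode, ...)."""
    f = node.func
    return f.attr if isinstance(f, ast.Attribute) else getattr(f, "id", "")


def scan_setup_py(source: str) -> list:
    """Return textual findings for install-time stager patterns in a setup.py."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        # 1. Subclassing an install command means code runs at install time.
        if isinstance(node, ast.ClassDef):
            bases = {b.attr if isinstance(b, ast.Attribute) else getattr(b, "id", "")
                     for b in node.bases}
            hooked = bases & INSTALL_HOOK_BASES
            if hooked:
                findings.append(f"install hook override: class {node.name}({', '.join(sorted(hooked))})")
        # 2. exec()/eval()/subprocess whose arguments contain a decode call.
        if isinstance(node, ast.Call) and _call_name(node) in EXEC_CALLS:
            inner = {_call_name(c) for a in node.args for c in ast.walk(a) if isinstance(c, ast.Call)}
            if inner & DECODE_CALLS:
                findings.append(f"{_call_name(node)} over decoded data "
                                f"({', '.join(sorted(inner & DECODE_CALLS))}) at line {node.lineno}")
        # 3. Long opaque literals are the usual carrier for an encoded stage.
        if (isinstance(node, ast.Constant) and isinstance(node.value, str)
                and len(node.value) >= 64 and re.fullmatch(r"[A-Za-z0-9+/=]+", node.value)):
            findings.append(f"long base64-like literal ({len(node.value)} chars) at line {node.lineno}")
    return findings


# Constructed sample of the poisoned-package shape: a benign print stands in for the stage.
STAGE = base64.b64encode(b"print('stage would run here')").decode()
SUSPICIOUS_SETUP = f'''
from setuptools import setup
from setuptools.command.install import install
import base64

class PostInstall(install):
    def run(self):
        install.run(self)
        exec(base64.b64decode("{STAGE}"))

setup(name="example-pkg", version="0.1", cmdclass={{"install": PostInstall}})
'''
BENIGN_SETUP = 'from setuptools import setup\nsetup(name="example-pkg", version="0.1")\n'
```

Run it over an extracted sdist before installation; an empty list is not proof of safety, since a stager can also live in package code imported later, but any finding is a reason to block the package pending review.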