RN Stealer
RN Stealer is a Python-based information stealer associated with the North Korea-linked threat actor TraderTraitor, a Lazarus Group subgroup also tracked as Slow Pisces, Jade Sleet, PUKCHONG, and UNC4899. Public reporting describes it as part of the actor’s malware arsenal alongside RN Loader and notes its use in campaigns targeting cryptocurrency developers and software developers through fake job offers, malicious coding challenges, and compromised projects. Unit 42 reported that Slow Pisces used the malware against cryptocurrency developers via fake Python coding challenges, while other reporting states that victims were infected after running compromised projects. High-confidence reporting says RN Stealer is designed to harvest SSH keys, saved credentials, and cloud service configurations from compromised developer workstations. The broader TraderTraitor intrusion chain relies on social engineering on platforms such as LinkedIn, Telegram, and Discord, often using GitHub and npm to deliver malicious payloads. Reported targeting includes blockchain organizations, cryptocurrency exchanges, cloud service providers, and developer environments. RN Stealer is also mentioned in reporting on TraderTraitor activity alongside GolangGhost, Manuscrypt, DRATzarus, PostNapTea, Volgmer, and wAgentTea.
Groups observed using it
3 distinct threat actors attributed by public researchers.
These challenges require developers to run a compromised project, infecting their systems using malware named RN Loader and RN Stealer.
Techniques & procedures
1 distinct technique documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
“...posing as potential employers and sending malware disguised as coding challenges... require developers to run a compromised project...”
“...ran the script without inspecting its contents... hidden malware... credentials... stolen...”
Recent activity
4 sources tracked across advisories, community write-ups, and news.
A named stealer referenced in TraderTraitor-related reporting.
RN Stealer is a Python-based information stealer used by TraderTraitor to harvest SSH keys, saved credentials, and cloud service configurations from compromised developer workstations, facilitating further compromise of cloud assets.
Stealer malware deployed by North Korean threat actors to exfiltrate sensitive data from infected cryptocurrency developers' systems.
Information-stealing malware used against cryptocurrency developers via a coding-challenge lure.