RN Loader
RN Loader is malware used in campaigns attributed to the North Korea-linked threat actor TraderTraitor, also tracked as Slow Pisces, Jade Sleet, PUKCHONG, and UNC4899, a subgroup within the Lazarus Group operating under North Korea’s Reconnaissance General Bureau. It is described as part of the group’s malware arsenal alongside RN Stealer and is specifically associated with operations targeting cryptocurrency developers, blockchain organizations, cryptocurrency exchanges, and cloud service providers.
The reported infection vector is social engineering: victims are approached on platforms such as LinkedIn, Telegram, or Discord with fake job offers or coding challenges, including malicious Python coding challenges hosted on GitHub. Developers are induced to run a compromised project, after which RN Loader and RN Stealer infect the victim system. The malware family is described as Python-based information-stealing tooling designed to harvest SSH keys, saved credentials, and cloud service configurations from compromised developer workstations. Supporting reporting also states TraderTraitor uses legitimate platforms such as GitHub and npm to deliver malicious payloads, and that its malware ecosystem uses hardcoded command-and-control URLs and AES-256 encryption.
The source reporting links RN Loader, with high confidence, to broader TraderTraitor operations: compromise of developer environments, theft of cloud credentials and session tokens, reconnaissance of cloud environments including IAM roles and S3 buckets, and persistence attempts such as registering virtual MFA devices. The source material does not provide file hashes, domains, IP addresses, or other direct IOCs for RN Loader itself.
Groups observed using it
2 distinct threat actors attributed by public researchers.
These challenges require developers to run a compromised project, infecting their systems using malware named RN Loader and RN Stealer.
Techniques & procedures
1 distinct technique documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique. Evidence: “...posing as potential employers and sending malware disguised as coding challenges... require developers to run a compromised project...”; “...ran the script without inspecting its contents... hidden malware... credentials... stolen...”
Recent activity
3 sources tracked across advisories, community write-ups, and news.
RN Loader is a Python-based loader used by TraderTraitor to deliver second-stage payloads to compromised systems, often as part of a multi-stage attack chain targeting developers and cloud environments.
Loader malware used by North Korean threat actors to infect systems, typically as part of a multi-stage attack targeting cryptocurrency developers.
Malware used in a developer-targeting social engineering campaign (coding-challenge lure) to infect systems and likely stage/fetch additional payloads.