{"id":141786,"date":"2025-04-14T14:13:41","date_gmt":"2025-04-14T21:13:41","guid":{"rendered":"https:\/\/unit42.paloaltonetworks.com\/?p=141786"},"modified":"2025-06-19T11:04:31","modified_gmt":"2025-06-19T18:04:31","slug":"slow-pisces-new-custom-malware","status":"publish","type":"post","link":"https:\/\/origin-unit42.paloaltonetworks.com\/pt-br\/slow-pisces-new-custom-malware\/","title":{"rendered":"Slow Pisces Targets Developers With Coding Challenges and Introduces New Custom Python Malware"},"content":{"rendered":"<p><a id=\"post-141786-_heading=h.2w8g3cz65qwl\"><\/a><strong>Executive Summary<\/strong><\/p>\n<p>Slow Pisces (also known as Jade Sleet, TraderTraitor and PUKCHONG) is a North Korean state-sponsored threat group whose main focus is generating revenue for the DPRK regime, usually by targeting large organizations in the cryptocurrency sector. This article analyzes the group's campaign, which we believe is related to recent cryptocurrency thefts.<\/p>\n<p>In this campaign, <a href=\"https:\/\/unit42.paloaltonetworks.com\/threat-actor-groups-tracked-by-palo-alto-networks-unit-42\/#:~:text=Slow%20Pisces%20is%20North%20Korea%27s%20nation%20state%20threat%20group%20under%20Reconnaissance%20General%20Bureau%20(RGB)%20of%20DPRK.%20It%27s%20believed%20to%20be%20a%20spin%2Doff%20from%20the%20Lazarus%20group%20with%20focus%20on%20financial%20gathering%20and%20crypto%20industry%20targeting%20goals\" target=\"_blank\" rel=\"noopener\">Slow Pisces<\/a> engaged with cryptocurrency developers on LinkedIn, posing as potential employers and sending malware disguised as coding challenges. 
These challenges require the developers to run a compromised project, which infects their systems with malware we have named RN Loader and RN Stealer.<\/p>\n<p>The group is reported to have stolen more than <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/security-insider\/microsoft-digital-defense-report-2023\" target=\"_blank\" rel=\"noopener\">US$1 billion from the cryptocurrency sector in 2023<\/a>. They achieved this using several methods, including <a href=\"https:\/\/www.cisa.gov\/news-events\/cybersecurity-advisories\/aa22-108a\" target=\"_blank\" rel=\"noopener\">fake trading platforms<\/a>, malware distributed through the <a href=\"https:\/\/github.blog\/security\/vulnerability-research\/security-alert-social-engineering-campaign-targets-technology-industry-employees\/\" target=\"_blank\" rel=\"noopener\">Node Package Manager (NPM)<\/a> and <a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/north-korea-supply-chain\" target=\"_blank\" rel=\"noopener\">supply chain compromises<\/a>.<\/p>\n<p>In December 2024, <a href=\"https:\/\/www.fbi.gov\/news\/press-releases\/fbi-dc3-and-npa-identification-of-north-korean-cyber-actors-tracked-as-tradertraitor-responsible-for-theft-of-308-million-from-bitcoindmmcom\" target=\"_blank\" rel=\"noopener\">the FBI attributed<\/a> the theft of US$308 million from a Japan-based cryptocurrency company to Slow Pisces. 
More recently, the group made headlines for its alleged involvement in the <a href=\"https:\/\/www.ic3.gov\/PSA\/2025\/PSA250226\" target=\"_blank\" rel=\"noopener\">theft of US$1.5 billion<\/a> from a Dubai cryptocurrency exchange.<\/p>\n<p>We shared our threat intelligence with GitHub and LinkedIn analysts to take down the relevant accounts and repositories.<\/p>\n<p>They provided the following statement in response:<\/p>\n<p style=\"padding-left: 40px;\"><em>GitHub and LinkedIn removed these malicious accounts for violating our respective terms of service. Across our products, we use automated technology, combined with teams of investigation specialists and member reporting, to combat bad actors and enforce terms of service. We continue to evolve and improve our processes and encourage our customers and members to report any suspicious activity.<\/em><\/p>\n<p style=\"padding-left: 40px;\"><strong><em>Additional information<\/em><\/strong><\/p>\n<ul>\n<li><i>GitHub users can find more information on the <a href=\"https:\/\/urldefense.proofpoint.com\/v2\/url?u=https-3A__docs.github.com_en_site-2Dpolicy_acceptable-2Duse-2Dpolicies_github-2Dacceptable-2Duse-2Dpolicies&amp;d=DwMGaQ&amp;c=V9IgWpI5PvzTw83UyHGVSoW3Uc1MFWe5J8PTfkrzVSo&amp;r=_lIJbiuLEsecGC88yMz56rH6l-Y5OB28uwt-Y9Xz4rE&amp;m=UGRFdaU0cIscSEQoBgGwJQdMeZgVigbcDnGPmHQpONBJ7WMaQJJPO7CyDeS05g6u&amp;s=Q3c625ggV3WuLxlSWstf7yxNVIxr6RXfLqXEs4YQhfI&amp;e=\" target=\"_blank\" rel=\"noopener\">Acceptable Use Policies<\/a> and <a 
href=\"https:\/\/urldefense.proofpoint.com\/v2\/url?u=https-3A__docs.github.com_en_communities_maintaining-2Dyour-2Dsafety-2Don-2Dgithub_reporting-2Dabuse-2Dor-2Dspam&amp;d=DwMGaQ&amp;c=V9IgWpI5PvzTw83UyHGVSoW3Uc1MFWe5J8PTfkrzVSo&amp;r=_lIJbiuLEsecGC88yMz56rH6l-Y5OB28uwt-Y9Xz4rE&amp;m=UGRFdaU0cIscSEQoBgGwJQdMeZgVigbcDnGPmHQpONBJ7WMaQJJPO7CyDeS05g6u&amp;s=w_rzmUGqBolbje6bXMIl06IDbCkfN_csSaR7Aw6f9hA&amp;e=\" target=\"_blank\" rel=\"noopener\">reporting abuse or spam<\/a> pages.<\/i><\/li>\n<li><i>LinkedIn users can learn more about how to identify and report abuse here: <a href=\"https:\/\/urldefense.proofpoint.com\/v2\/url?u=https-3A__www.linkedin.com_help_linkedin_answer_a1344213&amp;d=DwMGaQ&amp;c=V9IgWpI5PvzTw83UyHGVSoW3Uc1MFWe5J8PTfkrzVSo&amp;r=_lIJbiuLEsecGC88yMz56rH6l-Y5OB28uwt-Y9Xz4rE&amp;m=UGRFdaU0cIscSEQoBgGwJQdMeZgVigbcDnGPmHQpONBJ7WMaQJJPO7CyDeS05g6u&amp;s=MWowAjuRradajHCOP9WGk5AkD3krn1yWpFfUQ4gm1EA&amp;e=\" target=\"_blank\" rel=\"noopener\">Recognize and report spam, inappropriate, and abusive content | LinkedIn Help<\/a>.<\/i><\/li>\n<\/ul>\n<p>This report details how Slow Pisces hides malware in its coding challenges and describes the group's subsequent tooling, with the goal of giving the wider industry a better understanding of this threat.<\/p>\n<p>Palo Alto Networks customers are better protected from the threats discussed in this article through our <a href=\"https:\/\/docs.paloaltonetworks.com\/ngfw\" target=\"_blank\" rel=\"noopener\">Next-Generation Firewall<\/a> with the <a href=\"https:\/\/docs.paloaltonetworks.com\/advanced-url-filtering\/administration\" target=\"_blank\" rel=\"noopener\">Advanced URL Filtering<\/a> and <a href=\"https:\/\/docs.paloaltonetworks.com\/dns-security\" 
target=\"_blank\" rel=\"noopener\">Advanced DNS Security<\/a> subscriptions.<\/p>\n<p>If you think you may have been compromised or have an urgent matter, contact the <a href=\"https:\/\/start.paloaltonetworks.com\/contact-unit42.html\" target=\"_blank\" rel=\"noopener\">Unit 42 Incident Response team<\/a>.<\/p>\n<table style=\"width: 90.1422%;\">\n<thead>\n<tr style=\"height: 24px;\">\n<td style=\"width: 35%; height: 24px;\"><b>Related Unit 42 Topics<\/b><\/td>\n<td style=\"width: 205.091%; height: 24px;\"><b><a href=\"https:\/\/unit42.paloaltonetworks.com\/pt-br\/tag\/cryptocurrency-pt-br\/\" target=\"_blank\" rel=\"noopener\">Cryptocurrency<\/a>, <a href=\"https:\/\/unit42.paloaltonetworks.com\/pt-br\/tag\/dprk-pt-br\/\">DPRK<\/a><\/b><\/td>\n<\/tr>\n<\/thead>\n<\/table>\n<h2><strong>Technical Analysis<\/strong><\/h2>\n<p>Our visibility into this campaign broadly follows three stages, illustrated below in Figure 1.<\/p>\n<figure id=\"attachment_141947\" aria-describedby=\"caption-attachment-141947\" style=\"width: 800px\" class=\"wp-caption alignnone\"><img  class=\"wp-image-141947 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/05\/2476_Diagrams-3-716x440.png\" alt=\"Diagram illustrating cybersecurity threats involving PDF lures, GitHub repositories and a C2 server. It shows: 1) PDF files, such as job descriptions and question sheets, acting as lures, 2) JavaScript and Python GitHub repositories with several external APIs, potentially fetching malicious data, and 3) a C2 server configured to send benign data or a malicious payload under certain conditions. 
The Palo Alto Networks and UNIT 42 logos are included.\" width=\"800\" height=\"492\" srcset=\"https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/05\/2476_Diagrams-3-716x440.png 716w, https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/05\/2476_Diagrams-3-1139x700.png 1139w, https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/05\/2476_Diagrams-3-768x472.png 768w, https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/05\/2476_Diagrams-3.png 1206w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/><figcaption id=\"caption-attachment-141947\" class=\"wp-caption-text\">Figure 1. Overview of the Slow Pisces \"coding challenges\" campaign.<\/figcaption><\/figure>\n<h3><strong>Stage 1 - PDF Lures<\/strong><\/h3>\n<p>Slow Pisces began by posing as recruiters on LinkedIn and engaging with potential targets, sending them a benign PDF containing a job description, as shown below in Figure 2. If the potential targets applied, the attackers presented them with a coding challenge consisting of several tasks described in a question sheet.<\/p>\n<figure id=\"attachment_141798\" aria-describedby=\"caption-attachment-141798\" style=\"width: 1000px\" class=\"wp-caption alignnone\"><img  class=\"wp-image-141798 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/05\/word-image-649309-141786-2.png\" alt=\"Image showing two documents side by side. On the left, a \u201cJob Description\u201d for a UX design team coordinator. 
On the right, a \u201cQuestion Sheet\u201d containing technical and general questions related to user experience (UX) design.\" width=\"1000\" height=\"715\" srcset=\"https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/05\/word-image-649309-141786-2.png 1580w, https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/05\/word-image-649309-141786-2-615x440.png 615w, https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/05\/word-image-649309-141786-2-979x700.png 979w, https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/05\/word-image-649309-141786-2-768x549.png 768w, https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/05\/word-image-649309-141786-2-1536x1099.png 1536w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" \/><figcaption id=\"caption-attachment-141798\" class=\"wp-caption-text\">Figure 2. Benign PDF lures.<\/figcaption><\/figure>\n<p>We observed Slow Pisces impersonating several organizations with these lures, mainly in the cryptocurrency sector. The question sheets included generic software development tasks and a \"real project\" coding challenge tied to a GitHub repository, shown in Figure 3 below.<\/p>\n<figure id=\"attachment_141809\" aria-describedby=\"caption-attachment-141809\" style=\"width: 800px\" class=\"wp-caption alignnone\"><img  class=\"wp-image-141809 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/05\/word-image-652998-141786-3.png\" alt=\"Screenshot of a document titled \u201cCoding and Problem-Solving Skills With Real Project\u201d. 
It includes a link to a GitHub repository and describes a coding task involving Bitcoin and Ethereum exchange rates from API sources. The text asks for enhancements to the project by adding more market APIs and improving network communication in the code.\" width=\"800\" height=\"408\" srcset=\"https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/05\/word-image-652998-141786-3.png 1942w, https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/05\/word-image-652998-141786-3-786x401.png 786w, https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/05\/word-image-652998-141786-3-1373x700.png 1373w, https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/05\/word-image-652998-141786-3-768x392.png 768w, https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/05\/word-image-652998-141786-3-1536x783.png 1536w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/><figcaption id=\"caption-attachment-141809\" class=\"wp-caption-text\">Figure 3. \"Real project\" coding challenge contained in the PDF lure.<\/figcaption><\/figure>\n<h3><strong>Stage 2 - GitHub Repositories<\/strong><\/h3>\n<p>Slow Pisces presented targets with the so-called coding challenges as GitHub repository projects. The repositories contained code adapted from open-source projects, including applications for viewing and analyzing:<\/p>\n<ul>\n<li>Stock market data<\/li>\n<li>European football league statistics<\/li>\n<li>Weather data<\/li>\n<li>Cryptocurrency prices<\/li>\n<\/ul>\n<p>The group mainly used Python or JavaScript projects, probably depending on whether the target had applied for a front-end or back-end development role. 
We also saw Java-based repositories in this campaign, although they were far less common, with only two instances representing a cryptocurrency application called jCoin.<\/p>\n<p>This scarcity suggests the attackers may have created repositories on demand, based on the target's preferred programming language. Consequently, the group most often used the languages most popular in the cryptocurrency sector, such as JavaScript and Python. Likewise, undiscovered repositories may also exist for other programming languages.<\/p>\n<h3><strong>Stage 3a - Python Repository<\/strong><\/h3>\n<p>In late 2024, the group used a project shown below in Figure 4, titled \"Stocks Pattern Analyzer\", adapted from a <a href=\"https:\/\/github.com\/gaborvecsei\/Stocks-Pattern-Analyzer\" target=\"_blank\" rel=\"noopener\">legitimate repository<\/a>.<\/p>\n<figure id=\"attachment_141820\" aria-describedby=\"caption-attachment-141820\" style=\"width: 700px\" class=\"wp-caption alignnone\"><img  class=\"wp-image-141820 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/05\/word-image-656839-141786-4.png\" alt=\"Screenshot of a GitHub repository called \u201cStocks Pattern Analyzer\u201d showing the file structure on the left and the contents of the README file on the right, explaining how to run the application directly and with Docker.\" width=\"700\" height=\"363\" srcset=\"https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/05\/word-image-656839-141786-4.png 1992w, https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/05\/word-image-656839-141786-4-786x408.png 786w, https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/05\/word-image-656839-141786-4-1349x700.png 1349w, 
https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/05\/word-image-656839-141786-4-768x399.png 768w, https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/05\/word-image-656839-141786-4-1536x797.png 1536w\" sizes=\"(max-width: 700px) 100vw, 700px\" \/><figcaption id=\"caption-attachment-141820\" class=\"wp-caption-text\">Figure 4. \"Stocks Pattern Analyzer\" Python repository.<\/figcaption><\/figure>\n<p>Most of the code in the repository is benign. When targets try to run the project according to the question sheet, data is fetched from three remote locations:<\/p>\n<ul>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">hxxps:\/\/en.wikipedia[.]org\/wiki\/List_of_S%26P_500_companies<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">hxxps:\/\/en.wikipedia[.]org\/wiki\/Currency_pair<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">hxxps:\/\/en.stockslab[.]org\/symbols\/sp500<\/span><\/li>\n<\/ul>\n<p>Two of the URLs pull data from Wikipedia. The third URL uses a domain controlled by Slow Pisces. This pattern, several data sources with most of them legitimate and one malicious, is common in the group's Python repositories.<\/p>\n<p>The malicious command-and-control (C2) server is set up to mimic the format of the legitimate sources. 
In this case, it uses the <span style=\"font-family: 'courier new', courier, monospace;\">en<\/span> subdomain and the <span style=\"font-family: 'courier new', courier, monospace;\">.org<\/span> top-level domain (TLD), as seen in the legitimate Wikipedia domain above.<\/p>\n<h4><strong><em>YAML Deserialization<\/em><\/strong><\/h4>\n<p>Slow Pisces could simply place the malware directly in the repository, or run code from the C2 server using Python's built-in <span style=\"font-family: 'courier new', courier, monospace;\"><a href=\"https:\/\/docs.python.org\/3\/library\/functions.html#eval\" target=\"_blank\" rel=\"noopener\">eval<\/a><\/span> or <span style=\"font-family: 'courier new', courier, monospace;\"><a href=\"https:\/\/docs.python.org\/3\/library\/functions.html#exec\" target=\"_blank\" rel=\"noopener\">exec<\/a><\/span> functions. However, these techniques are easily detected, both by manual inspection and by antivirus solutions.<\/p>\n<p>Instead, Slow Pisces first ensures that the C2 server responds with valid application data. For example, the repository mentioned above expects a list of S&amp;P 500 company symbols. The C2 URL initially responds with exactly that data, as a JSON-formatted list.<\/p>\n<p>The threat actors send a malicious payload only to validated targets, likely based on IP address, geolocation, time and HTTP request headers. 
The focus on individuals contacted via LinkedIn, as opposed to broad phishing campaigns, allows the group to tightly control the later stages of the campaign and deliver payloads only to the expected victims.<\/p>\n<p>To avoid the suspicious <span style=\"font-family: 'courier new', courier, monospace;\">eval<\/span> and <span style=\"font-family: 'courier new', courier, monospace;\">exec<\/span> functions, Slow Pisces uses <a href=\"https:\/\/net-square.com\/yaml-deserialization-attack-in-python.html\" target=\"_blank\" rel=\"noopener\">YAML deserialization<\/a> to execute its payload, as shown in Figure 5.<\/p>\n<figure id=\"attachment_141831\" aria-describedby=\"caption-attachment-141831\" style=\"width: 800px\" class=\"wp-caption alignnone\"><img  class=\"wp-image-141831 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/05\/word-image-659567-141786-5.png\" alt=\"Screenshot of Python code defining a \u2018fetch_symbols\u2019 function that retrieves S&amp;P 500 stock symbols using an API call, handles different content types and processes responses based on their content type. 
The last line has a section highlighted in a red box.\" width=\"800\" height=\"403\" srcset=\"https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/05\/word-image-659567-141786-5.png 1508w, https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/05\/word-image-659567-141786-5-786x396.png 786w, https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/05\/word-image-659567-141786-5-1389x700.png 1389w, https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/05\/word-image-659567-141786-5-768x387.png 768w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/><figcaption id=\"caption-attachment-141831\" class=\"wp-caption-text\">Figure 5. Python code showing the entry point of the Slow Pisces malware using YAML deserialization.<\/figcaption><\/figure>\n<p>This code fetches data from the C2 server over HTTPS and checks the <span style=\"font-family: 'courier new', courier, monospace;\">Content-Type<\/span> response header. If the header indicates JSON data (<span style=\"font-family: 'courier new', courier, monospace;\">application\/json<\/span>), the code parses the JSON and returns it to the application.<\/p>\n<p>If the response indicates YAML data (<span style=\"font-family: 'courier new', courier, monospace;\">application\/yaml<\/span>), the code uses the <span style=\"font-family: 'courier new', courier, monospace;\">yaml.load()<\/span> function from the <a href=\"https:\/\/github.com\/yaml\/pyyaml\" target=\"_blank\" rel=\"noopener\">PyYAML<\/a> library to parse the data. 
This function is inherently unsafe, and the PyYAML documentation <a href=\"https:\/\/github.com\/yaml\/pyyaml\" target=\"_blank\" rel=\"noopener\">explicitly recommends<\/a> <span style=\"font-family: 'courier new', courier, monospace;\">yaml.safe_load()<\/span> for untrusted input.<\/p>\n<p>YAML is normally used for configuration files, such as the example shown below:<\/p>\n<pre class=\"lang:default decode:true\">username: slow\r\npassword: pisces\r\napi:\r\n  key: supersecret\r\n  url: example.com<\/pre>\n<p>However, PyYAML's <span style=\"font-family: 'courier new', courier, monospace;\">yaml.load()<\/span> can deserialize arbitrary Python objects (and <span style=\"font-family: 'courier new', courier, monospace;\">yaml.dump()<\/span> can serialize them), not just plain YAML data. For example, the following Python expression produces the numbers 0 through 4:<\/p>\n<pre class=\"lang:default decode:true\">range(0, 5)<\/pre>\n<p>If this object were serialized using <span style=\"font-family: 'courier new', courier, monospace;\">yaml.dump()<\/span>, it would become the following:<\/p>\n<pre class=\"lang:default decode:true\">!!python\/object\/apply:builtins.range\r\n- 0\r\n- 5\r\n- 1<\/pre>\n<p>Finally, when this data is passed to <span style=\"font-family: 'courier new', courier, monospace;\">yaml.load()<\/span>, it executes the original code: <span style=\"font-family: 'courier new', courier, monospace;\">range(0, 5)<\/span>.<\/p>\n<p>This highlights a potential detection point: payloads for the Python repository, and YAML deserialization malware in general, contain <span style=\"font-family: 'courier new', courier, monospace;\">!!python\/object\/apply:builtins<\/span> whenever the payload uses a <a href=\"https:\/\/docs.python.org\/3\/library\/functions.html\" target=\"_blank\" rel=\"noopener\">built-in Python function<\/a>.<\/p>\n<p>The subsequent stages listed in 
Table 1 exist primarily in memory and generally leave no traces on disk. To help the community with detection and awareness, we uploaded these payloads to VirusTotal. The YAML deserialization payload executes the malware we call RN Loader and RN Stealer, named after the C2 token format we observed in RN Stealer, which we discuss in the following sections.<\/p>\n<table style=\"width: 80.9307%;\">\n<tbody>\n<tr>\n<td style=\"text-align: center; width: 32.5314%;\"><b>Stage<\/b><\/td>\n<td style=\"text-align: center; width: 85.2035%;\"><b>SHA256 Hash<\/b><\/td>\n<\/tr>\n<tr>\n<td style=\"width: 32.5314%;\"><span style=\"font-weight: 400;\">YAML deserialization payload<\/span><\/td>\n<td style=\"width: 85.2035%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">47e997b85ed3f51d2b1d37a6a61ae72185d9ceaf519e2fdb53bf7e761b7bc08f<\/span><\/td>\n<\/tr>\n<tr>\n<td style=\"width: 32.5314%;\"><span style=\"font-weight: 400;\">RN Loader<\/span><\/td>\n<td style=\"width: 85.2035%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">937c533bddb8bbcd908b62f2bf48e5bc11160505df20fea91d9600d999eafa79<\/span><\/td>\n<\/tr>\n<tr>\n<td style=\"width: 32.5314%;\"><span style=\"font-weight: 400;\">RN Stealer<\/span><\/td>\n<td style=\"width: 85.2035%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">e89bf606fbed8f68127934758726bbb5e68e751427f3bcad3ddf883cb2b50fc7<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span style=\"font-size: 11pt;\">Table 1. Python repository payloads.<\/span><\/p>\n<p>The Slow Pisces YAML deserialization payload starts by creating the <span style=\"font-family: 'courier new', courier, monospace;\">Public<\/span> folder in the victim's home directory and creating a new file in that directory called <span style=\"font-family: 'courier new', courier, monospace;\">__init__.py<\/span>. Embedded Base64 data is decoded and written to this file; it contains the next infection stage (RN Loader), which is then executed.<\/p>\n<h4><strong>RN Loader<\/strong><\/h4>\n<p>The newly created RN Loader file at <span style=\"font-family: 'courier new', courier, monospace;\">~\/Public\/__init__.py<\/span> deletes itself after execution, ensuring it exists only in memory. It sends basic information about the victim's computer and operating system over HTTPS to the same C2 at <span style=\"font-family: 'courier new', courier, monospace;\">en.stockslab[.]org<\/span>, followed by a command loop with the options listed in Table 2.<\/p>\n<table>\n<tbody>\n<tr>\n<td style=\"text-align: center;\"><b>Code<\/b><\/td>\n<td style=\"text-align: center;\"><b>Description<\/b><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\"><span style=\"font-weight: 400;\">0<\/span><\/td>\n<td style=\"text-align: left;\"><span style=\"font-weight: 400;\">Sleep for 20 seconds<\/span><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\"><span style=\"font-weight: 400;\">1<\/span><\/td>\n<td style=\"text-align: left;\"><p><span style=\"font-weight: 400;\">Base64-decodes the sent content and saves it to the file <\/span><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">init.dll<\/span><span style=\"font-weight: 400;\"> on Windows or <\/span><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">init<\/span><span style=\"font-weight: 400;\"> on all other operating systems.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Sets the environment variable <\/span><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">X_DATABASE_NAME<\/span><span style=\"font-weight: 400;\"> to an empty string.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Loads and executes the downloaded DLL using <\/span><a href=\"https:\/\/docs.python.org\/3\/library\/ctypes.html#ctypes.CDLL\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\"><span style=\"font-family: 'courier new', courier, monospace;\">ctypes.cdll.LoadLibrary<\/span><\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/p><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\"><span style=\"font-weight: 400;\">2<\/span><\/td>\n<td style=\"text-align: left;\"><span style=\"font-weight: 400;\">Base64-decodes the sent content and executes it using Python's built-in <\/span><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">exec<\/span><span style=\"font-weight: 400;\">.<\/span><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\"><span style=\"font-weight: 400;\">3<\/span><\/td>\n<td style=\"text-align: left;\"><p><span style=\"font-weight: 400;\">Base64-decodes the sent content and a parameter. The content is saved to the file <\/span><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">dockerd<\/span><span style=\"font-weight: 400;\">, while the parameter is saved as <\/span><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">docker-init<\/span><span style=\"font-weight: 400;\">.<\/span><\/p>\n<p><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">dockerd<\/span><span style=\"font-weight: 400;\"> is then executed in a new process, with <\/span><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">docker-init<\/span><span style=\"font-weight: 400;\"> supplied as a command-line argument.<\/span><\/p><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\"><span style=\"font-weight: 400;\">9<\/span><\/td>\n<td style=\"text-align: left;\"><span style=\"font-weight: 400;\">Terminates execution.<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span style=\"font-size: 11pt;\">Table 2. RN Loader command table.<\/span><\/p>\n<p>The payloads delivered by the Table 2 command loop through options <strong>1<\/strong> and <strong>3<\/strong> are currently unknown and are probably triggered by specific conditions. However, we recovered a Python-based infostealer delivered through option <strong>2<\/strong>, and we track this malware as RN Stealer.<\/p>\n<h4><strong>RN Stealer<\/strong><\/h4>\n<p>RN Stealer first generates a random victim ID, later used as a cookie in all communications with the C2 server. It then requests an XOR key from the server to encrypt the exfiltrated data.<\/p>\n<p>Communication with the C2 server occurs over HTTPS, using Base64-encoded tokens to identify request and response types. 
O payload analisado inclui quatro tipos de token:<\/p>\n<ul>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">R0<\/span> - solicitando a chave XOR<\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">R64<\/span> - exfiltrando dados<\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">R128<\/span> - exfiltrando dados compactados<\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">R256<\/span> - infostealer completo<\/li>\n<\/ul>\n<p>O formato desses tipos de token (a letra <span style=\"font-family: 'courier new', courier, monospace;\">R<\/span> seguida de um n\u00famero inteiro <span style=\"font-family: 'courier new', courier, monospace;\">N<\/span>) levou a nossos nomes para esse payload. Chamamos o payload de RN Stealer e o est\u00e1gio anterior de RN Loader.<\/p>\n<p>Recuperamos o script para essa amostra do RN Stealer de um sistema macOS. Dessa forma, os autores da amea\u00e7a adaptaram essa amostra para roubar informa\u00e7\u00f5es espec\u00edficas de dispositivos macOS, incluindo:<\/p>\n<ul>\n<li>Informa\u00e7\u00f5es b\u00e1sicas sobre a v\u00edtima: nome de usu\u00e1rio, nome da m\u00e1quina e arquitetura<\/li>\n<li>Aplicativos instalados<\/li>\n<li>Uma lista de diret\u00f3rios e o conte\u00fado de n\u00edvel superior do diret\u00f3rio inicial da v\u00edtima<\/li>\n<li>O arquivo <span style=\"font-family: 'courier new', courier, monospace;\">login.keychain-db,<\/span> que armazena as credenciais salvas em sistemas macOS<\/li>\n<li>Chaves SSH armazenadas<\/li>\n<li>Arquivos de configura\u00e7\u00e3o para AWS, Kubernetes e Google Cloud<\/li>\n<\/ul>\n<p>Os dados coletados pelo RN Stealer provavelmente determinam se acesso persistente \u00e9 necess\u00e1rio. 
If so, we can infer the following steps for this Python infection chain:<\/p>\n<ol>\n<li>The C2 server checks beaconing victims against an unknown set of criteria. Valid victims receive a YAML deserialization payload. Invalid victims receive benign JSON data.<\/li>\n<li>The deserialization payload establishes a command loop with the C2 server, exfiltrating basic victim information and delivering a custom Python infostealer via option code <strong>2<\/strong> in Table 2.<\/li>\n<li>The infostealer gathers more detailed information about the victim, which the attackers likely used to determine whether they needed continued access.\n<ol>\n<li>If continued access is required, the C2 server delivers a payload via option codes <strong>1<\/strong> or <strong>3<\/strong>.<\/li>\n<li>If access is no longer required, option code <strong>9<\/strong> terminates the malware's execution, removing all access, since the payload resides only in memory.<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<h3><strong>Stage 3b - JavaScript Repository<\/strong><\/h3>\n<p>If victims applied for a JavaScript role, they could instead encounter a \"Cryptocurrency Dashboard\" project, similar to the example in Figure 6 below.<\/p>\n<figure id=\"attachment_141842\" aria-describedby=\"caption-attachment-141842\" style=\"width: 800px\" class=\"wp-caption alignnone\"><img  class=\"wp-image-141842 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/05\/word-image-662207-141786-6.png\" alt=\"Screenshot of a GitHub repository named \u201cCryptocurrency Dashboard\u201d with a README.md file displayed. The README includes the sections: Features, Installation, Usage, Project Structure, Configuration, Dependencies and License. It describes the project as an application built with Node.js, Express and EJS that displays historical and real-time data for various cryptocurrencies.\" width=\"800\" height=\"462\" srcset=\"https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/05\/word-image-662207-141786-6.png 1764w, https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/05\/word-image-662207-141786-6-762x440.png 762w, https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/05\/word-image-662207-141786-6-1213x700.png 1213w, https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/05\/word-image-662207-141786-6-768x443.png 768w, https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/05\/word-image-662207-141786-6-1536x886.png 1536w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/><figcaption id=\"caption-attachment-141842\" class=\"wp-caption-text\">Figure 6. JavaScript repository.<\/figcaption><\/figure>\n<p>This application contains a <span style=\"font-family: 'courier new', courier, monospace;\">.env<\/span> file with the C2 and a legitimate data source:<\/p>\n<ul>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">PORT=3000<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">COINGECKO_API_URL=hxxps:\/\/api.coingecko[.]com\/api\/v3<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">JQUERY_API_URL=hxxps:\/\/update.jquerycloud[.]io\/api\/v1<\/span><\/li>\n<\/ul>\n<p>The <span style=\"font-family: 'courier new', courier, monospace;\">COINGECKO_API_URL<\/span> value is used to fetch data for the Cryptocurrency Dashboard, while the <span style=\"font-family: 'courier new', courier, monospace;\">JQUERY_API_URL<\/span> value represents a C2 server controlled by Slow Pisces. As with the Python repository, the JavaScript C2 server serves payloads only to validated targets; otherwise, it responds with a version number.<\/p>\n<p>The repository uses the <a href=\"https:\/\/ejs.co\/\" target=\"_blank\" rel=\"noopener\">Embedded JavaScript (EJS)<\/a> templating tool, passing the C2 server's responses to the <span style=\"font-family: 'courier new', courier, monospace;\">ejs.render()<\/span> function, shown below in Figure 7.<\/p>\n<figure id=\"attachment_141853\" aria-describedby=\"caption-attachment-141853\" style=\"width: 700px\" class=\"wp-caption alignnone\"><img  class=\"wp-image-141853 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/05\/word-image-664967-141786-7.png\" alt=\"Screenshot showing a JavaScript code snippet. It includes a comment and a function call that renders a home page with settings and items per page. 
res.render is highlighted in a red box.\" width=\"700\" height=\"294\" srcset=\"https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/05\/word-image-664967-141786-7.png 1116w, https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/05\/word-image-664967-141786-7-786x330.png 786w, https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/05\/word-image-664967-141786-7-768x322.png 768w\" sizes=\"(max-width: 700px) 100vw, 700px\" \/><figcaption id=\"caption-attachment-141853\" class=\"wp-caption-text\">Figure 7. JavaScript code showing the entry point of the Slow Pisces malware through the EJS render function.<\/figcaption><\/figure>\n<p>Like the use of <span style=\"font-family: 'courier new', courier, monospace;\">yaml.load()<\/span>, this is another technique Slow Pisces uses to conceal the execution of arbitrary code received from its C2 servers, and the method may only become apparent when viewing a valid payload.<\/p>\n<p>The EJS render function accepts several parameters, one of which is called <span style=\"font-family: 'courier new', courier, monospace;\">view options<\/span>. Within it, arbitrary JavaScript code can be supplied and executed via the <span style=\"font-family: 'courier new', courier, monospace;\">escapeFunction<\/span> key.<\/p>\n<p>A Taiwanese researcher known as Huli discussed the technical details of how this results in arbitrary code execution <a href=\"https:\/\/blog.huli.tw\/2023\/06\/22\/en\/ejs-render-vulnerability-ctf\/\" target=\"_blank\" rel=\"noopener\">in a CTF write-up<\/a>. 
However, for our purposes it is enough to understand that a payload structured as shown in Figure 8 will result in the execution of the code contained in <span style=\"font-family: 'courier new', courier, monospace;\">escapeFunction<\/span> when it is passed to <span style=\"font-family: 'courier new', courier, monospace;\">ejs.render()<\/span>.<\/p>\n<figure id=\"attachment_141864\" aria-describedby=\"caption-attachment-141864\" style=\"width: 700px\" class=\"wp-caption alignnone\"><img  class=\"wp-image-141864 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/05\/word-image-667099-141786-8.png\" alt=\"Screenshot of a JavaScript code snippet involving functions, with \u201cescapeFunction\u201d highlighted in a red box.\" width=\"700\" height=\"593\" srcset=\"https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/05\/word-image-667099-141786-8.png 1234w, https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/05\/word-image-667099-141786-8-519x440.png 519w, https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/05\/word-image-667099-141786-8-826x700.png 826w, https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/05\/word-image-667099-141786-8-768x651.png 768w\" sizes=\"(max-width: 700px) 100vw, 700px\" \/><figcaption id=\"caption-attachment-141864\" class=\"wp-caption-text\">Figure 8. Partial EJS render payload.<\/figcaption><\/figure>\n<p>Unfortunately, we were unable to recover the full payload. 
As such, we can only surmise that a new <span style=\"font-family: 'courier new', courier, monospace;\">.jql<\/span> directory is created in the user's home directory, where a file named <span style=\"font-family: 'courier new', courier, monospace;\">helper.js<\/span> is dropped, containing Base64-encoded data.<\/p>\n<h3><strong>Infrastructure<\/strong><\/h3>\n<p>The timeline below, in Figure 9, details the C2 infrastructure used in this campaign from February 2024 to February 2025, grouped by the type of repository served (JavaScript or Python).<\/p>\n<figure id=\"attachment_141875\" aria-describedby=\"caption-attachment-141875\" style=\"width: 1000px\" class=\"wp-caption alignnone\"><img  class=\"wp-image-141875 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/05\/word-image-669572-141786-9.png\" alt=\"Infrastructure timeline tracking the JavaScript command and control servers (top, yellow label) and the Python command and control servers (bottom, orange label). The timeline starts at the end of the first quarter of 2024 and continues into the second quarter of 2025.\" width=\"1000\" height=\"906\" srcset=\"https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/05\/word-image-669572-141786-9.png 1338w, https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/05\/word-image-669572-141786-9-486x440.png 486w, https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/05\/word-image-669572-141786-9-773x700.png 773w, https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/05\/word-image-669572-141786-9-768x696.png 768w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" \/><figcaption id=\"caption-attachment-141875\" class=\"wp-caption-text\">Figure 9. C2 infrastructure timeline.<\/figcaption><\/figure>\n<p>As mentioned earlier, the domains in this campaign's infrastructure can mimic the format of the legitimate sources used alongside them, frequently using subdomains such as <span style=\"font-family: 'courier new', courier, monospace;\">api<\/span> or <span style=\"font-family: 'courier new', courier, monospace;\">cdn<\/span>. As of the publication of this article, we have uncovered the infrastructure associated with this campaign.<\/p>\n<h2><strong>Conclusion<\/strong><\/h2>\n<p>This report covered the latest Slow Pisces campaign, in which the group posed as recruiters on LinkedIn to target developers in the cryptocurrency sector with malicious coding challenges. Although we were unable to recover the full attack chain for the JavaScript repositories, the Python version of the campaign yielded two new payloads that we call RN Loader and RN Stealer.<\/p>\n<p>The use of LinkedIn and GitHub in this way is not unique. Several DPRK-affiliated groups have used similar tactics, such as <a href=\"https:\/\/www.reversinglabs.com\/blog\/fake-recruiter-coding-tests-target-devs-with-malicious-python-packages\" target=\"_blank\" rel=\"noopener\">Alluring Pisces<\/a> and <a href=\"https:\/\/unit42.paloaltonetworks.com\/two-campaigns-by-north-korea-bad-actors-target-job-hunters\/\" target=\"_blank\" rel=\"noopener\">Contagious Interview<\/a>.<\/p>\n<p>These groups show no operational overlap. However, it is noteworthy that these campaigns use similar initial infection vectors.<\/p>\n<p>Slow Pisces stands out from its peers' campaigns in operational security. Payload delivery at every stage is tightly guarded, existing only in memory. 
The group's later-stage tooling is deployed only when necessary.<\/p>\n<p>In particular, the group made use of two techniques to conceal functionality:<\/p>\n<ul>\n<li>YAML deserialization<\/li>\n<li>EJS <span style=\"font-family: 'courier new', courier, monospace;\">escapeFunction<\/span><\/li>\n<\/ul>\n<p>Both techniques make analysis, detection and threat hunting considerably harder. Likewise, developers who are relatively new to or inexperienced in the cryptocurrency sector would have difficulty identifying these repositories as malicious.<\/p>\n<p>Based on public reporting of cryptocurrency heists, this campaign appears to be highly successful and will likely persist into 2025. Although this article highlighted two possible detection opportunities, for YAML deserialization and for EJS <span style=\"font-family: 'courier new', courier, monospace;\">escapeFunction<\/span> payloads, the most effective mitigation remains strict segregation of corporate and personal devices. 
This helps prevent corporate systems from being compromised by targeted social engineering campaigns.<\/p>\n<h3><strong>Palo Alto Networks Protection and Mitigation<\/strong><\/h3>\n<p>Palo Alto Networks customers are better protected from the threats discussed above through the following products:<\/p>\n<ul>\n<li><a href=\"https:\/\/docs.paloaltonetworks.com\/advanced-url-filtering\/administration\" target=\"_blank\" rel=\"noopener\">Advanced URL Filtering<\/a> and <a href=\"https:\/\/docs.paloaltonetworks.com\/dns-security\" target=\"_blank\" rel=\"noopener\">Advanced DNS Security<\/a>.<\/li>\n<\/ul>\n<p>If you think you may have been compromised or have an urgent matter, contact the <a href=\"https:\/\/start.paloaltonetworks.com\/contact-unit42.html\" target=\"_blank\" rel=\"noopener\">Unit 42 Incident Response team<\/a> or call:<\/p>\n<ul>\n<li>North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)<\/li>\n<li>UK: +44.20.3743.3660<\/li>\n<li>Europe and Middle East: +31.20.299.3130<\/li>\n<li>Asia: +65.6983.8730<\/li>\n<li>Japan: +81.50.1790.0200<\/li>\n<li>Australia: +61.2.4062.7950<\/li>\n<li>India: 00080005045107<\/li>\n<\/ul>\n<p>Palo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. 
Learn more about the <a href=\"https:\/\/www.cyberthreatalliance.org\" target=\"_blank\" rel=\"noopener\">Cyber Threat Alliance<\/a>.<\/p>\n<h2><strong>Indicators of Compromise<\/strong><\/h2>\n<table style=\"width: 94.6616%; height: 698px;\">\n<tbody>\n<tr style=\"height: 24px;\">\n<td style=\"text-align: center; width: 28.614%; height: 24px;\"><b>Domain<\/b><\/td>\n<td style=\"text-align: center; width: 19.1704%; height: 24px;\"><b>IP Address<\/b><\/td>\n<td style=\"text-align: center; width: 20.1111%; height: 24px;\"><b>First Seen<\/b><\/td>\n<td style=\"text-align: center; width: 16.817%; height: 24px;\"><b>Last Seen<\/b><\/td>\n<td style=\"text-align: center; width: 74.6076%; height: 24px;\"><b>Repository<\/b><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"width: 28.614%; height: 25px;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">getstockprice[.]com<\/span><\/td>\n<td style=\"width: 19.1704%; height: 25px;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">70.34.245[.]118<\/span><\/td>\n<td style=\"text-align: center; width: 20.1111%; height: 25px;\"><span style=\"font-weight: 400;\">2025-02-03<\/span><\/td>\n<td style=\"text-align: center; width: 16.817%; height: 25px;\"><span style=\"font-weight: 400;\">2025-02-20<\/span><\/td>\n<td style=\"width: 74.6076%; height: 25px;\"><span style=\"font-weight: 400;\">Python<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"width: 28.614%; height: 25px;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">cdn[.]clubinfo[.]io<\/span><\/td>\n<td style=\"width: 19.1704%; height: 25px;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">5.206.227[.]51<\/span><\/td>\n<td style=\"text-align: center; width: 20.1111%; height: 25px;\"><span style=\"font-weight: 400;\">2025-01-21<\/span><\/td>\n<td style=\"text-align: 
center; width: 16.817%; height: 25px;\"><span style=\"font-weight: 400;\">2025-02-19<\/span><\/td>\n<td style=\"width: 74.6076%; height: 25px;\"><span style=\"font-weight: 400;\">Python<\/span><\/td>\n<\/tr>\n<tr style=\"height: 24px;\">\n<td style=\"width: 28.614%; height: 24px;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">getstockprice[.]info<\/span><\/td>\n<td style=\"width: 19.1704%; height: 24px;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">131.226.2[.]120<\/span><\/td>\n<td style=\"text-align: center; width: 20.1111%; height: 24px;\"><span style=\"font-weight: 400;\">2025-01-21<\/span><\/td>\n<td style=\"text-align: center; width: 16.817%; height: 24px;\"><span style=\"font-weight: 400;\">2025-01-23<\/span><\/td>\n<td style=\"width: 74.6076%; height: 24px;\"><span style=\"font-weight: 400;\">Python<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"width: 28.614%; height: 25px;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">api[.]stockinfo[.]io<\/span><\/td>\n<td style=\"width: 19.1704%; height: 25px;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">136.244.93[.]248<\/span><\/td>\n<td style=\"text-align: center; width: 20.1111%; height: 25px;\"><span style=\"font-weight: 400;\">2024-10-30<\/span><\/td>\n<td style=\"text-align: center; width: 16.817%; height: 25px;\"><span style=\"font-weight: 400;\">2024-11-11<\/span><\/td>\n<td style=\"width: 74.6076%; height: 25px;\"><span style=\"font-weight: 400;\">Python<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"width: 28.614%; height: 25px;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">cdn[.]logoeye[.]net<\/span><\/td>\n<td style=\"width: 19.1704%; height: 25px;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">54.39.83[.]151<\/span><\/td>\n<td style=\"text-align: 
center; width: 20.1111%; height: 25px;\"><span style=\"font-weight: 400;\">2024-10-29<\/span><\/td>\n<td style=\"text-align: center; width: 16.817%; height: 25px;\"><span style=\"font-weight: 400;\">2024-11-03<\/span><\/td>\n<td style=\"width: 74.6076%; height: 25px;\"><span style=\"font-weight: 400;\">Python<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"width: 28.614%; height: 25px;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">en[.]wfinance[.]org<\/span><\/td>\n<td style=\"width: 19.1704%; height: 25px;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">195.133.26[.]32<\/span><\/td>\n<td style=\"text-align: center; width: 20.1111%; height: 25px;\"><span style=\"font-weight: 400;\">2024-10-12<\/span><\/td>\n<td style=\"text-align: center; width: 16.817%; height: 25px;\"><span style=\"font-weight: 400;\">2024-11-01<\/span><\/td>\n<td style=\"width: 74.6076%; height: 25px;\"><span style=\"font-weight: 400;\">Python<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"width: 28.614%; height: 25px;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">en[.]stocksindex[.]org<\/span><\/td>\n<td style=\"width: 19.1704%; height: 25px;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">185.236.231[.]224<\/span><\/td>\n<td style=\"text-align: center; width: 20.1111%; height: 25px;\"><span style=\"font-weight: 400;\">2024-09-11<\/span><\/td>\n<td style=\"text-align: center; width: 16.817%; height: 25px;\"><span style=\"font-weight: 400;\">2024-10-04<\/span><\/td>\n<td style=\"width: 74.6076%; height: 25px;\"><span style=\"font-weight: 400;\">Python<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"width: 28.614%; height: 25px;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">cdn[.]jqueryversion[.]net<\/span><\/td>\n<td style=\"width: 19.1704%; height: 
25px;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">194.11.226[.]16<\/span><\/td>\n<td style=\"text-align: center; width: 20.1111%; height: 25px;\"><span style=\"font-weight: 400;\">2024-08-23<\/span><\/td>\n<td style=\"text-align: center; width: 16.817%; height: 25px;\"><span style=\"font-weight: 400;\">2024-09-23<\/span><\/td>\n<td style=\"width: 74.6076%; height: 25px;\"><span style=\"font-weight: 400;\">JavaScript<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"width: 28.614%; height: 25px;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">en[.]stockslab[.]org<\/span><\/td>\n<td style=\"width: 19.1704%; height: 25px;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">91.103.140[.]191<\/span><\/td>\n<td style=\"text-align: center; width: 20.1111%; height: 25px;\"><span style=\"font-weight: 400;\">2024-08-19<\/span><\/td>\n<td style=\"text-align: center; width: 16.817%; height: 25px;\"><span style=\"font-weight: 400;\">2024-09-12<\/span><\/td>\n<td style=\"width: 74.6076%; height: 25px;\"><span style=\"font-weight: 400;\">Python<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"width: 28.614%; height: 25px;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">update[.]jquerycloud[.]io<\/span><\/td>\n<td style=\"width: 19.1704%; height: 25px;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">192.236.199[.]57<\/span><\/td>\n<td style=\"text-align: center; width: 20.1111%; height: 25px;\"><span style=\"font-weight: 400;\">2024-07-03<\/span><\/td>\n<td style=\"text-align: center; width: 16.817%; height: 25px;\"><span style=\"font-weight: 400;\">2024-08-22<\/span><\/td>\n<td style=\"width: 74.6076%; height: 25px;\"><span style=\"font-weight: 400;\">JavaScript<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"width: 28.614%; height: 25px;\"><span 
style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">cdn[.]soccerlab[.]io<\/span><\/td>\n<td style=\"width: 19.1704%; height: 25px;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">146.70.124[.]70<\/span><\/td>\n<td style=\"text-align: center; width: 20.1111%; height: 25px;\"><span style=\"font-weight: 400;\">2024-08-07<\/span><\/td>\n<td style=\"text-align: center; width: 16.817%; height: 25px;\"><span style=\"font-weight: 400;\">2024-08-21<\/span><\/td>\n<td style=\"width: 74.6076%; height: 25px;\"><span style=\"font-weight: 400;\">Python<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"width: 28.614%; height: 25px;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">api[.]coinpricehub[.]io<\/span><\/td>\n<td style=\"width: 19.1704%; height: 25px;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">45.141.58[.]40<\/span><\/td>\n<td style=\"text-align: center; width: 20.1111%; height: 25px;\"><span style=\"font-weight: 400;\">2024-05-06<\/span><\/td>\n<td style=\"text-align: center; width: 16.817%; height: 25px;\"><span style=\"font-weight: 400;\">2024-08-06<\/span><\/td>\n<td style=\"width: 74.6076%; height: 25px;\"><span style=\"font-weight: 400;\">Java<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"width: 28.614%; height: 25px;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">cdn[.]leaguehub[.]net<\/span><\/td>\n<td style=\"width: 19.1704%; height: 25px;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">5.133.9[.]252<\/span><\/td>\n<td style=\"text-align: center; width: 20.1111%; height: 25px;\"><span style=\"font-weight: 400;\">2024-07-15<\/span><\/td>\n<td style=\"text-align: center; width: 16.817%; height: 25px;\"><span style=\"font-weight: 400;\">2024-07-21<\/span><\/td>\n<td style=\"width: 74.6076%; height: 25px;\"><span 
style=\"font-weight: 400;\">Python<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"width: 28.614%; height: 25px;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">cdn[.]clublogos[.]io<\/span><\/td>\n<td style=\"width: 19.1704%; height: 25px;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">146.19.173[.]29<\/span><\/td>\n<td style=\"text-align: center; width: 20.1111%; height: 25px;\"><span style=\"font-weight: 400;\">2024-06-24<\/span><\/td>\n<td style=\"text-align: center; width: 16.817%; height: 25px;\"><span style=\"font-weight: 400;\">2024-07-12<\/span><\/td>\n<td style=\"width: 74.6076%; height: 25px;\"><span style=\"font-weight: 400;\">Python<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"width: 28.614%; height: 25px;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">api[.]jquery-release[.]com<\/span><\/td>\n<td style=\"width: 19.1704%; height: 25px;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">146.70.125[.]120<\/span><\/td>\n<td style=\"text-align: center; width: 20.1111%; height: 25px;\"><span style=\"font-weight: 400;\">2024-06-10<\/span><\/td>\n<td style=\"text-align: center; width: 16.817%; height: 25px;\"><span style=\"font-weight: 400;\">2024-06-28<\/span><\/td>\n<td style=\"width: 74.6076%; height: 25px;\"><span style=\"font-weight: 400;\">JavaScript<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"width: 28.614%; height: 25px;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">cdn[.]logosports[.]net<\/span><\/td>\n<td style=\"width: 19.1704%; height: 25px;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">185.62.58[.]74<\/span><\/td>\n<td style=\"text-align: center; width: 20.1111%; height: 25px;\"><span style=\"font-weight: 400;\">2024-05-08<\/span><\/td>\n<td style=\"text-align: center; width: 
16.817%; height: 25px;\"><span style=\"font-weight: 400;\">2024-06-23<\/span><\/td>\n<td style=\"width: 74.6076%; height: 25px;\"><span style=\"font-weight: 400;\">Python<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"width: 28.614%; height: 25px;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">skypredict[.]org<\/span><\/td>\n<td style=\"width: 19.1704%; height: 25px;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">80.82.77[.]80<\/span><\/td>\n<td style=\"text-align: center; width: 20.1111%; height: 25px;\"><span style=\"font-weight: 400;\">2024-05-06<\/span><\/td>\n<td style=\"text-align: center; width: 16.817%; height: 25px;\"><span style=\"font-weight: 400;\">2024-06-16<\/span><\/td>\n<td style=\"width: 74.6076%; height: 25px;\"><span style=\"font-weight: 400;\">JavaScript<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"width: 28.614%; height: 25px;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">api[.]bitzone[.]io<\/span><\/td>\n<td style=\"width: 19.1704%; height: 25px;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">192.248.145[.]210<\/span><\/td>\n<td style=\"text-align: center; width: 20.1111%; height: 25px;\"><span style=\"font-weight: 400;\">2024-04-25<\/span><\/td>\n<td style=\"text-align: center; width: 16.817%; height: 25px;\"><span style=\"font-weight: 400;\">2024-05-13<\/span><\/td>\n<td style=\"width: 74.6076%; height: 25px;\"><span style=\"font-weight: 400;\">Python<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"width: 28.614%; height: 25px;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">weatherdatahub[.]org<\/span><\/td>\n<td style=\"width: 19.1704%; height: 25px;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">194.15.112[.]200<\/span><\/td>\n<td style=\"text-align: center; width: 
20.1111%; height: 25px;\"><span style=\"font-weight: 400;\">2024-04-05<\/span><\/td>\n<td style=\"text-align: center; width: 16.817%; height: 25px;\"><span style=\"font-weight: 400;\">2024-05-03<\/span><\/td>\n<td style=\"width: 74.6076%; height: 25px;\"><span style=\"font-weight: 400;\">JavaScript<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"width: 28.614%; height: 25px;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">api[.]ethzone[.]io<\/span><\/td>\n<td style=\"width: 19.1704%; height: 25px;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">91.234.199[.]90<\/span><\/td>\n<td style=\"text-align: center; width: 20.1111%; height: 25px;\"><span style=\"font-weight: 400;\">2024-04-16<\/span><\/td>\n<td style=\"text-align: center; width: 16.817%; height: 25px;\"><span style=\"font-weight: 400;\">2024-04-24<\/span><\/td>\n<td style=\"width: 74.6076%; height: 25px;\"><span style=\"font-weight: 400;\">Python<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"width: 28.614%; height: 25px;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">api[.]fivebit[.]io<\/span><\/td>\n<td style=\"width: 19.1704%; height: 25px;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">185.216.144[.]41<\/span><\/td>\n<td style=\"text-align: center; width: 20.1111%; height: 25px;\"><span style=\"font-weight: 400;\">2024-04-08<\/span><\/td>\n<td style=\"text-align: center; width: 16.817%; height: 25px;\"><span style=\"font-weight: 400;\">2024-04-14<\/span><\/td>\n<td style=\"width: 74.6076%; height: 25px;\"><span style=\"font-weight: 400;\">Python<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"width: 28.614%; height: 25px;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">blockprices[.]io<\/span><\/td>\n<td style=\"width: 19.1704%; height: 25px;\"><span style=\"font-weight: 
400; font-family: 'courier new', courier, monospace;\">91.193.18[.]201<\/span><\/td>\n<td style=\"text-align: center; width: 20.1111%; height: 25px;\"><span style=\"font-weight: 400;\">2024-03-15<\/span><\/td>\n<td style=\"text-align: center; width: 16.817%; height: 25px;\"><span style=\"font-weight: 400;\">2024-04-09<\/span><\/td>\n<td style=\"width: 74.6076%; height: 25px;\"><span style=\"font-weight: 400;\">JavaScript<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"width: 28.614%; height: 25px;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">api[.]coinhar[.]io<\/span><\/td>\n<td style=\"width: 19.1704%; height: 25px;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">185.62.58[.]122<\/span><\/td>\n<td style=\"text-align: center; width: 20.1111%; height: 25px;\"><span style=\"font-weight: 400;\">2024-03-26<\/span><\/td>\n<td style=\"text-align: center; width: 16.817%; height: 25px;\"><span style=\"font-weight: 400;\">2024-04-09<\/span><\/td>\n<td style=\"width: 74.6076%; height: 25px;\"><span style=\"font-weight: 400;\">Python<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"width: 28.614%; height: 25px;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">mavenradar[.]com<\/span><\/td>\n<td style=\"width: 19.1704%; height: 25px;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">23.254.230[.]253<\/span><\/td>\n<td style=\"text-align: center; width: 20.1111%; height: 25px;\"><span style=\"font-weight: 400;\">2024-02-21<\/span><\/td>\n<td style=\"text-align: center; width: 16.817%; height: 25px;\"><span style=\"font-weight: 400;\">2024-03-26<\/span><\/td>\n<td style=\"width: 74.6076%; height: 25px;\"><span style=\"font-weight: 400;\">JavaScript<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"width: 28.614%; height: 25px;\"><span style=\"font-weight: 400; font-family: 'courier new', 
courier, monospace;\">indobit[.]io<\/span><\/td>\n<td style=\"width: 19.1704%; height: 25px;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">146.70.88[.]126<\/span><\/td>\n<td style=\"text-align: center; width: 20.1111%; height: 25px;\"><span style=\"font-weight: 400;\">2024-03-19<\/span><\/td>\n<td style=\"text-align: center; width: 16.817%; height: 25px;\"><span style=\"font-weight: 400;\">2024-03-20<\/span><\/td>\n<td style=\"width: 74.6076%; height: 25px;\"><span style=\"font-weight: 400;\">Python<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"width: 28.614%; height: 25px;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">api[.]thaibit[.]io<\/span><\/td>\n<td style=\"width: 19.1704%; height: 25px;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">79.137.248[.]193<\/span><\/td>\n<td style=\"text-align: center; width: 20.1111%; height: 25px;\"><span style=\"font-weight: 400;\">2024-03-07<\/span><\/td>\n<td style=\"text-align: center; width: 16.817%; height: 25px;\"><span style=\"font-weight: 400;\">2024-03-09<\/span><\/td>\n<td style=\"width: 74.6076%; height: 25px;\"><span style=\"font-weight: 400;\">Python<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"width: 28.614%; height: 25px;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">chainanalyser[.]com<\/span><\/td>\n<td style=\"width: 19.1704%; height: 25px;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">38.180.62[.]135<\/span><\/td>\n<td style=\"text-align: center; width: 20.1111%; height: 25px;\"><span style=\"font-weight: 400;\">2024-02-23<\/span><\/td>\n<td style=\"text-align: center; width: 16.817%; height: 25px;\"><span style=\"font-weight: 400;\">2024-03-06<\/span><\/td>\n<td style=\"width: 74.6076%; height: 25px;\"><span style=\"font-weight: 
400;\">JavaScript<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2><strong>Additional resources<\/strong><\/h2>\n<ul>\n<li><a href=\"https:\/\/www.ic3.gov\/PSA\/2025\/PSA250226\" target=\"_blank\" rel=\"noopener\">North Korea Responsible for $1.5 Billion Bybit Hack<\/a> \u2013 Internet Crime Complaint Center (IC3)<\/li>\n<li><a href=\"https:\/\/www.fbi.gov\/news\/press-releases\/fbi-dc3-and-npa-identification-of-north-korean-cyber-actors-tracked-as-tradertraitor-responsible-for-theft-of-308-million-from-bitcoindmmcom\" target=\"_blank\" rel=\"noopener\">FBI, DC3, and NPA Identification of North Korean Cyber Actors, Tracked as TraderTraitor, Responsible for Theft of $308 Million USD from Bitcoin.DMM.com<\/a> \u2013 FBI<\/li>\n<li><a href=\"https:\/\/github.blog\/security\/vulnerability-research\/security-alert-social-engineering-campaign-targets-technology-industry-employees\/\" target=\"_blank\" rel=\"noopener\">Security alert: social engineering campaign targets technology industry employees<\/a> \u2013 GitHub Blog<\/li>\n<li><a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/north-korea-supply-chain\" target=\"_blank\" rel=\"noopener\">North Korea Leverages SaaS Provider in a Targeted Supply Chain Attack<\/a> \u2013 Mandiant, Google Cloud<\/li>\n<\/ul>\n","protected":false},
"excerpt":{"rendered":"<p>The North Korean state-sponsored group Slow Pisces (Jade Sleet) targeted cryptocurrency developers with a social engineering campaign that included malicious coding challenges.<\/p>\n","protected":false},
"author":366,"featured_media":138789,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[8737,8827,8791],"tags":[8894,8885,8895,8896,8897,8898,8886],"product_categories":[8892,8893,8888],"coauthors":[8711],"class_list":["post-141786","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybercrime-pt-br","category-threat-actor-groups-pt-br","category-malware-pt-br","tag-cryptocurrency-pt-br","tag-dprk-pt-br","tag-github-pt-br","tag-infostealer-pt-br","tag-javascript-malware-pt-br","tag-slow-pisces-pt-br","tag-social-engineering-pt-br","product_categories-advanced-dns-security-pt-br","product_categories-cloud-delivered-security-services-pt-br","product_categories-unit-42-incident-response-pt-br"],
"yoast_head_json":{"title":"Slow Pisces Targets Developers With Coding Challenges and Introduces New Customized Python Malware","description":"The North Korean state-sponsored group Slow Pisces (Jade Sleet) targeted cryptocurrency developers with a social engineering campaign that included malicious coding challenges.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/origin-unit42.paloaltonetworks.com\/pt-br\/slow-pisces-new-custom-malware\/","og_locale":"pt_BR","og_type":"article","og_title":"Slow Pisces Targets Developers With Coding Challenges and Introduces New Customized Python Malware","og_description":"The North Korean state-sponsored group Slow Pisces (Jade Sleet) targeted cryptocurrency developers with a social engineering campaign that included malicious coding challenges.","og_url":"https:\/\/origin-unit42.paloaltonetworks.com\/pt-br\/slow-pisces-new-custom-malware\/","og_site_name":"Unit 42","article_published_time":"2025-04-14T21:13:41+00:00","article_modified_time":"2025-06-19T18:04:31+00:00","og_image":[{"width":1920,"height":900,"url":"https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/03\/Pisces-NK-A-1920x900-1.png","type":"image\/png"}],"author":"Prashil Pattni","twitter_card":"summary_large_image",
"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/origin-unit42.paloaltonetworks.com\/pt-br\/slow-pisces-new-custom-malware\/#article","isPartOf":{"@id":"https:\/\/origin-unit42.paloaltonetworks.com\/pt-br\/slow-pisces-new-custom-malware\/"},"author":{"name":"Sheida Azimi","@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/7ee97ec6f224446d57c0383eb5fd3639"},"headline":"Slow Pisces Targets Developers With Coding Challenges and Introduces New Customized Python Malware","datePublished":"2025-04-14T21:13:41+00:00","dateModified":"2025-06-19T18:04:31+00:00","mainEntityOfPage":{"@id":"https:\/\/origin-unit42.paloaltonetworks.com\/pt-br\/slow-pisces-new-custom-malware\/"},"wordCount":3532,"commentCount":0,"image":{"@id":"https:\/\/origin-unit42.paloaltonetworks.com\/pt-br\/slow-pisces-new-custom-malware\/#primaryimage"},"thumbnailUrl":"https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/03\/Pisces-NK-A-1920x900-1.png","keywords":["Cryptocurrency","DPRK","GitHub","Infostealer","JavaScript Malware","Slow Pisces","social engineering"],"articleSection":["Cybercrime","Threat actor groups","Malware"],"inLanguage":"pt-BR"},
{"@type":"WebPage","@id":"https:\/\/origin-unit42.paloaltonetworks.com\/pt-br\/slow-pisces-new-custom-malware\/","url":"https:\/\/origin-unit42.paloaltonetworks.com\/pt-br\/slow-pisces-new-custom-malware\/","name":"Slow Pisces Targets Developers With Coding Challenges and Introduces New Customized Python Malware","isPartOf":{"@id":"https:\/\/unit42.paloaltonetworks.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/origin-unit42.paloaltonetworks.com\/pt-br\/slow-pisces-new-custom-malware\/#primaryimage"},"image":{"@id":"https:\/\/origin-unit42.paloaltonetworks.com\/pt-br\/slow-pisces-new-custom-malware\/#primaryimage"},"thumbnailUrl":"https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/03\/Pisces-NK-A-1920x900-1.png","datePublished":"2025-04-14T21:13:41+00:00","dateModified":"2025-06-19T18:04:31+00:00","author":{"@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/7ee97ec6f224446d57c0383eb5fd3639"},"description":"The North Korean state-sponsored group Slow Pisces (Jade Sleet) targeted cryptocurrency developers with a social engineering campaign that included malicious coding challenges.","inLanguage":"pt-BR"},
{"@type":"ImageObject","inLanguage":"pt-BR","@id":"https:\/\/origin-unit42.paloaltonetworks.com\/pt-br\/slow-pisces-new-custom-malware\/#primaryimage","url":"https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/03\/Pisces-NK-A-1920x900-1.png","contentUrl":"https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/03\/Pisces-NK-A-1920x900-1.png","width":1920,"height":900,"caption":"Pictorial representation of APT Slow Pisces. The silhouette of two fish and the Pisces constellation inside an orange abstract planet. Background of stars and swirling purple and blue colors."},
{"@type":"WebSite","@id":"https:\/\/unit42.paloaltonetworks.com\/#website","url":"https:\/\/unit42.paloaltonetworks.com\/","name":"Unit 42","description":"Palo Alto Networks","inLanguage":"pt-BR"},{"@type":"Person","@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/7ee97ec6f224446d57c0383eb5fd3639","name":"Sheida Azimi","image":{"@type":"ImageObject","inLanguage":"pt-BR","@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/image\/9213e49ea48b7676660bac40d05c9e3e","url":"https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2018\/11\/unit-news-meta.svg","contentUrl":"https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2018\/11\/unit-news-meta.svg","caption":"Sheida Azimi"},"url":"https:\/\/origin-unit42.paloaltonetworks.com\/pt-br\/author\/sheida-azimi\/"}]}}}