A North Korean-backed hacking group dubbed Jumpy Pisces has teamed up with a prominent ransomware collective, according to threat research out last week from Palo Alto Networks.
The report indicates that a recent ransomware incident revealed an unusual alliance between North Korean hackers and the infamous Play ransomware gang. However, the specifics of the attack and the methods Palo Alto’s Unit 42 threat intelligence team used to confirm the collaboration were not fully disclosed.
The DPRK operatives are believed to be linked to the regime’s Reconnaissance General Bureau. The collaboration, the first of its kind that Unit 42 has observed between a North Korean state actor and a criminal ransomware crew, suggests Pyongyang may be moving beyond its usual espionage and financial-theft operations and into partnerships with established ransomware groups.
While Pyongyang has previously relied on ransomware and cryptocurrency theft to fund its military, partnering with an independent criminal group like Play marks a significant shift. This alliance suggests an expansion in North Korea’s hacking strategy, one that could see the regime’s operatives potentially targeting a broader range of victims.
Unit 42 assessed the collaboration with “moderate confidence,” citing key indicators such as the reuse of a compromised account. This account, initially accessed by Jumpy Pisces in an unnamed organization, was later used by Play to launch ransomware.
Play is known in the global cybercriminal community for high-profile ransomware attacks in which the group steals sensitive organizational data and holds it hostage for ransom. Among its more noteworthy attacks, the group has hit Argentina’s judiciary and Swiss media outlets, causing disruption and significant financial losses for both victims.
North Korean involvement was uncovered during an incident response engagement in early September. Unit 42’s investigation revealed that Jumpy Pisces had first breached the organization’s network in May.
The report states that the attack began when Jumpy Pisces accessed the victim’s network through a compromised user account. The group then moved undetected across the network for months, using advanced tools to maintain control, steal data, and escalate privileges.
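The account-reuse indicator that Unit 42 leans on is something defenders can hunt for themselves once an intrusion has been scoped. The following is an added example, not Unit 42's tooling and not data from the report: it parses a constructed authentication log in an assumed key=value format, takes a list of accounts already tied to an earlier intrusion together with the date they were first abused, treats the account's activity in the first weeks after that date as the known intrusion's footprint, and then reports every later successful logon by the same account, noting how long the account had been quiet and whether the source address or target host is new. The log format, host names, account name and dates are all made up for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumed key=value logon format; a real deployment would map Windows 4624 events or a SIEM export to these fields.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"event=(?P<event>\S+) status=(?P<status>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log, not data from the Unit 42 report. One service account is used
# in early May, touched again two weeks later, then goes quiet until a burst of activity
# from a new source address in early September.
SAMPLE_LOGS = """\
2024-05-03T02:14:09Z host=WS-0412 user=svc_backup event=logon status=success src=10.2.7.55
2024-05-03T02:16:40Z host=FS-01 user=svc_backup event=logon status=success src=10.2.7.55
2024-05-04T23:05:12Z host=DC-01 user=svc_backup event=logon status=success src=10.2.7.55
2024-05-20T09:30:01Z host=FS-01 user=svc_backup event=logon status=success src=10.2.7.55
2024-07-02T10:00:00Z host=WS-0021 user=alice event=logon status=success src=10.4.1.12
2024-09-02T01:41:27Z host=DC-01 user=svc_backup event=logon status=success src=10.9.3.140
2024-09-02T01:43:58Z host=HV-02 user=svc_backup event=logon status=success src=10.9.3.140
2024-09-02T01:44:30Z host=HV-02 user=svc_backup event=process status=success src=10.9.3.140
2024-09-03T07:12:00Z host=WS-0021 user=alice event=logon status=success src=10.4.1.12
"""

# Accounts the earlier intrusion is known to have used, with the date each was first abused (constructed).
FLAGGED_ACCOUNTS = {"svc_backup": datetime(2024, 5, 3, tzinfo=timezone.utc)}


def parse_logs(text):
    """Parse log lines into dicts with a UTC datetime, sorted by time; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def find_reuse(events, flagged, baseline_days=30):
    """For each flagged account, learn the source addresses and hosts it touched during the
    first baseline_days after its compromise date, then report every later successful logon
    with the quiet gap since the previous logon and whether the src/host is new."""
    findings = []
    last_seen = {}
    known_src = defaultdict(set)
    known_hosts = defaultdict(set)
    for r in events:
        if r["event"] != "logon" or r["status"] != "success":
            continue
        user = r["user"]
        if user not in flagged or r["ts"] < flagged[user]:
            continue
        prev = last_seen.get(user)
        gap = (r["ts"] - prev).days if prev else 0
        if (r["ts"] - flagged[user]).days < baseline_days:
            # Still inside the known intrusion window: just record its footprint.
            known_src[user].add(r["src"])
            known_hosts[user].add(r["host"])
        else:
            findings.append({
                "user": user, "ts": r["ts"].isoformat(), "host": r["host"], "src": r["src"],
                "gap_days": gap,
                "new_source": r["src"] not in known_src[user],
                "new_host": r["host"] not in known_hosts[user],
            })
        last_seen[user] = r["ts"]
    return findings


def run_sample():
    """Run the detection over the constructed sample; returns the findings list."""
    return find_reuse(parse_logs(SAMPLE_LOGS), FLAGGED_ACCOUNTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['ts']} {f['user']} -> {f['host']} from {f['src']} "
              f"(quiet {f['gap_days']}d, new src={f['new_source']}, new host={f['new_host']})")
```

On the sample this reports the two September logons and nothing else: the first comes 104 days after the account's previous use and from an address the May intrusion never touched, the second lands on a host the May intrusion never reached. The more important question such a finding raises is operational rather than analytical: why a credential known to have been abused in May was still valid months later.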
After breaching the network, Jumpy Pisces moved laterally across systems, deploying its custom DTrack malware along the way. DTrack covertly collects information from infected hosts and disguises the stolen data as GIF files to evade detection. In early September, the group handed off its access to Play, which then deployed ransomware that crippled the network.
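DTrack's habit of parking stolen data in files that look like GIFs gives incident responders a concrete triage check: does a file that claims to be a GIF actually end where the GIF format says it should? The following is an added example, not code from Unit 42 and not a description of DTrack's actual file layout. It walks the GIF block structure to find the real trailer byte, reports anything appended after it, and separately flags a file that carries a GIF name but no GIF header at all. The sample bytes and file names are constructed; the archive signatures it looks for are the standard ZIP, RAR and 7z magic numbers, and which format DTrack uses is not stated on this page.

```python
import struct

GIF_HEADERS = (b"GIF87a", b"GIF89a")
# Common archive magic numbers (standard values); which one, if any, DTrack uses is not stated here.
ARCHIVE_SIGNATURES = {
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
    b"7z\xbc\xaf\x27\x1c": "7z",
}


def _skip_subblocks(data, pos):
    """Advance past a chain of GIF data sub-blocks; return the offset after the 0x00 terminator."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        size = data[pos]
        pos += 1
        if size == 0:
            return pos
        pos += size


def gif_end_offset(data):
    """Walk the GIF block structure and return the offset just past the 0x3B trailer.
    Raises ValueError for anything that is not a structurally complete GIF."""
    if len(data) < 13 or data[:6] not in GIF_HEADERS:
        raise ValueError("not a GIF header")
    _w, _h, packed, _bg, _aspect = struct.unpack("<HHBBB", data[6:13])
    pos = 13
    if packed & 0x80:  # global colour table present: 3 bytes per entry, 2^(n+1) entries
        pos += 3 * (2 ** ((packed & 0x07) + 1))
    while True:
        if pos >= len(data):
            raise ValueError("truncated: no trailer")
        block = data[pos]
        pos += 1
        if block == 0x3B:  # trailer
            return pos
        if block == 0x21:  # extension: one label byte, then sub-blocks
            pos = _skip_subblocks(data, pos + 1)
        elif block == 0x2C:  # image descriptor: 9 bytes, optional local colour table, LZW size, sub-blocks
            if pos + 9 > len(data):
                raise ValueError("truncated image descriptor")
            lpacked = data[pos + 8]
            pos += 9
            if lpacked & 0x80:
                pos += 3 * (2 ** ((lpacked & 0x07) + 1))
            pos = _skip_subblocks(data, pos + 1)
        else:
            raise ValueError(f"unexpected block id 0x{block:02x} at offset {pos - 1}")


def classify(data):
    """Return a verdict string for bytes that were presented as a GIF."""
    if data[:6] not in GIF_HEADERS:
        for sig, name in ARCHIVE_SIGNATURES.items():
            if data.startswith(sig):
                return f"not-gif:{name}"
        return "not-gif:unknown"
    try:
        end = gif_end_offset(data)
    except ValueError:
        return "malformed-gif"
    tail = data[end:]
    if not tail:
        return "clean-gif"
    for sig, name in ARCHIVE_SIGNATURES.items():
        if tail.startswith(sig):
            return f"gif-with-appended-{name}"
    return f"gif-with-appended-data:{len(tail)}"


# Constructed 1x1 GIF: global colour table, one graphic control extension, one image, trailer.
CLEAN_GIF = (
    b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00"
    + b"\x00\x00\x00\xff\xff\xff"
    + b"\x21\xf9\x04\x01\x00\x00\x00\x00"
    + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"
    + b"\x02" + b"\x02\x44\x01\x00"
    + b"\x3b"
)

# Constructed test cases; the "zip" bytes are only a local-file-header signature plus filler.
SAMPLES = {
    "photo.gif": CLEAN_GIF,
    "loot.gif": CLEAN_GIF + b"PK\x03\x04" + b"\x14\x00" + b"\x00" * 26,
    "banner.gif": b"PK\x03\x04" + b"\x00" * 28,
    "cut.gif": CLEAN_GIF[:-1],
    "trailing.gif": CLEAN_GIF + b"\r\n",
}


def scan(samples):
    """Classify each named blob; returns {name: verdict}."""
    return {name: classify(blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:14} {verdict}")
```

Image viewers stop reading at the trailer and ignore whatever follows, which is exactly why appending a payload to a real image works as a disguise; a couple of stray bytes after the trailer can also come from benign tooling, so treat the generic appended-data verdict as a lead to pull the file rather than as a conviction.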
The full extent of this new relationship remains unclear. Play typically operates as a closed group and says it is not a Ransomware-as-a-Service (RaaS) operation, the model in which affiliates rent the ransomware and supporting infrastructure and split any proceeds with its developers. The findings indicate that this new alliance “will increasingly target a wide range of victims globally.”
“It remains unclear whether Jumpy Pisces has officially become an affiliate of the Play ransomware group or if they acted as an Initial Access Broker (IAB) by selling network access to Play ransomware actors,” the report states. IABs sell footholds in already-compromised networks, such as stolen credentials or remote-access sessions, to other criminals on underground forums.
Pyongyang’s digital army stands apart from other nation-states because its cyber operations primarily focus on financial gain rather than high-profile hacks intended to influence global political discourse. The North has deployed covert operatives worldwide, posing as legitimate technology workers to infiltrate companies and execute long-term schemes that fund the DPRK’s weapons research.