A North Korean state-sponsored threat group known as Jumpy Pisces (also called Andariel and APT45) has recently collaborated with the Play ransomware group, marking their first known partnership in deploying ransomware for financial gain. The activity, observed from May to September 2024, involved the use of a compromised user account to gain network access, followed by actions like credential harvesting and disabling endpoint detection to facilitate the ransomware attack. Jumpy Pisces, linked to North Korea’s Reconnaissance General Bureau, has previously deployed other ransomware strains, but this collaboration suggests an evolving strategy to generate revenue amidst economic sanctions. While Play has impacted around 300 organizations, it denies operating as a ransomware-as-a-service, hinting that Jumpy Pisces may have acted as an initial access broker instead.