Attention all crypto enthusiasts! Beware of North Korea’s latest attempt to steal your precious digital assets. A new info-stealing malware, aptly named “PylangGhost,” has been targeting job seekers in the crypto industry.
Cisco Talos recently discovered this Python-based remote access trojan (RAT), which they’ve linked to the infamous North Korean-affiliated hacking group, “Famous Chollima,” also known as “Wagemole.”
“Based on the advertised positions, it is clear that the Famous Chollima is broadly targeting individuals with previous experience in cryptocurrency and blockchain technologies.”
Fake job sites and tests a cover for malware
The attackers create fraudulent job sites that impersonate legitimate companies, such as Coinbase, Robinhood, and Uniswap. Victims are guided through a multi-step process that includes initial contact from fake recruiters who send invites to skill-testing websites where the information gathering occurs.
Next, the victims are lured into enabling video and camera access for fake interviews, during which they are tricked into copying and executing malicious commands under the pretense of installing updated video drivers. Running those commands compromises their device.
Payload targets crypto wallets
PylangGhost is a variant of the previously documented GolangGhost RAT, and shares similar functionality, Cisco Talos said.
Upon execution, the commands enable remote control of the infected system and the theft of cookies and credentials from over 80 browser extensions, Cisco Talos reported. These include password managers and cryptocurrency wallets such as MetaMask, 1Password, NordPass, Phantom, Bitski, Initia, TronLink, and MultiverseX.
Multitasking malware
The malware can carry out other tasks and execute numerous commands, including taking screenshots, managing files, stealing browser data, collecting system information, and maintaining remote access to infected systems.
The researchers also noted that it was unlikely that the threat actors used an artificial intelligence large language model to help write the code, based on the comments made within it.
Fake job lures not new
It is not the first time North Korean-linked hackers have used fake jobs and interviews to lure their victims. In April, hackers linked to the $1.4 billion Bybit heist were targeting crypto developers using fake recruitment tests infected with malware.
2025-06-20 07:08