20-6-2025 – A North Korean-affiliated hacking syndicate, dubbed “Famous Chollima” or “Wagemole,” has unleashed a sophisticated Python-based malware named “PylangGhost” targeting cryptocurrency professionals, particularly in India. Cisco Talos, in a Wednesday report, exposed this remote access trojan (RAT) as a cunning tool designed to plunder passwords from crypto wallets and password managers, exploiting the ambitions of job seekers in the blockchain and cryptocurrency sectors. The group’s tactics hinge on elaborate social engineering schemes, masquerading as recruiters from reputable firms like Coinbase, Robinhood, and Uniswap to ensnare unsuspecting victims.
The attackers orchestrate fraudulent job platforms that mimic legitimate companies, guiding candidates through a deceptive multi-stage process. Initial outreach from sham recruiters funnels victims to skill-assessment websites, where data harvesting begins. The ruse deepens with fake interview invitations, during which victims are duped into enabling video and camera access and executing malicious commands under the guise of installing updated video drivers, unwittingly compromising their devices.
PylangGhost, a derivative of the previously identified GolangGhost RAT, grants hackers remote control over infected systems, pilfering credentials and cookies from over 80 browser extensions, including high-profile targets like MetaMask, 1Password, NordPass, Phantom, Bitski, Initia, TronLink, and MultiverseX.
Beyond credential theft, the malware’s versatility enables it to capture screenshots, manage files, gather system data, and maintain persistent remote access, amplifying its destructive potential. Based on comments embedded in the code, Cisco Talos noted that its structure suggests it was written without the help of artificial intelligence large language models (LLMs). This is not the first instance of North Korean-linked groups weaponising fake job offers; earlier in April, hackers tied to the $1.4 billion Bybit heist employed similar tactics, embedding malware in sham recruitment tests aimed at crypto developers.