North Korean-backed threat actors are reportedly utilizing novel malware distributed through fabricated cryptocurrency job platforms, specifically targeting blockchain industry professionals to illicitly obtain wallet credentials, according to cybersecurity firm Cisco Talos.
Cisco Talos revealed on Wednesday the discovery of a new Python-based remote access trojan (RAT) they’ve named “PylangGhost.” This malware has been attributed to a North Korean-linked hacking collective known as “Famous Chollima,” also recognized as “Wagemole.”
The hacking group has focused its efforts on job seekers and employees with expertise in cryptocurrency and blockchain technologies, with a notable concentration of attacks in India. These operations are conducted through elaborate fake job interview schemes that heavily rely on social engineering.
“The advertised positions clearly indicate that Famous Chollima is broadly targeting individuals with prior experience in cryptocurrency and blockchain technologies,” stated Cisco Talos in their report.
Deceptive Job Platforms and Tests Mask Malware Delivery
The attackers create fraudulent job websites that mimic legitimate companies such as Coinbase, Robinhood, and Uniswap. Victims are then guided through a multi-stage process designed to compromise their devices. This process often begins with initial contact from fake recruiters who send invitations to skill-testing websites, where the initial information gathering takes place.
Following this, victims are enticed to enable video and camera access for what they believe are legitimate job interviews. During these fake interviews, they are tricked into copying and executing malicious commands under the guise of installing updated video drivers. This ultimately leads to the compromise of their system.
Malware Engineered for Crypto Wallet Theft
Cisco Talos reports that PylangGhost is a variant of the previously identified GolangGhost RAT, sharing similar functionality. Once executed, the malicious commands grant remote control over the infected system and enable the theft of cookies and credentials. The malware specifically targets over 80 browser extensions, including password managers (1Password, NordPass) and popular cryptocurrency wallets (MetaMask, Phantom, Bitski, Initia, TronLink, MultiverseX).
Versatile Malware Capabilities
Beyond credential theft, the PylangGhost malware possesses a range of other capabilities. It can perform tasks like capturing screenshots, managing files on the infected system, extracting general browser data, collecting detailed system information, and maintaining persistent remote access to compromised devices.
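Because the campaign's value comes from extensions already installed on a victim's browser, a useful first step for a defender is an inventory of which users actually run the wallet and password-manager extensions named above. The following script is an added example for this article, not code from Cisco Talos or from PylangGhost: it walks a Chromium-style profile's `Extensions/<id>/<version>/manifest.json` tree, resolves Chrome's `__MSG_key__` localized names from `_locales`, and reports extensions whose name matches one of the products named on this page. The watch list, the word-boundary matching, the default profile paths and the `demo()` function that builds a constructed sample profile in a temporary directory are all assumptions of this example.

```python
import json
import os
import re
import sys
import tempfile
from pathlib import Path

# Product names taken from the Talos findings as quoted in this article.
# The category labels are this example's own grouping.
WATCHED_EXTENSIONS = {
    "metamask": "crypto wallet",
    "1password": "password manager",
    "nordpass": "password manager",
    "phantom": "crypto wallet",
    "bitski": "crypto wallet",
    "initia": "crypto wallet",
    "tronlink": "crypto wallet",
    "multiversex": "crypto wallet",
}


def extension_display_name(version_dir: Path, manifest: dict) -> str:
    """Resolve the manifest 'name'. Chrome stores localized names as
    '__MSG_<key>__' and keeps the real string under
    _locales/<default_locale>/messages.json."""
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        key = name[len("__MSG_"):-2]
        locale = manifest.get("default_locale", "en")
        messages_file = version_dir / "_locales" / locale / "messages.json"
        try:
            messages = json.loads(messages_file.read_text(encoding="utf-8"))
            name = messages.get(key, {}).get("message", name)
        except (OSError, ValueError):
            pass  # unreadable locale file: keep the raw placeholder
    return name


def find_watched_extensions(extensions_root) -> list:
    """Return (extension_id, display_name, category) for each installed
    extension whose name contains a watched product as a whole word."""
    root = Path(extensions_root)
    hits = []
    if not root.is_dir():
        return hits
    for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        for version_dir in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
            manifest_path = version_dir / "manifest.json"
            if not manifest_path.is_file():
                continue
            try:
                manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                continue  # skip malformed manifests rather than abort the scan
            name = extension_display_name(version_dir, manifest)
            lowered = name.lower()
            for watched, category in WATCHED_EXTENSIONS.items():
                # Whole-word match avoids e.g. "initia" matching "Initial Setup".
                if re.search(r"\b" + re.escape(watched) + r"\b", lowered):
                    hits.append((ext_dir.name, name, category))
                    break
    return hits


def default_extension_dirs() -> list:
    """Conventional Chrome 'Default' profile locations (assumed; adjust for
    other profiles or Chromium-based browsers)."""
    home = Path.home()
    return [
        Path(os.environ.get("LOCALAPPDATA", "")) / "Google" / "Chrome"
        / "User Data" / "Default" / "Extensions",
        home / "Library" / "Application Support" / "Google" / "Chrome"
        / "Default" / "Extensions",
        home / ".config" / "google-chrome" / "Default" / "Extensions",
    ]


def _write(path: Path, data: dict) -> None:
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(json.dumps(data), encoding="utf-8")


def demo() -> list:
    """Build a CONSTRUCTED sample profile (fake extension ids, fake names)
    in a temp dir and scan it, so the example runs offline."""
    root = Path(tempfile.mkdtemp()) / "Extensions"
    mm = root / "constructed-id-metamask" / "1.0.0"
    _write(mm / "manifest.json", {"name": "__MSG_appName__", "default_locale": "en"})
    _write(mm / "_locales" / "en" / "messages.json", {"appName": {"message": "MetaMask"}})
    _write(root / "constructed-id-1password" / "2.0.0" / "manifest.json",
           {"name": "1Password - Password Manager"})
    _write(root / "constructed-id-adblock" / "3.0.0" / "manifest.json",
           {"name": "Some Ad Blocker"})  # unrelated extension, must not match
    return find_watched_extensions(root)


if __name__ == "__main__":
    roots = sys.argv[1:] or [str(p) for p in default_extension_dirs()]
    for r in roots:
        for ext_id, name, category in find_watched_extensions(r):
            print(f"{category:17} {name!r:40} id={ext_id} ({r})")
```

Run it with no arguments to scan the conventional Chrome profile paths, or pass one or more `Extensions` directories explicitly; an empty result simply means none of the watched products are installed in that profile. Matching on the human-readable name rather than on store IDs keeps the script free of identifiers not present on this page, at the cost of missing an extension whose name differs from the product name.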
Researchers also noted that the code’s internal comments suggest it’s improbable that the threat actors utilized an artificial intelligence large language model in its development.
Recurrent Use of Fake Job Lures
The tactic of using fabricated job opportunities and interviews to ensnare victims is not new for North Korean-linked hacking groups. In April, hackers believed to be connected to the $1.4 billion Bybit heist were observed targeting crypto developers with malicious recruitment tests that contained malware.