Cisco Talos: New North Korean threat ‘PylangGhost’ targets crypto workers through fake job sites

Cisco’s threat intelligence organization, Cisco Talos, has detected a new Python-based malware called ‘PylangGhost.’ It is linked to the North Korean hacking group, Famous Chollima.

According to a recent blogpost by Cisco Tallos, the PylangGhost is exclusively used by North Korea-affiliated cyber threat actors to infiltrate the hardware belonging to job seekers looking for roles in the crypto industry.

The PylangGhost is a new kind of Python-based remote access trojan that functions similarly to the previously documented GolangGhost RAT that was discovered by Cisco Talos back in December 2024.

Most recently, the cybersecurity firm found that it has been actively used by the hacking group called Famous Chollima to infiltrate Windows systems, while continuing to deploy a Golang-based version for MacOS users. So far, open-source data indicates that most of the victims affected by the malware are based in India.

Famous Chollima is also nicknamed “Wagemole” because of their repeated attempts to steal passwords and infiltrate user’s crypto wallets as well as nab other sensitive information through fake job openings online.

How do North Korean hackers catch their victims?

According to the report, the hacker group lures its victims in through fake job interview campaigns using social engineering. The attackers then create fake job sites that impersonate major crypto firms, including Coinbase, Robinhood and Uniswap among others.

The victims are then required to take part in multiple steps, initiated by fake recruiters. They are then invited to open fraudulent skill-testing websites where their personal information is gathered.

When preparing for the fake interview, the user is then tricked into enabling permission for the site to access their camera and microphone access. During this phase, the fake recruiter will ask them to copy and execute malicious commands under the pretense of installing updated video drivers.

Upon command execution, the malware is able to infiltrate their device. The command enables remote control access of the infected device and grants attackers access to cookies and credentials from over 80 browser extensions.

These include access to password managers and cryptocurrency wallets, including MetaMask, 1Password, NordPass, Phantom, Bitski, Initia, TronLink and MultiverseX.

As previously reported by crypto in April, another North Korean hacking collective, Lazarus Group, have also used similar methods to lure in users. The attackers would deploy fake job applications with at least three strains of detected malware linked to North Korean cyber operations.