North Korean threat actors have been deploying malware through fake crypto job sites, targeting blockchain professionals to steal wallet credentials, Cisco Talos says.

A North Korean-aligned threat actor has been targeting job seekers in the crypto industry with new malware that is designed to steal passwords for crypto wallets and password managers.

Cisco Talos reported on Wednesday that it found a new Python-based remote access trojan (RAT) it called “PylangGhost,” linking the malware to a North Korean-affiliated hacking collective called “Famous Chollima,” also known as “Wagemole.”

The hacking group has been targeting job seekers and employees with cryptocurrency and blockchain experience, primarily in India, with the attacks carried out through fake job interview campaigns using social engineering.

“Based on the advertised positions, it is clear that the Famous Chollima is broadly targeting individuals with previous experience in cryptocurrency and blockchain technologies.”

Fake job sites and tests a cover for malware

The attackers create fraudulent job sites that impersonate legitimate companies, such as Coinbase, Robinhood and Uniswap, and victims are guided through a multi-step process.

This includes initial contact from fake recruiters, who send invitations to skill-testing websites where the information gathering takes place.

Payload targets crypto wallets

PylangGhost is a variant of the previously documented GolangGhost RAT, and shares similar functionality, Cisco Talos said.

Once executed, the malware gives the attackers remote control of the infected system and the ability to steal cookies and credentials from more than 80 browser extensions, it reported.

These include password managers and cryptocurrency wallets such as MetaMask, 1Password, NordPass, Phantom, Bitski, Initia, TronLink and MultiverseX.

Multitasking malware

The malware can carry out other tasks and execute numerous commands, including taking screenshots, managing files, stealing browser data, collecting system information and maintaining remote access to infected systems.

The researchers also noted that it was unlikely that the threat actors used an artificial intelligence large language model to help write the code, based on the comments made within it.

Fake job lures not new

It is not the first time North Korean-linked hackers have used fake jobs and interviews to lure their victims.

In April, hackers linked to the $1.4 billion heist were reported to be targeting crypto developers with fake recruitment tests laced with malware.