A North Korean state-linked hacking group is deploying a sophisticated cyber campaign aimed at infiltrating top crypto firms through fake job application processes, according to new research by Cisco Talos.

The group, known as Famous Chollima, is distributing a Python-based remote access trojan (RAT) dubbed PylangGhost, which is disguised as part of a fake hiring process. Victims—primarily blockchain professionals in India—are being lured via polished fake career sites impersonating companies like Coinbase, Robinhood, and Uniswap.

Once a candidate fills out basic information and completes a staged technical assessment, they are prompted to run a terminal command that, under cover of the hiring process, installs the malware. The malicious code is bundled inside a ZIP file that contains a renamed Python interpreter (nvidia.py), Visual Basic scripts, and multiple modules that give the operator remote control of the host, including file transfer, browser data theft, and credential harvesting.
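The chain above leaves traces a process-creation log can catch. The following is an added example, not code from the Talos report or from the PylangGhost sample: a small detection pass over constructed Sysmon-style process-creation records (Event ID 1 fields Image, OriginalFileName and ParentImage). It flags the traits the article describes: a Python interpreter running under another file name, a process image without an executable extension, and a Visual Basic script host launching a child out of a user-writable directory. Every record, path, rule name and threshold is constructed for the example, and rule 1 assumes the renamed interpreter still carries python.exe in its PE version information.

```python
"""
Added example, not from the Talos report: a detection pass over constructed
Sysmon-style process-creation records.  All records, paths and rules are
constructed for illustration; tune them before use.
"""
from pathlib import PureWindowsPath
from typing import Dict, List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
EXEC_EXTENSIONS = {".exe", ".com", ".scr"}
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\")


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def flag_process_event(ev: Dict[str, str]) -> List[str]:
    """Return the names of the rules this record matches (empty if none)."""
    hits: List[str] = []
    image = ev.get("Image", "")
    name = _basename(image)
    ext = PureWindowsPath(image).suffix.lower()
    original = ev.get("OriginalFileName", "").lower()
    parent = _basename(ev.get("ParentImage", ""))

    # 1. PE version info says python.exe, but the file on disk is called
    #    something else (assumes the interpreter's OriginalFileName survived
    #    the rename, which is the usual case for a plain file rename).
    if original == "python.exe" and name != "python.exe":
        hits.append("renamed_python_interpreter")
    # 2. A process image whose extension is not one Windows normally runs.
    if ext and ext not in EXEC_EXTENSIONS:
        hits.append("non_executable_extension_as_image")
    # 3. wscript/cscript spawning a child from a user-writable location.
    if parent in SCRIPT_HOSTS and any(p in image.lower() for p in USER_WRITABLE):
        hits.append("script_host_spawn_from_user_dir")
    return hits


# Constructed records: two benign processes, one matching the described
# chain, and a benign script-host child to show rule 3 stays quiet on
# system paths.
EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Image": r"C:\Python312\python.exe", "OriginalFileName": "python.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Users\dev\AppData\Local\Temp\nvidia\nvidia.py", "OriginalFileName": "python.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"Image": r"C:\Windows\System32\net.exe", "OriginalFileName": "net.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
]


def scan(events: List[Dict[str, str]] = EVENTS) -> Dict[str, List[str]]:
    """Map each flagged image path to the rules it tripped."""
    report: Dict[str, List[str]] = {}
    for ev in events:
        hits = flag_process_event(ev)
        if hits:
            report[ev["Image"]] = hits
    return report


if __name__ == "__main__":
    for image, rules in scan().items():
        print(image, "->", ", ".join(rules))
```

Rule 1 is the most specific of the three; rules 2 and 3 are broad heuristics that will fire on some legitimate tooling and are best used to rank rather than alert on their own.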

PylangGhost is a rewrite of the earlier GolangGhost RAT, retaining similar naming conventions and functionality but built for Windows. Mac users are still targeted with the original Golang version, while Linux users do not appear to be targeted by this campaign.

Cisco notes that while there's no direct evidence of corporate network compromise, the broader goal appears to be preemptive infiltration—gaining access to individuals before they’re hired into sensitive roles at major firms.

The malware’s design allows it to extract credentials, session cookies, and wallet data from more than 80 popular browser extensions, including MetaMask, Phantom, and 1Password. All command-and-control traffic travels in HTTP packets encrypted with RC4. RC4 is a deprecated stream cipher (its use in TLS was prohibited by RFC 7465), and when a RAT uses it the key is typically fixed inside the sample, so the encryption hides traffic from casual inspection but not from an analyst who recovers the key; it also gives the operator no integrity protection for commands and responses.
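To make the RC4 point concrete, here is an added example, not code from the Talos report or from the PylangGhost sample. RC4 has no nonce, so every message sent under one static key is XORed with the same keystream; the block shows three consequences for a defender who captured the traffic: with the key pulled from the sample everything decrypts, without the key a single known plaintext (one message observed in a sandbox) recovers the keystream and decrypts the other captures up to its length, and with no authentication a captured command can be rewritten byte for byte. The key, the JSON envelope and the messages are all constructed for the example and say nothing about the real implant's message format.

```python
"""
Added example (not from the Talos report or the PylangGhost sample):
what RC4 with a static key does and does not protect.  The key, envelope
and messages below are constructed for illustration.
"""
from typing import List


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4: key scheduling (KSA) followed by PRGA output bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is its own inverse: the same call encrypts and decrypts."""
    return xor_bytes(data, rc4_keystream(key, len(data)))


# Hypothetical static key, standing in for one embedded in a sample.
STATIC_KEY = b"hypothetical-rc4-key"

# Constructed implant-to-C2 messages that share one JSON envelope.
MESSAGES = [
    b'{"id":"4f2a","cmd":"cookies","data":"session=abc123"}',
    b'{"id":"4f2b","cmd":"wallet","data":"seed words here"}',
    b'{"id":"4f2c","cmd":"creds","data":"user:hunter2"}',
]


def capture_traffic(key: bytes = STATIC_KEY, messages=MESSAGES) -> List[bytes]:
    """What a defender sees on the wire: every message under the same key."""
    return [rc4(key, m) for m in messages]


def decrypt_with_key(captures: List[bytes], key: bytes) -> List[bytes]:
    """Case 1: the key was recovered from the sample, so everything decrypts."""
    return [rc4(key, c) for c in captures]


def decrypt_with_known_plaintext(captures: List[bytes], known_index: int,
                                 known_plaintext: bytes) -> List[bytes]:
    """Case 2: no key, but one message's plaintext is known.  ciphertext XOR
    plaintext = keystream, and because the key never changes that keystream
    decrypts every other capture up to the known message's length."""
    keystream = xor_bytes(captures[known_index], known_plaintext)
    return [xor_bytes(c, keystream) for c in captures]


def tamper(capture: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Case 3: no MAC.  Flipping ciphertext bits flips the same plaintext
    bits, so a known substring can be rewritten without knowing the key."""
    if len(old) != len(new):
        raise ValueError("replacement must keep the length")
    patched = bytearray(capture)
    for k, (o, n) in enumerate(zip(old, new)):
        patched[offset + k] ^= o ^ n
    return bytes(patched)


if __name__ == "__main__":
    caps = capture_traffic()
    print(decrypt_with_key(caps, STATIC_KEY))
    print(decrypt_with_known_plaintext(caps, 0, MESSAGES[0]))
    off = MESSAGES[0].index(b"cookies")
    print(rc4(STATIC_KEY, tamper(caps[0], off, b"cookies", b"wallets")))
```

The keystream-reuse case is the one that matters most in practice: once any one capture has been paired with its plaintext, every other session under the same key is readable without touching the sample, which is why a fixed RC4 key is better thought of as obfuscation than as encryption.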

This campaign highlights the increasing sophistication of cyber operations linked to the DPRK, with malware now embedded in social engineering attacks targeting both individual and institutional actors in the crypto ecosystem.

#NorthKoreaHackers