CyberSecurity news
FlagThis
@blog.talosintelligence.com
//
North Korean-aligned threat actor Famous Chollima, also known as Wagemole, is actively targeting cryptocurrency and blockchain professionals, primarily in India, using a newly discovered Python-based Remote Access Trojan (RAT) named PylangGhost. This RAT, identified by Cisco Talos in May 2025, serves as a Python-equivalent to their existing GolangGhost RAT, which was previously deployed against MacOS users. The threat actor seeks financial gain by creating fake employers for the purpose of jobseekers exposing their personal information, and second by deploying fake employees as workers in targeted victim companies.
This campaign involves a sophisticated operation where attackers impersonate recruiters from well-known tech firms like Coinbase, Robinhood, Uniswap, and Archblock. Victims are lured through fake job advertisements and skill-testing pages, directed to submit personal and professional information, grant camera access, and copy/execute a malicious shell command under the guise of installing video drivers. Instructions for downloading the alleged fix are different based on the browser fingerprinting, and also given in appropriate shell language for the OS, including PowerShell for Windows and Bash for MacOS.
PylangGhost is a multi-stage Python malware framework disguised in a ZIP archive downloaded via the shell command. Upon execution, a Visual Basic Script extracts and launches the malware. The framework consists of modular components that enable credential and cookie theft from over 80 browser extensions, file operations (upload, download), remote shell access, and system reconnaissance. The attackers are primarily targeting individuals with experience in cryptocurrency and blockchain technologies, utilizing skill-testing sites that impersonate legitimate companies to further their deception.
ImgSrc: media.mstdn.soc
References :
This campaign involves a sophisticated operation where attackers impersonate recruiters from well-known tech firms like Coinbase, Robinhood, Uniswap, and Archblock. Victims are lured through fake job advertisements and skill-testing pages, directed to submit personal and professional information, grant camera access, and copy/execute a malicious shell command under the guise of installing video drivers. Instructions for downloading the alleged fix are different based on the browser fingerprinting, and also given in appropriate shell language for the OS, including PowerShell for Windows and Bash for MacOS.
PylangGhost is a multi-stage Python malware framework disguised in a ZIP archive downloaded via the shell command. Upon execution, a Visual Basic Script extracts and launches the malware. The framework consists of modular components that enable credential and cookie theft from over 80 browser extensions, file operations (upload, download), remote shell access, and system reconnaissance. The attackers are primarily targeting individuals with experience in cryptocurrency and blockchain technologies, utilizing skill-testing sites that impersonate legitimate companies to further their deception.
ImgSrc: media.mstdn.soc
Share:
References :
- blog.talosintelligence.com: Talos Intelligence blog post about the Python version of GolangGhost RAT.
- Cisco Talos: Talos Security's post on Mastodon about Famous Chollima targeting cryptocurrency/blockchain professionals with the new PylangGhost RAT.
- Cisco Talos Blog: Famous Chollima deploying Python version of GolangGhost RAT
- hackread.com: N. Korean Hackers Use PylangGhost Malware in Fake Crypto Job Scam
- securityonline.info: PylangGhost: North Korean APT Deploys Python-Based RAT to Target Crypto Professionals
- securityonline.info: PylangGhost: North Korean APT Deploys Python-Based RAT to Target Crypto Professionals
- Virus Bulletin: Cisco Talos recently identified PylangGhost, a Python-based version of the GolangGhost RAT used exclusively by Famous Chollima, a North Korea-aligned threat actor.
Classification:
- HashTags: #APT #Cybersecurity #Malware
- Company: Talos
- Target: Cryptocurrency Professionals
- Attacker: Famous Chollima
- Product: PylangGhost RAT
- Feature: RAT
- Malware: PylangGhost
- Type: Malware
- Severity: Major