- A North Korean-linked Hacking group is using fake crypto job offers to target job seekers mainly in India.
- The group deploys Python-based Malware, called “PylangGhost,” to steal credentials for crypto wallets and password managers.
- Victims are directed to fake job sites and tricked into running harmful commands during bogus interview processes.
- PylangGhost can steal browser cookies, manage files, take screenshots, and maintain remote access to compromised devices.
- The attackers focus on individuals with experience in cryptocurrency and blockchain technologies.
A hacking group affiliated with North Korea has targeted job seekers in the cryptocurrency industry using a new malware called "PylangGhost," according to security researchers at Cisco Talos. The group, known as "Famous Chollima" or "Wagemole," has mainly focused its efforts on India by creating fake recruitment campaigns and job sites that imitate legitimate organizations, such as Coinbase and Robinhood, to steal information.
The attackers invite victims to participate in job interviews through fraudulent sites and require them to perform technical tasks that secretly install malware on their computers. Cisco Talos reported that this malware, written in Python, enables remote control of the infected device and specifically targets credentials stored in browser extensions, including crypto wallets like MetaMask and password managers such as 1Password and NordPass.
The malicious software, which is a variant of the previously observed GolangGhost RAT, can execute a range of commands once installed. "Based on the advertised positions, it is clear that the Famous Chollima is broadly targeting individuals with previous experience in cryptocurrency and blockchain technologies," the researchers said in their report. The trojan allows attackers to steal cookies and credentials from over 80 different browser extensions, as well as take screenshots, collect system information, and control files on the infected machines.
Victims are typically asked to enable video and camera access for fake interviews, then instructed to run commands under the pretense of installing video drivers. These actions result in system compromise and data theft. Earlier similar campaigns from North Korean-linked groups have also targeted crypto industry employees through fake job and interview processes.
According to Cisco Talos, the code of PylangGhost does not appear to be written with assistance from Artificial Intelligence. In April, hackers linked to the $1.4 billion Bybit theft targeted crypto developers using malware-laden recruitment tests, demonstrating the continued use of this tactic by North Korean-backed threat actors.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Hyperliquid’s HYPE Token Plunges 6% After All-Time High Surge
- Circle Narrows Gap as USDC Gains Market Share on Tether’s USDT
- Elon Musk’s X to Add Payments, Investments & X-Branded Cards
- Wrapped Bitcoin on TRON Deemphasized Amid Transparency Issues
- Prenetics Buys $20M in Bitcoin, Hires Trump-Linked Crypto Advisor
