North Korea's 'PylangGhost' Scam: Fake Jobs Lure Crypto Workers, Warns Cisco Talos

Date: 2025-06-20 06:13:18 | By Gwendolyn Pierce

North Korean Hackers Unleash PylangGhost: A New Python-Based Malware Targeting Crypto Job Seekers

Holy smokes! Cisco's top-notch threat intelligence squad, Cisco Talos, just dropped the bomb on a slick new Python-based malware they're calling 'PylangGhost.' And guess what? It's the brainchild of none other than the notorious North Korean hacking crew, Famous Chollima!

Get this: according to Cisco Talos's latest blog post, PylangGhost is the go-to weapon for North Korea's cyber thugs, aiming straight at the hardware of folks hunting for jobs in the wild world of crypto.

PylangGhost ain't your average malware—it's a fresh-off-the-press Python-based remote access trojan, pulling moves like its predecessor, GolangGhost RAT, which Cisco Talos unearthed back in December 2024.

And here's the latest scoop: the cybersecurity gurus at Cisco Talos just caught Famous Chollima red-handed, using PylangGhost to sneak into Windows systems while still dishing out a Golang version for macOS users. The open-source data's pointing fingers at India, where most victims are falling prey to this digital menace.

These North Korean hackers, also known as "Wagemole," are notorious for their crafty attempts to swipe passwords, infiltrate crypto wallets, and snatch other juicy info through bogus job listings online.

How do North Korean hackers catch their victims?

Hold onto your hats, because the report spills the beans on how these hackers reel in their victims. They're using fake job interview campaigns, pulling off some seriously slick social engineering stunts. They set up sham job sites posing as big shots like Coinbase, Robinhood, and Uniswap.

The victims get roped into a multi-step dance led by fake recruiters. They're lured into opening sketchy skill-testing sites where their personal info gets scooped up like candy.

Then, as they prep for the fake interview, the user gets tricked into giving the site permission to tap into their camera and mic. That's when the fake recruiter pulls a fast one, coaxing them to copy and run malicious commands, all under the guise of installing fancy new video drivers.

Boom! Once those commands hit, PylangGhost swoops in, hijacking the device and handing the attackers the keys to the kingdom. They can now take over the infected device and swipe cookies and credentials from over 80 browser extensions.

We're talking full access to password managers and crypto wallets like MetaMask, 1Password, NordPass, Phantom, Bitski, Initia, TronLink, and MultiverseX. It's a digital heist of epic proportions!

And if you thought that was wild, get this: back in April, another North Korean hacking gang, Lazarus Group, pulled off similar stunts, deploying fake job apps laced with at least three strains of malware linked to North Korean cyber ops. The crypto world's on high alert, folks!
