‘PylangGhost’ Trojan Linked to Fake Job Campaigns Targeting Wallet Credentials
Cybersecurity researchers at Cisco Talos have uncovered a new Python-based malware campaign believed to be orchestrated by North Korean-linked hackers. The attack primarily targets cryptocurrency and blockchain professionals, particularly job seekers, through fake hiring websites and phishing interviews designed to steal sensitive credentials.
The newly identified malware, dubbed PylangGhost, has been attributed to a threat group known as Famous Chollima, also referred to as Wagemole. Cisco Talos released its findings in a report on Wednesday, warning of a rise in targeted attacks against crypto workers globally, with a concentration of activity in India.
How the Attack Works: Fake Job Listings as Entry Point
The hacking campaign begins with fraudulent job recruitment schemes, in which attackers impersonate recruiters from well-known cryptocurrency firms such as Coinbase, Uniswap, and Robinhood.
Victims are contacted via professional platforms or email and are invited to participate in multi-stage interviews, during which they are directed to bogus testing websites. These websites serve as data collection hubs where attackers gather personal and technical information.
“It is clear that Famous Chollima is broadly targeting individuals with prior experience in blockchain and cryptocurrency technologies,” Cisco Talos said in its analysis.
Social Engineering and Malware Deployment
During the so-called interview process, victims are asked to enable video and microphone access, often under the pretense of testing compatibility for remote roles. They are later instructed to install fake software updates, such as video drivers, which actually serve as vectors to deploy the PylangGhost remote access trojan (RAT).
This sophisticated form of social engineering is effective in convincing even experienced professionals to unknowingly compromise their own systems.
About the Malware: PylangGhost
PylangGhost is a modified version of the GolangGhost malware previously attributed to the same threat group. According to Cisco Talos, the new variant has similar features but is written in Python, allowing for rapid development and greater flexibility.
Once installed, PylangGhost enables full remote access to the infected system. It begins exfiltrating sensitive data, including:
- Cookies and saved passwords
- Cryptocurrency wallet credentials
- Password manager data
- Session tokens and browser extensions
The malware targets over 80 popular browser extensions, including those tied to:
- MetaMask
- Phantom
- 1Password
- NordPass
- Bitski
- Initia
- TronLink
- MultiverseX
Who Is Famous Chollima?
Famous Chollima is a long-known North Korean cyber threat actor believed to be connected to state-sponsored hacking operations. It has been active under multiple aliases and has historically targeted financial institutions, blockchain companies, and technology developers.
Security researchers believe that Wagemole or Famous Chollima operates as part of the Lazarus Group, which has been responsible for some of the most damaging cyberattacks linked to North Korea, including the $625 million Axie Infinity hack.
Crypto Industry Remains a Top Target
The cryptocurrency sector has become a prime target for cybercriminals and nation-state actors due to its decentralized nature, large asset holdings, and often limited internal security protocols.
A recent report by Chainalysis noted that over $51 billion in illicit crypto transactions occurred in 2024, with state-sponsored actors from North Korea responsible for a significant share.
Cisco Talos emphasized the need for companies and job seekers alike to exercise extreme caution during digital recruiting processes.
“Crypto professionals need to be especially alert to recruitment-based social engineering, as attackers exploit industry interest and remote work trends,” the firm warned.
What to Watch For: Key Red Flags
Cybersecurity professionals advise vigilance when engaging with unsolicited job opportunities in the crypto sector. Some key warning signs include:
- Email addresses not tied to official company domains
- Requests to download or install software for interviews
- Overly aggressive or rushed hiring processes
- Websites that mimic—but do not exactly match—official domains
Professionals are urged to cross-verify recruiter identities, only apply via official career portals, and avoid downloading any interview-related software unless vetted independently.
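As an added defender-side illustration (not code from the Cisco Talos report or from this article), the Python below turns the first and last red flags into a check: it classifies a recruiter's email address or interview link as official, lookalike or unrelated against an allow-list of the companies the article names as impersonated. The official domains and the sample addresses are constructed assumptions.

```python
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Constructed allow-list for the companies the article says were impersonated.
# Hypothetical values; a real deployment would load the employer's own list.
OFFICIAL_DOMAINS = {"coinbase.com", "uniswap.org", "robinhood.com"}
BRANDS = {d.rsplit(".", 1)[0] for d in OFFICIAL_DOMAINS}   # coinbase, uniswap, robinhood


def host_from_sender(sender: str) -> str:
    """Return the lowercase host of an email address or URL (scheme optional)."""
    if "@" in sender and "://" not in sender:
        return sender.rsplit("@", 1)[1].lower().rstrip(".")
    parsed = urlparse(sender if "://" in sender else "//" + sender)
    return (parsed.hostname or "").rstrip(".")


def registrable_domain(host: str) -> str:
    """Last two labels: enough for .com/.org, not for multi-part suffixes like .co.uk."""
    return ".".join(host.split(".")[-2:])


def classify_sender(sender: str, threshold: float = 0.8) -> str:
    """Map a recruiter address or link to 'official', 'lookalike' or 'unrelated'.

    official  : registrable domain is on the allow-list (subdomains included)
    lookalike : a brand name is embedded in the host, or the registered name is a
                near-miss spelling of a brand (mimics but does not exactly match)
    unrelated : no tie to any official domain, e.g. a free webmail account
    """
    host = host_from_sender(sender)
    domain = registrable_domain(host)
    if domain in OFFICIAL_DOMAINS:
        return "official"
    name = domain.rsplit(".", 1)[0]          # 'coinbase-jobs.com' -> 'coinbase-jobs'
    for brand in BRANDS:
        if brand in host:                    # brand used as a decoy label anywhere
            return "lookalike"
        if SequenceMatcher(None, name, brand).ratio() >= threshold:
            return "lookalike"               # typosquat such as 'coinbsae'
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample senders, one per outcome
    for s in ["careers@coinbase.com", "hr@coinbase-jobs.com", "talent@coinbsae.com",
              "https://coinbase.com.interview-portal.net/test", "jobs@example.net"]:
        print(f"{s:50} {classify_sender(s)}")
```

Anything other than `official` is a prompt to verify the recruiter through the company's own career portal before replying or downloading anything.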
Conclusion
The PylangGhost campaign underscores a worsening threat landscape for crypto professionals, as North Korean-linked threat actors continue to evolve their tactics. With fake job campaigns serving as the latest vehicle for malware deployment, the intersection of remote work culture and crypto sector targeting is becoming increasingly dangerous.
Security experts recommend that all cryptocurrency companies and professionals enhance their cybersecurity hygiene, including the use of multi-factor authentication, regular wallet audits, and endpoint protection tools.
As the blockchain sector continues to grow in value and influence, so too will the sophistication and persistence of cyber threats against its workforce.