A North Korean-linked hacking group has been targeting job seekers in the crypto industry with new malware designed to steal passwords for crypto wallets and password managers.
According to a Wednesday report from Cisco Talos, the threat actor—identified as “Famous Chollima,” also known as “Wagemole”—is behind a newly discovered Python-based remote access trojan (RAT) dubbed “PylangGhost.”
The group has primarily focused its attacks on individuals in India with experience in cryptocurrency and blockchain, using fake job interview campaigns and social engineering tactics to lure victims.
“Based on the advertised positions, it is clear that the Famous Chollima is broadly targeting individuals with previous experience in cryptocurrency and blockchain technologies.”
Fake Job Sites and Skill Tests Used as Front for Malware Attacks
The attackers set up fake job websites impersonating well-known companies like Coinbase, Robinhood, and Uniswap, leading victims through a carefully crafted, multi-step recruitment process.
It begins with outreach from fake recruiters, who then direct targets to skill-testing platforms—where the actual data harvesting and malware deployment take place.

Next, victims are persuaded to enable video and camera access for fake interviews, during which they’re tricked into copying and executing malicious commands under the guise of installing updated video drivers—ultimately leading to their devices being compromised.
Malware Payload Specifically Targets Crypto Wallets
Cisco Talos reported that PylangGhost is a variant of the previously documented GolangGhost RAT, sharing much of its core functionality.
Once executed, the malware enables remote control of the infected system and facilitates the theft of cookies and credentials from more than 80 browser extensions. These include popular password managers and crypto wallets such as MetaMask, 1Password, NordPass, Phantom, Bitski, Initia, TronLink, and MultiverseX.
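For responders scoping a suspected infection, the following added example (not code from Cisco Talos or from this article) inventories one Chromium profile's installed extensions and flags those whose names match the products listed above, so the affected credentials and wallets can be prioritized for rotation. The `Extensions/<id>/<version>/manifest.json` layout and `__MSG_key__` localized names are Chromium conventions; the directory argument and the whole-word matching rule are assumptions of this example.

```python
import json
import re
import sys
from pathlib import Path

# Product names the article lists as targeted (a subset of the 80+ extensions).
TARGETED = ["MetaMask", "1Password", "NordPass", "Phantom", "Bitski",
            "Initia", "TronLink", "MultiverseX"]


def display_name(version_dir):
    """Return the extension's display name, resolving __MSG_key__ placeholders."""
    manifest = json.loads((version_dir / "manifest.json").read_text(encoding="utf-8-sig"))
    name = str(manifest.get("name", ""))
    if not (name.startswith("__MSG_") and name.endswith("__")):
        return name
    # Localized name: look the key up in the default locale's messages.json.
    key = name[len("__MSG_"):-2].lower()
    locale = manifest.get("default_locale", "en")
    path = version_dir / "_locales" / locale / "messages.json"
    try:
        messages = json.loads(path.read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):
        return name
    for msg_key, entry in messages.items():
        # Chromium treats message keys as case-insensitive.
        if msg_key.lower() == key and isinstance(entry, dict):
            return str(entry.get("message", name))
    return name


def find_targeted_extensions(extensions_dir):
    """Map extension ID -> (display name, matched product) for one profile."""
    hits = {}
    for version_dir in sorted(Path(extensions_dir).glob("*/*")):
        try:
            name = display_name(version_dir)
        except (OSError, ValueError, AttributeError):
            continue  # missing or unparsable manifest: skip, do not abort
        for product in TARGETED:
            # Whole-word match so "Initia" does not flag "Initial ...".
            if re.search(rf"\b{re.escape(product)}\b", name, re.IGNORECASE):
                hits[version_dir.parent.name] = (name, product)
    return hits


if __name__ == "__main__" and len(sys.argv) > 1:
    for ext_id, (name, product) in find_targeted_extensions(sys.argv[1]).items():
        print(f"{ext_id}\t{name}\tmatches {product}")
```

A name match only shows that an extension is installed in the profile; display names can be chosen freely by an extension's author, so confirm each hit against the vendor's published extension ID before acting on it.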

Multitasking Malware
The malware is capable of performing a wide range of functions, including executing various commands, taking screenshots, managing files, stealing browser data, gathering system information, and maintaining persistent remote access to compromised devices.
Researchers also noted that, based on the code comments, it’s unlikely the threat actors used a large language model or AI assistance to develop the malware.
Fake Job Lures Are Nothing New in Cyberattacks
This isn’t the first time North Korean-linked hackers have used fake job offers and interviews as a tactic to ensnare victims.
Back in April, attackers connected to the $1.4 billion Bybit heist targeted crypto developers through bogus recruitment tests embedded with malware.

