
Recently, Cisco Talos unveiled a new Python-based remote access trojan (RAT) dubbed PylangGhost, used exclusively by a North Korean-aligned threat actor known as Famous Chollima (a.k.a. Wagemole). The campaign marks the latest evolution of North Korea’s cyber operations targeting cryptocurrency professionals and blockchain developers under the guise of fake job interviews.
“PylangGhost is functionally similar to the previously documented GolangGhost RAT, sharing many of the same capabilities,” Talos reported.
The campaign primarily targets Windows users, with a parallel GolangGhost variant deployed against macOS users. Linux systems are notably excluded from this wave of attacks.
“The attacks are targeting employees with experience in cryptocurrency and blockchain technologies,” the researchers noted, with most victims located in India, according to open-source intelligence.
In classic Contagious Interview (a.k.a. ClickFix) style, the attackers impersonate recruiters from well-known tech firms such as Coinbase, Uniswap, Robinhood, and Archblock. Victims are sent invitation codes directing them to skill-assessment websites built using React, where they are prompted to:
- Submit personal and professional information
- Grant camera access
- Copy and execute a malicious shell command, presented as a fix for video drivers
“Instructions for downloading the alleged fix are different based on the browser fingerprinting, and also given in appropriate shell language for the OS,” including PowerShell for Windows and Bash for macOS.
PylangGhost is a multi-stage Python malware framework disguised in a ZIP archive downloaded via the shell command. Once executed:
- A Visual Basic Script extracts and launches the malware.
- A renamed Python interpreter runs nvidia.py, which:
  - Establishes registry persistence
  - Connects to a C2 server
  - Launches the main command loop
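The execution chain above, turned into a hunting heuristic as an added example (not code from Talos or the report): it scores constructed Sysmon-style process and registry events for the traits the chain exhibits. Field names follow Sysmon; the paths, PIDs, values and the assumption that a renamed interpreter still carries OriginalFileName python.exe are mine.

```python
# Added example, not Talos code: a hunting heuristic for the chain above,
# run over constructed events shaped like Sysmon process and registry records.
from dataclasses import dataclass

@dataclass
class ProcEvent:
    pid: int
    parent_image: str        # Sysmon ParentImage
    image: str               # Sysmon Image (on-disk path)
    original_file_name: str  # Sysmon OriginalFileName (from PE version info)
    command_line: str

@dataclass
class RegEvent:
    pid: int
    target_object: str       # Sysmon TargetObject

RUN_KEY_FRAGMENT = "\\currentversion\\run\\"

def is_renamed_python(ev: ProcEvent) -> bool:
    # Renaming leaves PE version info intact: OriginalFileName still reads
    # python.exe (assumption) while the on-disk Image name does not.
    return (ev.original_file_name.lower() == "python.exe"
            and not ev.image.lower().endswith("\\python.exe"))

def hunt(procs, regs, min_hits=2):
    """Return (pid, reasons) for processes showing >= min_hits chain traits."""
    reg_by_pid = {}
    for r in regs:
        reg_by_pid.setdefault(r.pid, []).append(r.target_object.lower())
    findings = []
    for p in procs:
        reasons = []
        parent = p.parent_image.lower().rsplit("\\", 1)[-1]
        if parent in ("wscript.exe", "cscript.exe"):
            reasons.append("parent is Windows Script Host (VBS stage)")
        if is_renamed_python(p):
            reasons.append("renamed Python interpreter")
        if "nvidia.py" in p.command_line.lower():
            reasons.append("runs nvidia.py")
        if any(RUN_KEY_FRAGMENT in t for t in reg_by_pid.get(p.pid, [])):
            reasons.append("writes a Run key (registry persistence)")
        if len(reasons) >= min_hits:
            findings.append((p.pid, reasons))
    return findings

# Constructed sample telemetry: malicious chain (pid 4120) and a benign run.
SAMPLE_PROCS = [ProcEvent(4120, r"C:\Windows\System32\wscript.exe",
                          r"C:\Users\u\AppData\Local\Temp\drv\nvidia.exe",
                          "python.exe", "nvidia.exe nvidia.py"),
                ProcEvent(4300, r"C:\Windows\explorer.exe", r"C:\Python312\python.exe",
                          "python.exe", "python.exe app.py")]
SAMPLE_REGS = [RegEvent(4120, r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\nvidia")]
```

Requiring two or more traits keeps a legitimate Python run or a lone VBS launch from firing on its own; `min_hits` is the knob to tune against local noise.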
The Python RAT is modular, with six key components:
| Module | Functionality |
|---|---|
| nvidia.py | Main loop, C2 communication, persistence |
| config.py | Supported commands, RAT versioning |
| command.py | Command handler definitions |
| auto.py | Credential and cookie theft |
| api.py | RC4-encrypted C2 communications |
| util.py | File compression and decompression |
Commands received from the C2 server include:
- File operations (upload, download)
- Remote shell access
- System reconnaissance
- Cookie/credential theft from over 80 browser extensions
“These commands enable remote control of the infected system and the theft of cookies and credentials… including Metamask, 1Password, NordPass, Phantom, and TronLink,” the report confirms.
Interestingly, Talos found that the Python and Golang versions share highly similar function names, module structures, and command sets, suggesting shared development efforts.
By retooling existing malware in Python, Famous Chollima demonstrates its strategic intent to bypass OS-specific defenses and deceive job-seeking developers through highly tailored social engineering.