
Crypto Job Scam Nightmare: North Korean RAT Steals Wallets

June 20, 2025 by Mishal Ali

Key Takeaways:

  • North Korea-linked group Famous Chollima escalates attacks using Python-based “PylangGhost” malware via fraudulent job portals.
  • Victims are lured into downloading malware disguised as video drivers during fake interview tests.
  • Malware extracts data from over 80 browser extensions, including popular crypto wallets and password managers.

Since mid-2024, the North Korean-aligned cybercriminal group Famous Chollima, also tracked as Wagemole, has launched increasingly deceptive campaigns targeting professionals in the crypto industry. These attacks, disguised as employment opportunities, rely on fake job listings at well-known companies such as Coinbase, Robinhood, and Uniswap.

The attackers attract unsuspecting candidates by posing as recruiters offering interviews. Once the user is engaged, they are directed to skill-testing portals, usually built with the React framework and made to resemble official company pages.

Candidates are required to complete tasks and submit personal information, after which they are asked to record a video for the interviewer. At this stage, the website prompts them to grant camera access and execute a malicious command supposedly required to install video drivers.

[Figure: fake skill-testing portal. Source: Cisco Talos]

Cisco Talos researchers discovered that these commands differ based on the target’s operating system and browser fingerprint. On Windows and macOS, users are shown detailed instructions to install what turns out to be a Trojan payload disguised as a ZIP file. Linux users, however, often encounter an error page, halting the malware installation process.

PylangGhost Replaces GolangGhost in Newer Campaigns

By late 2024, security researchers spotted a Remote Access Trojan tucked inside the final wave of phishing emails; the payload, named GolangGhost, was written in the Go language. Then, in May 2025, Cisco Talos revealed a fresh spin called PylangGhost; it used Python yet behaved almost exactly like its Go predecessor.

PylangGhost springs to life the moment a user runs the command shown on the fake interview page; that action pulls down a ZIP file packed with the Python malware. Inside sits nvidia.py, which starts the infection by establishing persistence in the Windows registry, generating a unique system ID, and connecting to its command-and-control (C2) server.

[Figure: PylangGhost infection chain. Source: Cisco Talos]

After that, it falls into a message loop, listening and waiting for orders. The RAT is split into six interchangeable modules: auto.py steals passwords and browser history, api.py handles C2 communication and encrypts it with RC4, and util.py handles file zipping. Researchers noted almost identical naming schemes in the Go and Python code, suggesting that one team, or at least tightly linked groups, wrote both versions.
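As an added defender-side example (not code from the article or from Cisco Talos), the script below reviews a `reg export` of a Windows Run key and flags autorun entries that launch a Python interpreter or a `.py` script from a user-writable path, the kind of footprint a Python RAT that persists via the registry would leave. The Run key as persistence location and every sample entry are assumptions: the article does not name the registry paths PylangGhost uses, and the dump below is constructed, with `nvidia.py` borrowed from the article as the lure filename.

```python
"""Hunt a .reg export for autorun entries that launch Python (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample of `reg export` output for an HKCU Run key; not real telemetry.
# The Run key is an assumed persistence location chosen for illustration only.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"NvDriverSvc"="\"C:\\Users\\alice\\AppData\\Local\\Temp\\nvidia\\pythonw.exe\" \"C:\\Users\\alice\\AppData\\Local\\Temp\\nvidia\\nvidia.py\""
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Tasks"="C:\\Users\\alice\\AppData\\Roaming\\Python\\python.exe C:\\Users\\alice\\Downloads\\task\\main.py"
'''

VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
PY_INTERPRETER = re.compile(r'(?i)\b(python\d*|pythonw\d*|py)\.exe\b')
PY_SCRIPT = re.compile(r'(?i)\S+\.py(?=["\s]|$)')
USER_WRITABLE = re.compile(r'(?i)\\Users\\[^\\]+\\(AppData|Downloads)\\|\\Temp\\')


@dataclass
class Finding:
    value_name: str
    command: str
    reasons: list = field(default_factory=list)


def parse_run_values(reg_text):
    """Yield (value name, command) pairs from a .reg export, undoing its escaping."""
    for line in reg_text.splitlines():
        m = VALUE_LINE.match(line.strip())
        if m:
            # .reg files escape quotes as \" and backslashes as \\ inside string data.
            data = m.group("data").replace('\\"', '"').replace("\\\\", "\\")
            yield m.group("name"), data


def hunt_python_autoruns(reg_text):
    """Return Findings for autorun commands that invoke a Python interpreter or script."""
    findings = []
    for name, cmd in parse_run_values(reg_text):
        reasons = []
        if PY_INTERPRETER.search(cmd):
            reasons.append("launches a Python interpreter")
        if PY_SCRIPT.search(cmd):
            reasons.append("passes a .py script")
        if reasons and USER_WRITABLE.search(cmd):
            reasons.append("binary/script lives under a user-writable path")
        if reasons:
            findings.append(Finding(name, cmd, reasons))
    return findings


if __name__ == "__main__":
    for f in hunt_python_autoruns(SAMPLE_REG_EXPORT):
        print(f"[!] {f.value_name}: {f.command}\n    -> {'; '.join(f.reasons)}")
```

On a live host the same function can be fed the output of `reg export` for each autorun key an organisation monitors; a legitimate Python-based tool will also trip it, so the reasons list is triage input, not a verdict.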

[Figure: module layout of the Go and Python variants. Source: Cisco Talos]

Credential Theft and Crypto Wallet Targeting

Once it settles on a device, the PylangGhost trojan begins a wide-ranging grab for private information. It can harvest data from more than eighty browser extensions, hunting down cookies, saved passwords, and secret keys.

Among its prized catches are crypto wallets such as MetaMask, Phantom, and TronLink, plus password vaults such as 1Password and NordPass. With these credentials in hand, attackers can drain digital wallets and impersonate legitimate users inside corporate accounts.

[Figure: targeted browser extensions. Source: Cisco Talos]

Sitting at the intersection of crypto and security, this operation highlights a growing brand of financially motivated espionage. Cisco Talos therefore advises anyone in the crypto space not to run unvetted shell commands and to double-check all work-related messages, especially those that ask for system-level installs.
