Crypto Job Lures Lead to Malware Infections by North Korean Actors
Cisco Talos reports on a new RAT targeting cryptocurrency job seekers.
North Korean-aligned threat actors have been targeting job seekers in the cryptocurrency industry with a new remote access trojan (RAT), identified as “PylangGhost” by Cisco Talos.
According to the report published on Wednesday, PylangGhost is linked to the hacking collective known as “Famous Chollima” or “Wagemole.”
“Based on the advertised positions, it is clear that Famous Chollima is broadly targeting individuals with previous experience in cryptocurrency and blockchain technologies.”
Fake Job Sites and Tests a Cover for Malware
Fraudulent job sites impersonating legitimate companies like Coinbase, Robinhood, and Uniswap were used to initiate attacks.
Fraudulent job sites and fake skill tests served as successive stages of a multi-stage social engineering campaign.
Victims were tricked into enabling camera access and installing malicious drivers under the guise of video interviews, leading to device compromise.
Payload Targets Crypto Wallets
PylangGhost, a Python-based variant of the previously known GolangGhost RAT, enables remote device control and steals credentials from numerous browser extensions.
Upon execution, the malware steals cookies and credentials from password managers and cryptocurrency wallets including MetaMask, 1Password, Phantom, and others.
Multitasking Malware Capabilities
The malware offers extensive remote access and data exfiltration capabilities, including screenshot capture, file management, browser data theft, and system information gathering.
Cisco Talos noted that the code comments show no signs of AI model assistance, suggesting human authorship.
Fake Job Lures Not New
This tactic is consistent with known North Korean cybercrime patterns.
Similar recruitment-based attacks previously targeted crypto developers following the $1.4 billion Bybit exchange heist in April.