Cyber Threat: North Korean Hackers Exploit Crypto Job Interviews with Advanced Malware
North Korean state-sponsored hackers are employing a sophisticated campaign targeting cryptocurrency professionals through fake job interviews. The goal is to deploy new malware, PylangGhost (a Python-based remote access trojan, or RAT), to steal sensitive data and potentially recruit inside agents, according to threat intelligence research firm Cisco Talos.
The PylangGhost Malware
The malware, which Cisco Talos named PylangGhost, steals credentials and session cookies from more than 80 popular browser extensions, including password managers such as 1Password and cryptocurrency wallets such as MetaMask and Phantom. Once installed, the RAT maintains persistent remote access to the infected system through its command-and-control servers.
The campaign specifically targets Windows systems. Cisco Talos linked the malware and operation to the North Korean-affiliated hacking collective “Famous Chollima,” also known as Wagemole, which has previously conducted similar recruitment-based attacks since at least 2023, including campaigns like “Contagious Interview” and “DeceptiveDevelopment.”
A Targeted Deception Tactic
Fraudulent job sites impersonating legitimate crypto companies (Coinbase, Uniswap, Robinhood) are used to lure targets, primarily in India. Candidates are first directed to skill-testing websites and then invited to a video interview. During the remote interview they are tricked into running commands disguised as a legitimate video driver installation prompt (“autodriverfix online”), which hands the attackers access to their browser.
“Based on the advertised positions, it is clear that Famous Chollima is broadly targeting individuals with previous experience in cryptocurrency and blockchain technologies,” Talos noted.
Broader Context and Prevalence
This latest operation fits into North Korea’s broader pattern of crypto-centric cybercrime, exemplified by groups like Lazarus, responsible for major exchange heists. The focus appears to be widening from financial theft to gathering intelligence and infiltrating companies internally through compromised employees.
Recent examples include the March attack by “BlockNovas LLC” (later seized by the FBI) and incidents like the $50 million Radiant Capital hack earlier this year, where operatives sent malware-laden PDFs. Kraken also successfully identified and thwarted a similar North Korean applicant through basic identity verification.
The group maintains dozens of fake job portals and associated download servers, indicating significant organizational effort dedicated to this reconnaissance and compromise strategy.
Call for Stronger Defenses
Dileep Kumar H V, director at Digital South Trust, called for concrete measures against these emerging threats. He suggested India mandate cybersecurity audits for blockchain firms and monitor fake job websites.
“CERT-In should issue red alerts, while MEITY and NCIIPC must strengthen global coordination on cross-border cybercrime,” he said, additionally requesting “stronger legal provisions” under India’s IT Act and emphasizing “digital awareness campaigns” among potential victims.
Similar calls likely echo globally, given the persistent threat posed by sophisticated North Korean cyber operations facilitated by crypto heists, such as the recent $659 million confirmed theft across Japan, South Korea, and the US in 2024.