The North Korean hacker group Famous Chollima has developed a new trojan, PylangGhost. The perpetrators distribute it through fake interviews targeting professionals in the crypto industry, according to researchers from Cisco Talos.
How the Scheme Operates
The hackers create fraudulent websites that mimic well-known companies like Coinbase, Robinhood, and Uniswap.
Fake recruiters direct applicants to these sites to complete an assessment. Candidates are then asked to turn on their cameras for a video interview. To do so, they are told to run a console command that supposedly installs a video driver; in reality, the command downloads the malware.
Capabilities of the Trojan
PylangGhost is a remote access trojan (RAT) written in Python and designed for Windows systems. It is analogous to the previously known GolangGhost virus for macOS. Linux-based systems are not affected in these campaigns.
Once activated, the trojan gives the operators remote control over the infected system. It steals cookies and credentials from over 80 browser extensions. Targets include password managers such as 1Password and NordPass, as well as crypto wallets such as MetaMask, Phantom, Bitski, and TronLink.
The virus ensures hackers maintain persistent remote access to the infected system.
Researchers noted that the hackers likely did not use large language models to write the virus code.
India as the Primary Target
The perpetrators mainly target professionals from India. Experts highlighted this as part of a broader North Korean strategy. The group not only steals funds from exchanges but also attempts to infiltrate crypto companies to gather intelligence.
Dilip Kumar, Director of Digital South Trust, told Decrypt that to combat such incidents, “India must implement mandatory cybersecurity audits for blockchain companies and monitor fake job portals.”
“CERT-In should issue red alerts, and MEITY and NCIIPC should enhance global coordination in combating cross-border cybercrime,” he said.
Kumar also called for “strengthening legal provisions” under the Information Technology Act and “campaigns to raise digital awareness.”
Back in April, experts from Silent Push reported that the group Contagious Interview, linked to Lazarus, registered three shell companies to distribute malware. These firms are used to deceive users through fake interviews.
