In May, a Python-based remote access trojan (RAT) called PylangGhost was discovered. The malware is distributed by DPRK hackers Famous Chollima because of the job offers in the cryptocurrency industry.
The Python-based virus targets Windows users, while the Golang version targets macOS users. So far, only a few people have been affected, mostly in India.
Since mid-2024, North Korean hackers Famous Chollima (also known as Wagemole) have been actively spreading various variants of the Contagious Interview virus (also known as DeceptiveDevelopment) and creating fake job ads and testing pages. In the latter case, users were prompted to copy and paste (ClickFix) a malicious command line command to install drivers required for the final stage of the skills test.
Late last year, researchers documented a remote access trojan (RAT) called GolangGhost in source code format. Last year, cybercriminals began deploying a functionally equivalent version of the GolangGhost trojan in Python, called PylangGhost.
Recruitment phishing sites mislead users to become infected with PylangGhost: first, by creating fake employers to obtain personal information from jobseekers, and second, by placing fake employees as workers in targeted victim companies.
The victims are experienced blockchain developers and crypto professionals, luring them with positions at well-known companies such as Coinbase, Archblock, Robinhood, Parallel Studios, Uniswap, and others. Each target receives an invitation code to visit a test website where, depending on the position, they are asked to enter their details and answer a few questions to test their experience and skills. The sites are built using the React framework and have a very similar visual design, regardless of the type of position.
After the user answers all the questions and provides personal data, the site shows an invitation to record a video for the interviewer, recommending that the user allow access to the camera by clicking a button. Finally, when the user grants access to the camera, the site asks to copy, paste, and execute a command to supposedly install the necessary video drivers. After downloading and installing, the virus begins to infiltrate the system.
After that, hackers are able to remotely control the infected system and steal cookies and credentials from more than 80 browser extensions, including password managers and cryptocurrency wallets: Metamask, 1Password, NordPass, Phantom, Bitski, Initia, TronLink, and MultiverseX.
Source: Cisco Talos
Spelling error report
The following text will be sent to our editors: