North Korean Hackers Target Crypto Job Seekers with PylangGhost Malware

Generated by AI AgentCoin World
Friday, Jun 20, 2025 12:06 am ET

A North Korean-aligned threat actor has been targeting job seekers in the crypto industry with new malware designed to steal passwords for crypto wallets and password managers. The malware, named PylangGhost, is a Python-based remote access trojan (RAT) linked to a North Korean-affiliated hacking collective known as Famous Chollima, also referred to as Wagemole. This group has been focusing on individuals with cryptocurrency and blockchain experience, primarily in India, using fake job interview campaigns and social engineering tactics.

The attackers create fraudulent job sites that mimic legitimate companies, such as Coinbase, Robinhood, and Uniswap. Victims are guided through a multi-step process: initial contact from fake recruiters, followed by invites to skill-testing websites where information gathering occurs. During fake interviews, victims are tricked into enabling video and camera access and into copying and executing malicious commands under the pretense of installing updated video drivers, resulting in the compromise of their device.

PylangGhost is a variant of the previously documented GolangGhost RAT and shares similar functionality. Upon execution, the commands enable remote control of the infected system and the theft of cookies and credentials from over 80 browser extensions. These include password managers and cryptocurrency wallets, such as MetaMask, 1Password, NordPass, Phantom, Bitski, Initia, TronLink, and MultiverseX. The malware can also carry out other tasks, including taking screenshots, managing files, stealing browser data, collecting system information, and maintaining remote access to infected systems.

This is not the first time North Korean-linked hackers have used fake jobs and interviews to lure their victims. In April, hackers linked to the $1.4 billion Bybit heist were targeting crypto developers using fake recruitment tests infected with malware. The use of AI-generated deepfakes to impersonate company executives during Zoom calls is a novel tactic, where victims are lured into downloading fake Zoom extensions that install a custom-built Mac malware suite. This suite includes info-stealers, keyloggers, and backdoors, demonstrating an unusually advanced level of tradecraft. The malware can monitor clipboard activity and execute commands when the screen is off, making it difficult to detect.

The initial access to the victim's system is gained through a seemingly benign meeting request sent via Telegram. The request includes a Google Meet invite hosted on Calendly, which redirects the user to a fake Zoom site controlled by the threat actors. During the Zoom call, AI-generated deepfakes of the victim's bosses ask them to install a 'Zoom extension' to fix a microphone issue. This extension is actually the malware that infects the system. The malware campaign is attributed to the North Korean APT subgroup known as BlueNoroff, a state-sponsored threat actor known for targeting cryptocurrencies since at least 2017. BlueNoroff has been involved in previous campaigns, such as "Contagious Interviews," where attackers posed as recruiters offering fake job interviews to steal credentials and establish long-term access.

The malware suite recovered from the infected Mac includes eight distinct malicious binaries, each with specific tasks. The primary implant, 'Telegram 2,' is written in Nim and embeds itself as a macOS LaunchDaemon to maintain persistence. It acts as a launchpad for other tools, including the Go-based 'Root Troy V4' backdoor and 'CryptoBot,' a dedicated crypto stealer that hunts for wallet data across various Web3 plugins. The attack also includes a C++ loader capable of process injection on macOS, an area rarely breached at this depth. Other significant payloads include XScreen, a keylogger with screen and clipboard capture capabilities, and NetChk, a decoy binary that runs infinite loops to muddy the system's process list.
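The LaunchDaemon persistence described above is something a defender can hunt for directly. The following triage script is an added example, not code from the article or from the researchers who analysed the suite; the user-writable path list, the impersonated-app heuristic, and the two sample plists are all constructed for illustration.

```python
import plistlib

# Paths a non-admin user can write to. Apple and properly packaged vendors install daemons
# under system paths, so a LaunchDaemon whose binary lives here is a classic persistence indicator.
USER_WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/")
# App names the campaign borrowed ('Telegram 2', fake Zoom extension); a daemon using them
# but not running from /Applications is worth a closer look. Heuristic, constructed for this example.
IMPERSONATED_APPS = ("telegram", "zoom")


def program_path(plist: dict) -> str:
    """Return the executable launchd would run: Program wins over ProgramArguments[0]."""
    if plist.get("Program"):
        return str(plist["Program"])
    args = plist.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def triage_launch_daemon(plist_bytes: bytes) -> list:
    """Return human-readable findings for one LaunchDaemon plist; an empty list means nothing odd."""
    plist = plistlib.loads(plist_bytes)
    findings = []
    path = program_path(plist)
    label = str(plist.get("Label", ""))
    if not path:
        return ["no Program/ProgramArguments: malformed or placeholder job"]
    if not path.startswith("/"):
        findings.append(f"relative program path {path!r} resolves against the daemon's cwd")
    if path.startswith(USER_WRITABLE_PREFIXES):
        findings.append(f"program {path!r} runs from a user-writable location")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        findings.append("RunAtLoad + KeepAlive: starts at boot and is respawned if killed")
    haystack = (label + " " + path).lower()
    if any(app in haystack for app in IMPERSONATED_APPS) and not path.startswith("/Applications/"):
        findings.append("label/path borrows an impersonated app name but does not run from /Applications")
    return findings


# Constructed sample plists: one ordinary vendor helper, one modelled on the persistence above.
BENIGN = plistlib.dumps({"Label": "com.example.helper", "Program": "/usr/libexec/example-helper",
                         "RunAtLoad": True})
SUSPECT = plistlib.dumps({"Label": "com.telegram.update",
                          "ProgramArguments": ["/Users/dev/Library/Telegram 2/telegram2", "--daemon"],
                          "RunAtLoad": True, "KeepAlive": True})

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, triage_launch_daemon(blob) or ["clean"])
```

On a real host the same function can be fed every file under /Library/LaunchDaemons and /Library/LaunchAgents, with code-signature checks layered on top.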

To mitigate the threat, experts recommend leveraging existing technical capabilities such as MDM platforms that enforce least privilege and prevent local admin access or unapproved installs. EDR solutions that offer real-time visibility into endpoint activity and alert on suspicious behavior are also essential. Layered defenses that combine user training with strong endpoint controls, policy enforcement, and behavioral analytics are not optional but essential in staying ahead of such sophisticated threats.
