New Threat Targets Blockchain Workers Using Fake Interviews and Python-Based Malware
North Korean-linked cybercriminals have launched a targeted phishing campaign aimed at crypto professionals, using fake job interviews and malicious software to steal wallet credentials and password manager data.
According to a recent report by Cisco Talos, the malware — dubbed PylangGhost — is a Python-based remote access trojan (RAT) linked to the threat group Famous Chollima, also known as Wagemole. This hacking collective has a documented history of targeting crypto industry insiders, often under the guise of job recruitment.
Fake Job Sites Mimic Major Crypto Firms
Attackers use fraudulent websites that imitate well-known companies like Coinbase, Robinhood, and Uniswap, tricking victims into multi-step “interview” processes. These steps involve fake recruiters, skill-testing portals, and video interview setups.
During the interviews, targets are urged to enable video and camera access and are instructed to run terminal commands under the false pretense of installing video drivers — commands that silently download and execute the PylangGhost malware.
PylangGhost: A Stealthy Variant of GolangGhost
PylangGhost is a variant of the previously known GolangGhost RAT. It allows attackers to remotely control compromised devices and is equipped to steal cookies, browser credentials, and private keys from over 80 browser extensions.
This includes popular crypto wallets and password managers such as:
- MetaMask
- Phantom
- 1Password
- NordPass
- Bitski
- Initia
- TronLink
- MultiversX
The malware also supports additional capabilities, including:
- Taking screenshots
- Managing and deleting files
- Collecting system information
- Maintaining persistent remote access
Target Region and Threat Scope
The primary focus of this campaign appears to be blockchain developers and crypto professionals in India, though similar tactics have previously been observed in other regions. Cisco Talos researchers noted that the attackers likely did not use artificial intelligence to generate the malware, based on handwritten code comments and code structure.
Conclusion
This incident serves as a strong reminder that cybersecurity threats are evolving, especially in the crypto sector. Blockchain professionals must remain cautious of unsolicited job offers, particularly those that involve unfamiliar processes or technical instructions. Verifying company legitimacy and avoiding suspicious links or downloads remain critical for protecting both personal and financial data.

