North Korea Targets Crypto Jobs With New Malware

A North Korean-aligned threat actor has been targeting job seekers in the crypto industry with new malware that is designed to steal passwords for crypto wallets and password managers.

Cisco Talos reported on Wednesday that it found a new Python-based remote access trojan (RAT) it called “PylangGhost,” linking the malware to a North Korean-affiliated hacking collective called “Famous Chollima,” also known as “Wagemole.”

The hacking group has been targeting job seekers and employees with cryptocurrency and blockchain experience, primarily in India, with the attacks carried out through fake job interview campaigns using social engineering.

“Based on the advertised positions, it is clear that the Famous Chollima is broadly targeting individuals with previous experience in cryptocurrency and blockchain technologies.”

Fake job sites and tests a cover for malware

The attackers create fraudulent job sites that impersonate legitimate companies, such as Coinbase, Robinhood and Uniswap, and victims are guided through a multi-step process.

This includes initial contact from fake recruiters who send invites to skill-testing websites where the information gathering occurs.

Sample of fake job website. Source: Cisco Talos

Next, the victims are lured into enabling video and camera access for fake interviews during which they are tricked into copying and executing malicious commands under the pretense of installing updated video drivers, resulting in the compromise of their device.

Payload targets crypto wallets

PylangGhost is a variant of the previously documented GolangGhost RAT, and shares similar functionality, Cisco Talos said.

Upon execution, the commands enable remote control of the infected system and the theft of cookies and credentials from over 80 browser extensions, it reported.

These include password managers and cryptocurrency wallets, including MetaMask, 1Password, NordPass, Phantom, Bitski, Initia, TronLink and MultiverseX.

*Instructions to download the payload. Source:* *Cisco Talos*

Multitasking malware

The malware can carry out other tasks and execute numerous commands, including taking screenshots, managing files, stealing browser data, collecting system information and maintaining remote access to infected systems.

Related: Scammers use fake crypto jobs, ‘GrassCall’ meeting app to drain wallets

The researchers also noted that it was unlikely that the threat actors used an artificial intelligence large language model to help write the code, based on the comments made within it.

Fake job lures not new

It is not the first time North Korean-linked hackers have used fake jobs and interviews to lure their victims.

In April, hackers linked to the $1.4 billion Bybit heist were targeting crypto developers using fake recruitment tests infected with malware.

Magazine: Arthur Hayes doesn’t care when his Bitcoin predictions are totally wrong

North Korea Targets Crypto Jobs With New Malware

Fake job sites and tests a cover for malware

Payload targets crypto wallets

Multitasking malware

Fake job lures not new

Leave a Reply Cancel reply

Fynancial Wins WealthManagement EDGE Tech Demos ‘Best in Show’

Sei Network Paves Way for $200 Billion AI Agent Economy

ETG’s Value-Oriented Investment Approach Could Generate Substantial Growth

Global Super-Prime Housing Markets Rally in 2025

Solana DEX Jupiter Suspends DAO Voting for 2025

Solana DEX Jupiter Pauses DAO Votes, Citing Breakdown in Trust

Bitcoin (BTC) Network Activity Declines Despite Price Surge

Gold Retreats from All-Time Highs: Market Reactions and Investment Insights

Tax Day 2025 Looms: Your Guide to Filing Before the April 15 Deadline

Gramercy Funds Eyes $1 Billion Milestone in Peru Private Debt Investments

Navigating Debt After Loss: Understanding Your Obligations for a Deceased Spouse’s Credit Cards