In a new twist on phishing attacks, cybersecurity researchers have uncovered a North Korea-linked campaign targeting professionals in the blockchain and cryptocurrency industries using fake job offers to deploy custom malware. The operation, attributed to the hacker group Famous Chollima, involves sophisticated impersonations of legitimate crypto companies, including Coinbase, Uniswap, and Robinhood.
According to a report by Cisco’s Talos threat intelligence unit, the hackers are leveraging a new Python-based malware called PylangGhost, disguised as “video drivers” applicants are tricked into installing as part of a phoney interview process.
The latest campaign builds upon prior tactics used by the same group, which has been active since at least mid-2024. Previous efforts involved fake developer job ads and sham interviews, but the addition of the new malware marks a sharp evolution in technique and sophistication.
From Application to Infection
The attack begins when a targeted professional, typically a developer, marketer, or designer with crypto experience, is contacted by someone posing as a recruiter. After expressing interest, the victim is sent to a realistic-looking skill assessment site built with the React framework. The fraudulent platform mirrors the visual identity of top crypto firms.
After completing the fake assessment, applicants are instructed to film a short video introduction for the hiring team. To do this, they are told to install “video drivers” by copying and pasting commands into their system’s terminal.
Running those commands downloads a malicious ZIP file containing the PylangGhost malware.
What the Malware Does
Talos explains that the malware infects both Windows and macOS systems but does not impact Linux users. Once the script runs, it silently installs itself, configures autorun on startup, and establishes a backdoor connection to a command-and-control server.
PylangGhost, a Python variant of the previously known GolangGhost trojan, allows hackers to remotely access the compromised machine, harvest credentials, and extract browser data, including saved passwords and cryptocurrency wallet keys. It targets over 80 different browser extensions, including MetaMask, 1Password, NordPass, and Phantom.
The malware also gathers system information and listens for additional commands from the attackers. Communications with the server are encrypted using RC4, though the encryption key is transmitted along with the data; this undermines the encryption's protective value, but it still helps the malware avoid detection by blending in with legitimate traffic.
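The key-with-data weakness described above can be illustrated with an added example (not code from the Talos report or from the malware itself): a minimal RC4 implementation plus a decoder that recovers plaintext from a captured message when the key travels with it. The framing, a 16-byte key prepended to the ciphertext, is an assumption for illustration; the report does not specify PylangGhost's actual message layout.

```python
"""Added example: sending an RC4 key alongside the ciphertext gives no
confidentiality against anyone who can observe the traffic.

Assumed framing (illustrative only, not PylangGhost's real format):
    message = key (16 bytes) || rc4(key, plaintext)
"""

KEY_LEN = 16  # assumed framing: a 16-byte key prepended to each message


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4: key scheduling (KSA) then the keystream generator (PRGA).
    RC4 is symmetric, so the same function encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def frame_message(key: bytes, plaintext: bytes) -> bytes:
    """Build a message in the assumed layout: key followed by RC4 ciphertext."""
    if len(key) != KEY_LEN:
        raise ValueError("key must be exactly KEY_LEN bytes")
    return key + rc4(key, plaintext)


def recover_plaintext(captured: bytes) -> bytes:
    """What a network analyst can do with a captured message: the key sits in
    the first KEY_LEN bytes, so the payload decrypts with no secret at all."""
    if len(captured) < KEY_LEN:
        raise ValueError("captured message shorter than the assumed key prefix")
    key, ciphertext = captured[:KEY_LEN], captured[KEY_LEN:]
    return rc4(key, ciphertext)


if __name__ == "__main__":
    # Constructed sample beacon, not real C2 data.
    sample_key = bytes(range(0x10, 0x20))
    beacon = frame_message(sample_key, b'{"cmd":"sysinfo","host":"example-host"}')
    print(recover_plaintext(beacon))
```

The same observation is what lets a network sensor decode and inspect such beacons: any traffic that carries its own key can be decrypted inline for detection purposes.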
A Dual-Purpose Operation
The campaign appears to serve a twofold purpose. First, it enables the theft of sensitive personal and financial data from job seekers active in the cryptocurrency industry. Second, it may be designed to embed North Korean operatives in real companies, giving the regime long-term access to proprietary software systems, infrastructure, or funds.
Talos has confirmed only a limited number of victims so far, primarily based in India. No Cisco customers have been affected as of this writing. Analysts also noted that, unlike some recent malware strains, there is no indication that AI tools were used in the development of PylangGhost. Instead, the similarities between the Python and Go versions suggest they were created by the same set of developers.
Warning for the Crypto Workforce
This campaign is another stark reminder of the growing risks facing job seekers in the crypto sector. Talos warns applicants to be highly suspicious of any job process that involves installing unfamiliar software or entering terminal commands. Legitimate companies rarely, if ever, require this as part of an interview.
Security professionals are encouraged to review onboarding procedures, especially for remote roles, and to train teams to recognise social engineering threats. Monitoring systems for unusual outbound network traffic or unauthorised file downloads can provide early warning signs of a breach.
With cyberattacks becoming more targeted and technically advanced, the need for robust cybersecurity practices is more urgent than ever, especially in an industry as digitally exposed and financially valuable as crypto.