Cybersecurity researchers at Cisco Talos have uncovered a significant evolution in the toolkit of the North Korean-aligned threat group known as Famous Chollima.
The group has been running a dual-variant Remote Access Trojan (RAT) campaign against both Windows and macOS, aimed specifically at professionals with cryptocurrency and blockchain experience.
The original RAT, dubbed GolangGhost after its Go implementation, is now joined by a newly identified Python-based variant named PylangGhost.
GolangGhost had previously been observed against macOS targets; PylangGhost extends Famous Chollima's operations to Windows. Linux is not targeted in the current campaigns.
Deceptive Job Recruitment
The attack chain begins with fake online recruitment sites that impersonate well-known companies in the crypto and software industries, including Coinbase, Robinhood, and Uniswap.
These fake job portals invite professionals to submit personal details and complete elaborate skill assessment questionnaires hosted on React-based web frameworks.

After the questionnaire, targets are invited to record a video interview, which is the lure for deploying the RAT.
When the page asks for camera access, it instructs the user to run a command tailored to their operating system (PowerShell or cmd.exe on Windows, Bash on macOS) that downloads and installs the RAT under the guise of a video-driver update.

The command shown is selected from the visitor's OS and browser fingerprint so that the instructions fit the victim's environment and the infection is as likely as possible to succeed.
Technical Architecture of PylangGhost
PylangGhost is a multi-module Python program whose structure closely parallels GolangGhost.
Infection begins with a ZIP archive containing several Python modules and a Visual Basic Script (VBS) dropper.
The VBS script unpacks a bundled Python runtime and launches the RAT through a Python script disguised as a driver component, nvidia.py.
Once running, nvidia.py sets up autorun persistence, generates a unique GUID that identifies the host to the command-and-control (C2) server, and opens encrypted HTTP channels to the remote servers.
The RAT implements a command loop that listens for instructions to conduct espionage activities including file upload/download, OS shell execution, and extensive credential theft.
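The launch chain described above (a script host starting a bundled Python interpreter on nvidia.py from a user-writable directory, followed by an autorun entry) is the part a defender can catch in endpoint telemetry. The following is an added example written for this edit, not Cisco Talos code and not a published rule: it runs a small behavioural detection over constructed process-creation and registry events whose layout loosely mimics Sysmon event IDs 1 and 13. The pipe-delimited format, the PIDs, the user names and every file name except nvidia.py are assumptions.

```python
"""
Added example (not Cisco Talos code): a behavioural detection for the launch
chain described above, run over constructed telemetry.  The event layout and
field names loosely mimic Sysmon event ID 1 (process create) and event ID 13
(registry value set); the chain itself (a Windows script host starting
python.exe with nvidia.py from a user-writable path, then a Run-key autorun
entry) is an assumption drawn from the article, not a published rule, and
every file name except nvidia.py is a placeholder.
"""
import re
from dataclasses import dataclass

# Constructed telemetry, one event per line:
#   "<event_id>|<pid>|<ppid>|<image path>|<command line (EID 1) or registry target (EID 13)>"
SAMPLE_EVENTS = [
    "1|4100|3200|C:\\Windows\\explorer.exe|explorer.exe",
    "1|4212|4100|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe",
    "1|4300|4212|C:\\Windows\\System32\\wscript.exe|wscript.exe C:\\Users\\dev\\AppData\\Local\\Temp\\drv\\update.vbs",
    "1|4350|4300|C:\\Users\\dev\\AppData\\Local\\Temp\\drv\\python\\python.exe|python.exe nvidia.py",
    "13|4350|4300|C:\\Users\\dev\\AppData\\Local\\Temp\\drv\\python\\python.exe|HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\nvidia",
    # Benign noise: a developer's own interpreter from a normal install path
    "1|5000|3200|C:\\Python312\\python.exe|python.exe -m pytest",
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData|Users\\Public)\\", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)


@dataclass
class Event:
    eid: int
    pid: int
    ppid: int
    image: str
    detail: str  # command line for EID 1, registry value path for EID 13


def parse_events(lines):
    """Parse the constructed pipe-delimited lines into Event records."""
    events = []
    for line in lines:
        eid, pid, ppid, image, detail = line.split("|", 4)
        events.append(Event(int(eid), int(pid), int(ppid), image, detail))
    return events


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (pid, reason) findings.  PID reuse is ignored for the sake of the example."""
    procs = {e.pid: e for e in events if e.eid == 1}
    findings = []
    for e in events:
        if e.eid == 1 and basename(e.image) == "python.exe":
            # Rule 1: a script host (the VBS dropper) starts python.exe on nvidia.py
            # from a user-writable path, i.e. the unpacked runtime, not an installed one.
            parent = procs.get(e.ppid)
            if (parent and basename(parent.image) in SCRIPT_HOSTS
                    and "nvidia.py" in e.detail.lower()
                    and USER_WRITABLE.search(e.image)):
                findings.append((e.pid, "script host launched python.exe nvidia.py from a user-writable path"))
        elif e.eid == 13 and RUN_KEY.search(e.detail):
            # Rule 2: that same kind of interpreter writes an autorun value.
            if basename(e.image) == "python.exe" and USER_WRITABLE.search(e.image):
                findings.append((e.pid, "python.exe from a user-writable path wrote a Run autorun value"))
    return findings


if __name__ == "__main__":
    for pid, reason in detect(parse_events(SAMPLE_EVENTS)):
        print(f"pid {pid}: {reason}")
```

Both rules key on the interpreter living under a user-writable path rather than on the file name alone, so renaming nvidia.py would still trip the autorun rule; the developer's pytest run from C:\Python312 is deliberately left unflagged.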
Credential theft capabilities are particularly impactful: the RAT extracts saved cookies, passwords, and session data from over 80 browser extensions, notably targeting cryptocurrency wallets and password managers such as MetaMask, 1Password, NordPass, Phantom, and TronLink.
The Python and Go versions share nearly identical modules for their core functions (configuration handling, command processing, automated credential harvesting, compression utilities, and communication protocols), suggesting a single development team or closely collaborating actors.
The C2 channel uses RC4 over otherwise plaintext HTTP, with the RC4 key embedded in the packet alongside an MD5 checksum of the data. Because the key travels with the packet, this is obfuscation rather than confidentiality: anyone who can read the traffic can decrypt it, and an MD5 checksum with no secret behind it detects accidental corruption but not deliberate modification.
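As an added illustration of what "key in the packet" means in practice (example code written for this edit, not Talos's analysis tooling and not the malware's code): the framing below, a 16-byte key followed by the MD5 of the plaintext and then the RC4 body, is an assumed layout, since the article only states that both values travel inside the packet. The beacon contents and GUID are constructed. The example shows a passive observer recovering the plaintext from the packet alone and an on-path party rewriting a packet so that the checksum still verifies.

```python
"""
Added example (not Cisco Talos code): a toy model of the RC4-over-HTTP C2
framing described above.  The packet layout used here,
    key (16 bytes) || MD5(plaintext) (16 bytes) || RC4_key(plaintext),
is an assumption for illustration; the article only states that the RC4
key and an MD5 checksum travel inside the packet.  The point is what that
design implies: a passive observer recovers the plaintext from the packet
alone, and an active one can rewrite it and fix up the checksum.
"""
import hashlib
import json
import os

KEY_LEN = 16  # assumed key length


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA).  Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # keystream generation, XORed into the data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_packet(plaintext: bytes, key: bytes = b"") -> bytes:
    """What the implant would send: per-packet key, MD5 of the plaintext, RC4 body."""
    key = key or os.urandom(KEY_LEN)
    if len(key) != KEY_LEN:
        raise ValueError("key must be %d bytes" % KEY_LEN)
    return key + hashlib.md5(plaintext).digest() + rc4(key, plaintext)


def open_packet(packet: bytes) -> bytes:
    """What anyone holding the bytes can do: the key is right there in the packet."""
    key = packet[:KEY_LEN]
    digest = packet[KEY_LEN:KEY_LEN + 16]
    body = packet[KEY_LEN + 16:]
    plaintext = rc4(key, body)
    if hashlib.md5(plaintext).digest() != digest:
        raise ValueError("MD5 mismatch: packet corrupted")
    return plaintext


def is_intact(packet: bytes) -> bool:
    """True if the MD5 verifies; a flipped ciphertext byte makes this False."""
    try:
        open_packet(packet)
        return True
    except ValueError:
        return False


def forge(packet: bytes, new_plaintext: bytes) -> bytes:
    """An on-path attacker reuses the packet's own key and recomputes the MD5.
    No secret is involved, so the receiver cannot tell the packet was rewritten."""
    return build_packet(new_plaintext, key=packet[:KEY_LEN])


def demo() -> dict:
    # Constructed beacon; the GUID is a placeholder, not a real observed value.
    beacon = json.dumps({"guid": "00000000-0000-0000-0000-000000000000",
                         "cmd": "shell", "args": "whoami"}).encode()
    pkt = build_packet(beacon, key=bytes(range(KEY_LEN)))
    tampered = pkt[:-1] + bytes([pkt[-1] ^ 0x01])   # corrupt one ciphertext byte
    return {
        "observer_recovers_plaintext": open_packet(pkt) == beacon,
        "corruption_detected": not is_intact(tampered),
        "forgery_accepted": is_intact(forge(pkt, b'{"cmd":"shell","args":"id"}')),
    }


if __name__ == "__main__":
    print(demo())
```

The RC4 routine is checked against the standard published test vector (key "Key", plaintext "Plaintext"), so the decryption a traffic analyst would do on a capture is exactly this code with the captured bytes in place of the constructed packet.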
To date, Talos reports victims concentrated in India, with no indication of compromise within Cisco's customer base.
The group's broader playbook also includes placing fraudulent employees inside target companies after harvesting sensitive personal and corporate data.
Cisco's security products (Secure Endpoint, Secure Email, Secure Firewall, and Secure Network/Cloud Analytics) provide layered detection and mitigation for this threat.
Malware analysis with Cisco Threat Grid identifies suspicious binaries, and multi-factor authentication with Cisco Duo adds access protection.
Enterprise users are advised to apply security controls that block known malicious domains and binaries associated with GolangGhost and PylangGhost.
The discovery of PylangGhost underscores the increasingly sophisticated and adaptive nature of state-sponsored cyber-espionage campaigns, blending social engineering with multi-platform malware development to exploit emerging technology sectors.
Organizations operating in the cryptocurrency space should remain vigilant and employ comprehensive endpoint and network security solutions to mitigate exposure to these evolving threats.
Indicators of Compromise (IOC)
| Type | Example (Truncated) |
|---|---|
| SHA256 Hash | a206ea9b415a0eafd731b4eec762a5b5e8df8d9007e93046029d83316989790a |
| C2 Servers | 31.57.243[.]29:8080, 154.58.204[.]15:8080 |
| Download Domains | api[.]quickcamfix[.]online, api[.]nvidia-drive[.]cloud |
| Fake Job Domains | krakenhire[.]com, robinhood[.]ecareerscan[.]com |
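The indicators above are defanged with "[.]" and need to be turned back into matchable values before they are useful against logs. The following is an added example written for this edit, not Talos tooling: it refangs the table entries and sweeps them over constructed proxy and EDR log lines. The log format, timestamps, user name and the file name paired with the SHA256 are made up; only the indicator values come from the table. A legitimate robinhood.com visit is included to show that domain matching is done on exact host or subdomain, not substring.

```python
"""
Added example (not Cisco Talos code): refang the indicators from the table
above and match them against constructed proxy and EDR log lines.  Log
format, user names, timestamps and the file name paired with the SHA256 are
invented for illustration; only the indicator values come from the table.
IPv6 literals are not handled.
"""
import re

# Indicators as listed in the table (defanged with [.]), grouped by type
IOCS = {
    "sha256": ["a206ea9b415a0eafd731b4eec762a5b5e8df8d9007e93046029d83316989790a"],
    "c2": ["31.57.243[.]29:8080", "154.58.204[.]15:8080"],
    "download": ["api[.]quickcamfix[.]online", "api[.]nvidia-drive[.]cloud"],
    "fake_job": ["krakenhire[.]com", "robinhood[.]ecareerscan[.]com"],
}

# Constructed log lines: a proxy log plus one EDR file event
SAMPLE_LOG = [
    "2025-06-18T09:58:11Z proxy user=dev dst=www.robinhood.com:443 action=allow",
    "2025-06-18T10:01:02Z proxy user=dev dst=robinhood.ecareerscan.com:443 action=allow",
    "2025-06-18T10:14:40Z proxy user=dev dst=api.quickcamfix.online:443 action=allow",
    "2025-06-18T10:15:03Z proxy user=dev dst=31.57.243.29:8080 action=allow",
    "2025-06-18T10:15:05Z edr user=dev file=C:\\Users\\dev\\AppData\\Local\\Temp\\drv\\sample.bin sha256=A206EA9B415A0EAFD731B4EEC762A5B5E8DF8D9007E93046029D83316989790A",
    "2025-06-18T10:20:00Z proxy user=dev dst=154.58.204.15:443 action=allow",
]


def refang(ioc: str) -> str:
    """Undo the usual defanging so the value can be compared with real log data."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()


def split_host_port(value: str):
    host, _, port = value.rpartition(":")
    return (host, port) if host and port.isdigit() else (value, None)


NETWORK_IOCS = [
    (category, *split_host_port(refang(value)))
    for category, values in IOCS.items() if category != "sha256"
    for value in values
]
HASH_IOCS = {h.lower() for h in IOCS["sha256"]}

HOST_RE = re.compile(r"\bdst=([A-Za-z0-9.\-]+)(?::(\d+))?")
HASH_RE = re.compile(r"\bsha256=([0-9A-Fa-f]{64})\b")


def host_matches(host: str, ioc_host: str) -> bool:
    """Exact host or a subdomain of it; never a bare substring match."""
    return host == ioc_host or host.endswith("." + ioc_host)


def scan(lines):
    """Return (line_index, category, indicator) for every hit."""
    hits = []
    for idx, line in enumerate(lines):
        m = HOST_RE.search(line)
        if m:
            host, port = m.group(1).lower(), m.group(2)
            for category, ioc_host, ioc_port in NETWORK_IOCS:
                if not host_matches(host, ioc_host):
                    continue
                if ioc_port is None or port == ioc_port:
                    hits.append((idx, category, f"{ioc_host}:{ioc_port}" if ioc_port else ioc_host))
                else:
                    # Same address on another port is still worth a look, flagged separately
                    hits.append((idx, category + "-host", f"{ioc_host} (seen on port {port}, IOC lists {ioc_port})"))
        h = HASH_RE.search(line)
        if h and h.group(1).lower() in HASH_IOCS:
            hits.append((idx, "sha256", h.group(1).lower()))
    return hits


if __name__ == "__main__":
    for idx, category, indicator in scan(SAMPLE_LOG):
        print(f"line {idx}: {category}: {indicator}")
```

Hashes are compared case-insensitively because EDR products differ in the case they emit, and a C2 address seen on a port other than the listed one is reported under a separate category rather than dropped.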