
North Korean Hackers Use Job Interview Bait To Deploy PylangGhost Malware Against Crypto Professionals


A North Korean–aligned threat actor has been using a new Python remote access trojan to steal crypto wallet and password manager credentials from job seekers in the crypto industry. 

Cisco Talos first spotted this malware, dubbed PylangGhost, in May 2025. The attacks are global but focus on candidates with blockchain and cryptocurrency backgrounds. 

The goal is financial gain. The attack works by tricking victims into installing a backdoor under the guise of a video driver for a fake job interview.

Fake Recruitment Scheme

Attackers create phoney companies and pretend to recruit software engineers, designers and marketing staff. Targets get an invite code to a testing website. The site mimics real firms like Coinbase, Robinhood, Uniswap and others. 

It is built with React and looks genuine for every role. After filling in personal details and answering skill questions, victims see a prompt to record a video interview. They must grant camera access by clicking a button.

Malicious Payload Delivery

When a candidate clicks to enable the camera, the site shows a command line instruction. Victims copy and paste this into their terminal to “install video drivers.” 

On Windows and macOS, the prompt leads to a Python script. That script installs PylangGhost. On Linux, the testing site fails to provide payload instructions. Once run, PylangGhost gives attackers full control of the system.


RAT Capabilities

PylangGhost is a Python variant of the earlier GolangGhost trojan. It can carry out many tasks, including taking screenshots, managing files and gathering system details. It also steals cookies and credentials from over 80 browser extensions.

These include major password managers and crypto wallets such as MetaMask, 1Password, NordPass, Phantom, Bitski, TronLink and MultiverseX. All stolen data is sent back to the threat actor’s server. The malware also keeps itself active on the system to allow future access.

Link to Famous Chollima

Cisco Talos links PylangGhost to the North Korean-affiliated group known as Famous Chollima or Wagemole. This collective has used fake jobs to lure victims before. They often use two main tactics. 

First, they build bogus employers to harvest personal data from job seekers. Then they place fake recruits into target companies to spy from within. 

This report focuses on the first tactic. The researchers noted that the code comments suggest the threat actor did not rely on an AI large language model to write the malware.

Growing Threat from North Korean Hackers

North Korean hacker activity has risen in recent years. Groups like Lazarus and APT38 have hit banks, crypto services and government bodies. They often use social engineering and custom malware to steal funds. 

In 2024, they stole over $900 million in cryptocurrency. They have also targeted defence contractors and energy firms. The use of fake job offers is a new twist on their phishing campaigns. It shows they will follow victims anywhere, even into the hiring process.

Job seekers should be cautious when applying online. Always verify a company’s website and never run code from unknown sources. Use the latest security tools and enable multi‑factor authentication on wallets and password managers.

