06/05/2025 - Updated On 06/17/2025
North Korean Hackers are unleashing a new wave of crypto-targeted cyberattacks using a powerful Trojan called PylangGhost.
North Korean Hackers have escalated their attacks on the crypto industry with a powerful new threat—PylangGhost, a Python-based Trojan that’s deceiving blockchain professionals through fake job interviews.
Masquerading as recruiters from major firms like Coinbase and Robinhood, these state-backed cybercriminals are now exploiting human trust to steal digital fortunes.
This alarming new campaign demonstrates how North Korean Hackers are evolving their playbook, pivoting from brute-force intrusion to masterful social engineering.
The malware, dubbed PylangGhost, was uncovered by cybersecurity experts at Cisco Talos and linked to the “Famous Chollima” threat group, a known arm of North Korea’s state-sponsored Lazarus Group.
At the heart of the attack is a carefully orchestrated scam: North Korean Hackers impersonate hiring managers from Coinbase, Uniswap, and Robinhood, luring skilled professionals through fake job listings.
“Once inside the fake interview ecosystem, the malware does the rest,” said Vanja Svajcer, a threat researcher at Cisco Talos.
“It mimics the entire hiring process, from skill assessments to video interviews, all designed to coax victims into downloading malicious files.”
Targets are invited to React-based fake hiring portals that mimic real corporate testing platforms.
These sites are packed with technical questions to legitimize the process—then bait victims with instructions to install bogus video drivers.
When unsuspecting users comply, PylangGhost unpacks. This modular malware does more than scrape credentials—it hijacks system access, runs OS shell commands, and compromises crypto wallets like MetaMask, Phantom, Bitski, and TronLink.
PylangGhost is no ordinary Trojan. Once deployed, it disguises its presence under filenames like nvidia.py, builds persistence via registry edits and communicates with remote command-and-control servers using unique system GUIDs. According to Cisco’s findings, it can:
Exfiltrate browser-stored passwords
Harvest session cookies and authentication tokens
Target over 80 browser extensions and wallet plugins
Deploy file upload/download modules and full shell access
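As an added defensive example, not code from the article or from Cisco Talos: a small Python script that scans a constructed export of a Windows Run key for the persistence pattern described above, a Python interpreter launched from a user-writable path under driver-style naming such as nvidia.py. The registry entries and paths are assumed sample data, not indicators from the report.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout printed by
# `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` (values are made up).
SAMPLE_RUN_KEY_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\dev\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    NvidiaDriver    REG_SZ    C:\Users\dev\AppData\Roaming\nvidia\python.exe C:\Users\dev\AppData\Roaming\nvidia\nvidia.py
    Updater    REG_SZ    pythonw.exe "C:\Users\dev\Downloads\video_driver\update.pyw"
    SecurityHealth    REG_SZ    C:\Windows\System32\SecurityHealthSystray.exe
"""

# Heuristics for the reported tradecraft: a Python interpreter, a .py/.pyw script,
# a user-writable location, and "driver"/"video" naming used to look legitimate.
PYTHON_INTERPRETER = re.compile(r'(?:^|[\\\s"])pythonw?(?:\d[\d.]*)?\.exe', re.IGNORECASE)
PY_SCRIPT = re.compile(r"\.pyw?\b", re.IGNORECASE)
USER_WRITABLE = re.compile(
    r"\\(?:Users\\[^\\]+\\(?:AppData|Downloads|Desktop)|ProgramData|Temp)\\", re.IGNORECASE)
DRIVER_LURE = re.compile(r"nvidia|driver|video|camera", re.IGNORECASE)


def parse_run_entries(reg_output: str) -> List[Dict[str, str]]:
    """Turn `reg query` text into {name, command} records; the key header line is skipped."""
    entries = []
    for line in reg_output.splitlines():
        m = re.match(r"\s+(\S.*?)\s+REG_(?:EXPAND_)?SZ\s+(.+?)\s*$", line)
        if m:
            entries.append({"name": m.group(1), "command": m.group(2)})
    return entries


def score_entry(entry: Dict[str, str]) -> List[str]:
    """Return the human-readable reasons an autorun command looks like the described persistence."""
    cmd = entry["command"]
    reasons = []
    if PYTHON_INTERPRETER.search(cmd):
        reasons.append("launches a Python interpreter")
    if PY_SCRIPT.search(cmd):
        reasons.append("runs a .py/.pyw script")
    if USER_WRITABLE.search(cmd):
        reasons.append("points into a user-writable directory")
    if DRIVER_LURE.search(cmd):
        reasons.append("uses driver/video naming like the reported nvidia.py lure")
    return reasons


def find_suspicious(reg_output: str, min_reasons: int = 2) -> List[Tuple[str, List[str]]]:
    """Flag entries that trip at least `min_reasons` heuristics (a lone AppData path is normal)."""
    return [(e["name"], score_entry(e)) for e in parse_run_entries(reg_output)
            if len(score_entry(e)) >= min_reasons]
```

Run it over a real `reg query` export of the HKCU and HKLM Run keys to get a triage list; the threshold keeps ordinary AppData installers such as OneDrive out of the findings.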
“The technical sophistication of this tool indicates deep state-level support and planning,” noted Joe Slowik, threat intelligence principal at Huntress.
While global in scope, this wave of attacks appears to focus on crypto developers and engineers in India, a hub for blockchain innovation.
Using geo-targeting and browser fingerprinting, North Korean Hackers tailor each attack to maximize effectiveness.
Once infected, victims often remain unaware for weeks, during which time their wallets and credentials are silently siphoned away.
Major exchanges are fighting back. Kraken recently intercepted a North Korean mole posing as a job applicant.
“Our red team flagged unusual metadata in the applicant’s documents,” Kraken CISO Nick Percoco revealed. “This gave us a window into the Lazarus playbook.”
BitMEX also conducted a counterintelligence sweep that exposed IP ranges linked to the group, revealing fragmented structures and regional command nodes.
With North Korean Hackers refining their methods, the crypto world must brace for a long-term battle.
Fake recruiters, Trojanized interviews, and data exfiltration are no longer fringe tactics—they’re the new norm in this high-stakes cyberwar.
For now, the best defense is awareness. As Svajcer of Cisco concluded, “If a recruiter ever asks you to install software, you’re not getting hired—you’re getting hacked.”
Davidson Okechukwu is a passionate crypto journalist/writer and Web3 enthusiast, focusing on blockchain innovation, DeFi, NFT ecosystems, and the societal impact of decentralized systems. With a degree in Computer Science and various professional certifications from prestigious institutions, his engaging style bridges the gap between technology and everyday understanding. With over four years of experience in the crypto and DeFi space, Davidson combines his technical knowledge with a keen understanding of market dynamics. In addition to his work in cryptocurrency, he is a dedicated realtor and web management professional.