North Korean Hackers Target Crypto Job Seekers with Fake Interviews and New Malware

A North Korean hacker group known as Famous Chollima has developed a new Trojan named PylangGhost. According to researchers from [Cisco Talos](https://blog.talosintelligence.com/python-version-of-golangghost-rat/), the malware is being disseminated through fraudulent job interviews aimed at professionals in the cryptocurrency sector.

The attackers create counterfeit websites that mimic well-known companies such as Coinbase, Robinhood, and Uniswap.

Recruiters guide job seekers to these sites for testing purposes. During this process, candidates are prompted to enable their cameras for a video interview by running a terminal command that supposedly installs a video driver. In reality, this command downloads the malicious software.

PylangGhost is a remote access Trojan (RAT) written in Python that targets Windows systems. It is the counterpart of the previously identified GolangGhost malware found on macOS. Linux-based systems are not affected in these operations.

Once executed, the malware gives the attackers remote control over the infected system and steals cookies and credentials from over 80 browser extensions. The targets include password managers like 1Password and NordPass, as well as cryptocurrency wallets such as MetaMask, Phantom, Bitski, and TronLink.

The malware allows hackers to maintain persistent remote access to the compromised system.

Researchers noted that it is unlikely the hackers used large language models to write the malware.

The primary targets of these cybercriminals are professionals from India. Experts highlighted that this activity is part of a broader strategy by North Korea. The group not only pilfers funds from exchanges but also attempts to infiltrate cryptocurrency firms for intelligence gathering.

Dilip Kumar, the director of Digital South Trust, told [Decrypt](https://decrypt.co/326187/new-malware-crypto-job-scams-north-korea) that in response to such incidents, “India should implement mandatory cybersecurity audits for blockchain companies and monitor fake job search portals.”

“CERT-In should issue red alerts, while both the [MEITY](https://www.meity.gov.in/) and [NCIIPC](https://www.nciipc.gov.in/) must enhance global coordination in combating transnational cybercrime,” he added.

Kumar also called for the “strengthening of legal provisions” under the Information Technology Act and initiatives to enhance digital awareness.

In April, experts from Silent Push [reported](https://forklog.com/news/hakery-iz-kndr-sozdali-fiktivnye-firmy-dlya-obmana-polzovatelej) that a group named Contagious Interview, linked to [Lazarus](https://forklog.com/cryptorium/chto-izvestno-o-lazarus-group-podozrevaemoj-vo-vzlome-bybit), registered three shell companies to distribute malware. These firms are used to deceive users through fake interviews.