North Korean Hackers Target Crypto Workers With Malware Hidden in Fake Job Applications

A DPRK-linked group is using fake job sites and Python-based malware to target blockchain professionals for credential theft.

Crypto professionals are once again in the crosshairs of North Korean hackers. This time, attackers are hiding malware in fake job application processes to steal wallet credentials and gain remote access to victims’ systems.

Researchers at Cisco Talos uncovered the campaign this week, identifying the new malware as PylangGhost, a Python-based remote access trojan (RAT). This RAT is a variant of GolangGhost, which was previously used by the same hacking group.

Malware Delivered Through Fake Job Sites

The attackers impersonate top crypto firms like Coinbase, Robinhood, and Uniswap. They direct victims to fake career websites and lure them into staged “skill tests.”

After completing the test, targets are asked to paste a command into their terminal. This step downloads a ZIP file containing the malware disguised as a video driver update.

The payload includes:

• A renamed Python interpreter (nvidia.py)
• A Visual Basic script to unpack the archive
• Modules for remote control, data theft, and persistence

What Does the Malware Do?

Once installed, PylangGhost can:

• Steal login credentials, session cookies, and wallet data.
• Access over 80 browser extensions, including MetaMask, Phantom, TronLink, and 1Password.
• Enable remote control via HTTP traffic encrypted with outdated RC4 encryption.

The malware also performs:

• File transfers.
• System fingerprinting.
• Shell command execution.
• Browser data extraction.

Unlike earlier versions, this variant was written in Python to target Windows systems. Mac users are still vulnerable to the Golang version. Linux remains largely unaffected.

Who Is Behind the Attack?

The campaign is linked to Famous Chollima, a known DPRK-aligned group active since mid-2024. Most of the recent victims appear to be based in India and have blockchain work experience.

Their tactic is simple but effective: impersonate well-known crypto companies and trick candidates into running malicious commands.

What Has Happened So Far

• Mid-2024: DPRK-affiliated group Famous Chollima emerges using GolangGhost malware
• April 2025: North Korean hackers linked to a $1.4B Bybit exploit used fake job tests to spread malware
• June 2025: Cisco Talos reports a new attack using a rewritten Python version named PylangGhost, targeting Windows users
• Over 80 browser extensions confirmed vulnerable to data extraction, including major wallet tools like MetaMask and 1Password