North Korean Hackers Pose as Coinbase Recruiters to Steal Crypto with ‘PylangGhost’ Trojan

North Korean cybercriminals have escalated their targeting of crypto professionals with a sophisticated new Python-based malware called PylangGhost.

They deploy elaborate fake job interview schemes that impersonate major companies, including Coinbase, Robinhood, and Uniswap, to steal credentials from over 80 browser extensions and crypto wallets.

Cisco Talos researchers discovered this latest campaign by the infamous “Famous Chollima” threat group.

The attacks primarily focus on crypto and blockchain professionals in India. They lure victims through fraudulent skill-testing websites that appear legitimate but ultimately trick users into executing malicious commands disguised as video driver installations for fake interview recordings.

The PylangGhost campaign represents the latest escalation in North Korea’s systematic targeting of the cryptocurrency industry, which has generated over $1.3 billion in stolen funds across 47 separate incidents in 2024 alone, according to Chainalysis data.

The PylangGhost operation is built on sophisticated social engineering tactics, beginning with carefully crafted fake recruiter outreach that targets specific expertise in cryptocurrency and blockchain technologies.

Victims receive invitations to skill-testing websites built using the React framework that closely mimic legitimate company assessment platforms.

These websites contain technical questions designed to validate the target’s professional background and create an authentic interview experience.

The psychological manipulation reaches its peak when candidates complete assessments and are invited to record video interviews. The site requests camera access through a seemingly innocuous button click.

Once camera access is requested, the site displays platform-specific instructions for downloading alleged video drivers. Different command shells are provided based on browser fingerprinting, including PowerShell or Command Shell for Windows users and Bash for macOS systems.

The malicious command downloads a ZIP file containing the PylangGhost modules and a Visual Basic Script that unzips a Python library. It then launches the Trojan through a renamed Python interpreter, using “nvidia.py” as the execution file.

The malware’s capabilities extend far beyond simple credential theft. It establishes persistent access through registry modifications that ensure the RAT launches every time the user logs into the system.

PylangGhost generates unique system GUIDs for communication with command-and-control servers while implementing sophisticated data exfiltration capabilities targeting over 80 browser extensions, including critical cryptocurrency wallets such as Metamask, Phantom, Bitski, TronLink, and MultiverseX.

The Trojan’s modular design enables remote file upload and download, OS shell access, and comprehensive browser data harvesting, including stored credentials, session cookies, and extension data from password managers like 1Password and NordPass.

The PylangGhost discovery is just the visible portion of a massive, coordinated North Korean cyber campaign that has fundamentally threatened crypto businesses and professionals worldwide.

Intelligence agencies from Japan, South Korea, and the United States have documented how North Korean-backed groups, primarily the notorious Lazarus collective, orchestrated sophisticated operations that resulted in the theft of at least $659 million through cryptocurrency heists in 2024 alone.

North Korean cyber spies reportedly set up fake US firms to deploy malware targeting crypto developers, violating Treasury sanctions.#NorthKorea #CyberSecurity https://t.co/TvCmrspaep

Recent enforcement actions have revealed the true scope of North Korean cyber operations. The FBI has seized BlockNovas LLC’s domain, which was used to establish legitimate-appearing corporate entities and conduct long-term deception campaigns.

The recent $50 million Radiant Capital hack also demonstrated the effectiveness of these tactics when North Korean operatives successfully posed as former contractors and distributed malware-laden PDFs to engineers.

A North Korean hacker impersonated as a job seeker for an engineering role at Kraken, who attempted to infiltrate the ranks of the exchange.#Kraken #CryptoHacker #NorthKoreanHackerhttps://t.co/IorY67EV3L

In contrast, while these tactics remain effective, Kraken’s recent disclosure of successfully identifying and thwarting a North Korean job applicant shows that major exchanges are now implementing enhanced screening procedures to detect infiltration attempts.

Similarly, BitMEX recently conducted a counterintelligence operation that exposed significant operational weaknesses within the Lazarus Group. This included exposed IP addresses and accessible databases that revealed the group’s fragmented structure with varying technical capabilities across different cells.

The international response has intensified dramatically, with South Korea and the European Union formalizing cybersecurity cooperation agreements specifically targeting North Korean cryptocurrency operations.

At the same time, U.S. authorities have expanded forfeiture actions to recover over $7.7 million in crypto assets earned through networks of covert IT workers.

Japan is preparing to urge G7 nations to launch a coordinated response against North Korea’s growing involvement in cryptocurrency theft.#Japan #NorthKoreahttps://t.co/0WG78wEsx4

The mounting threat has prompted discussions at the highest levels of international diplomacy, with G7 leaders expected to address North Korea’s escalating cyberattacks at upcoming summits as member states seek coordinated strategies to protect global financial infrastructure.

The post North Korean Hackers Pose as Coinbase Recruiters to Steal Crypto with ‘PylangGhost’ Trojan appeared first on Cryptonews.