North Korea’s notorious cyber unit Famous Chollima (a.k.a. Wagemole) is at it again; it is taking advantage of the rise in job opportunities in the blockchain and cryptocurrency spaces, especially in India, by running another round of deceptive recruitment scams against professionals. In short, after publishing fake job postings, increasingly elaborate skill assessments, and fake video interviews, the group installs a powerful Python-based remote access trojan (RAT) known as PylangGhost. The goal here: access personal data, browser credentials, and crypto wallets, and ultimately compromise legitimate crypto companies.
Luring with Fake Crypto Job Postings
The group uses professional-looking fake websites mimicking firms such as Coinbase, Robinhood, Uniswap, and Archblock to lure applicants into completing a “skill assessment.” Recruiters contact victims through professional platforms (LinkedIn) or well-crafted emails. These bait platforms collect personal and technical details under the pretense of a normal recruitment process.
The Deceptive Video Interview Ruse
After a candidate passes the initial screening, they are invited to the next phase, a video interview. In these interviews applicants are asked to grant camera and microphone permissions, then told to run what looks like a driver-installation command. What the candidates actually execute is a download of the PylangGhost RAT, disguised as “video driver updates.”
What PylangGhost Does
Once deployed on Windows systems, PylangGhost grants persistent remote access, fingerprinting the device and establishing connections to command-and-control (C2) servers. Critically, it extracts credentials and session cookies from over 80 browser extensions—especially crypto wallets (MetaMask, Phantom, TronLink) and password managers (1Password, NordPass). It can also take screenshots, extract browser data, manage files, and run arbitrary remote commands.
A New Variant of an Older Threat
This Python-based Trojan is a direct counterpart to the earlier GolangGhost, which was developed for macOS systems. Research indicates it shares nearly identical structure and naming, pointing to the same developer group behind both RATs. Windows is now the primary target, while Linux systems remain untouched.
Not the First Time—and Not the Last
Famous Chollima has been implicated in multiple prior recruitment-based campaigns, including “Contagious Interview” and “DeceptiveDevelopment” scams targeting developers on platforms like GitHub, Upwork, and CryptoJobsList since at least 2023. They also ran fake U.S.-based companies—BlockNovas LLC and SoftGlide LLC—to distribute malware via sham interviews before the FBI took down the BlockNovas domain.
Wider North Korean Crypto Cybercrime Context
These efforts sit within a broader strategy by DPRK cyber operatives, including the notorious Lazarus Group, to raise funds and gain insider access. A 2024 joint statement from Japan, South Korea, and the U.S. confirmed that North Korean-linked teams stole at least $659 million in crypto assets last year. Notable cases include the $50 million Radiant Capital breach in December 2024—triggered via a malicious PDF sent to engineers—and a thwarted infiltration attempt at Kraken, foiled when the applicant failed identity checks.
The Indian Connection and Calls for Defenses
Open-source analysis indicates victims are largely based in India. Dileep Kumar H V, director at Digital South Trust, warned that India should enforce cybersecurity audits for blockchain firms and flag fake recruitment sites. He also urged CERT-In, MEITY, and NCIIPC to issue red alerts and improve cross-border collaboration.
Protecting Against RAT Scams
Security experts recommend several practical steps for safe job hunting in the crypto world:
- Never run unsolicited download commands during interviews.
- Verify all job portals via official company channels.
- Use dedicated devices for job applications, separated from personal crypto wallets.
- Deploy endpoint protection and monitor unusual outbound connections or ZIP downloads.
- Enable multi-factor authentication, and maintain strict browser extension hygiene.
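As an added illustration of the “monitor unusual outbound connections or ZIP downloads” advice (example code written for this page, not from the article or any vendor product): a small correlation check over constructed endpoint events that flags a ZIP download followed shortly by an outbound connection from a Python interpreter on the same host. The event format, the 15-minute window, and the assumption that the RAT’s C2 traffic would originate from a python.exe process are assumptions, not facts reported in the article.

```python
"""Added detection example (not from the article): correlate a ZIP download
with a later outbound connection from a Python interpreter on the same host.
The event layout and the python.exe-as-C2-client heuristic are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, host, event_type, detail).
# The ZIP name and the documentation-range IPs are made up for this example.
SAMPLE_EVENTS = [
    ("2025-06-01T10:00:05", "dev-laptop-01", "download", "video_driver_update.zip"),
    ("2025-06-01T10:01:40", "dev-laptop-01", "process", "python.exe"),
    ("2025-06-01T10:02:10", "dev-laptop-01", "netconn", "python.exe -> 203.0.113.7:443"),
    ("2025-06-01T11:30:00", "dev-laptop-02", "download", "report.zip"),
    ("2025-06-01T15:45:00", "dev-laptop-02", "netconn", "python.exe -> 198.51.100.9:8080"),
]

# How soon after a ZIP download an outbound python.exe connection is suspicious.
WINDOW = timedelta(minutes=15)


def find_suspicious_sequences(events, window=WINDOW):
    """Return (host, zip_name, connection) tuples for every python.exe outbound
    connection that follows a ZIP download on the same host within `window`."""
    zips_by_host = defaultdict(list)  # host -> [(download_time, zip_name), ...]
    hits = []
    # ISO-8601 timestamps sort correctly as strings, so tuple sort is chronological.
    for ts, host, kind, detail in sorted(events):
        t = datetime.fromisoformat(ts)
        if kind == "download" and detail.lower().endswith(".zip"):
            zips_by_host[host].append((t, detail))
        elif kind == "netconn" and detail.lower().startswith("python.exe"):
            for zip_time, zip_name in zips_by_host[host]:
                if timedelta(0) <= t - zip_time <= window:
                    hits.append((host, zip_name, detail))
    return hits


if __name__ == "__main__":
    for host, zip_name, conn in find_suspicious_sequences(SAMPLE_EVENTS):
        print(f"ALERT {host}: {conn} within {WINDOW} of downloading {zip_name}")
```

In this sample only dev-laptop-01 is flagged; the connection on dev-laptop-02 comes hours after its ZIP download and falls outside the window.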
Conclusion
The PylangGhost campaign highlights how cybercriminals blend social engineering with custom malware to exploit crypto talent. As North Korean hack groups extend their reach from exchange heists to inside-the-company infiltration, crypto professionals must adopt a cautious posture. Verifying job legitimacy, isolating crypto assets, and building digital security competencies are no longer optional—they are essential protections in an era of sophisticated cyber threats.