North Korea Targets Crypto Professionals with New Malware
North Korean hackers, identified as part of the ‘Famous Chollima’ group, are targeting individuals in the cryptocurrency and blockchain sectors with sophisticated cyberattacks. According to Cisco Talos, these hackers use fake job interviews and fraudulent websites to distribute a Python-based remote access trojan called ‘PylangGhost’. This malware steals sensitive data, including credentials for cryptocurrency wallets and password managers.
How the Attack Works
The attackers impersonate legitimate companies like Coinbase, Robinhood, and Uniswap to create fake job sites. The attack unfolds in three stages:
- Fake recruiters initiate contact with potential victims.
- Victims receive invitations to skill-testing websites designed to harvest their information.
- During fake video interviews, victims are tricked into running malicious commands presented as a video driver update needed to fix a camera or microphone problem.
Malware Capabilities
PylangGhost, a variant of the GolangGhost RAT, performs several malicious activities:
- Steals credentials from over 80 browser extensions, including cryptocurrency wallet and password manager extensions.
- Captures screenshots and manages files on infected devices.
- Maintains persistent remote access to compromised systems.
Previous Incidents
North Korean-linked hackers have used similar tactics before. In April, they targeted crypto developers with malware-laced recruitment tests during the $1.4 billion Bybit heist.