North Korean-affiliated hacker group Famous Chollima has launched a cyberattack campaign targeting crypto industry professionals through fraudulent job interviews. The group uses fake job portals impersonating legitimate crypto companies such as Coinbase, Uniswap, and Robinhood to lure victims, primarily in India.
The attackers deploy a new Python-based remote access trojan (RAT) called "PylangGhost," which steals credentials and session cookies from over 80 browser extensions, including popular crypto wallets and password managers like MetaMask, 1Password, NordPass, Phantom, and others. The malware gives the attackers persistent remote control of infected Windows devices.
Victims are tricked into running malicious commands disguised as video driver installations during staged video interviews, which deploys the malware. This approach follows a broader North Korean pattern of crypto-targeted cybercrime, including activity by the Lazarus Group, which is responsible for significant crypto thefts in recent years.
The operation aims to steal funds and gather intelligence, potentially infiltrating crypto companies. Earlier campaigns under this strategy have targeted crypto developers on platforms like GitHub, Upwork, and CryptoJobsList. Authorities have seized some associated domains, but the threat persists.
Experts recommend increased cybersecurity audits for blockchain firms, government red alerts, stronger legal frameworks, and digital awareness campaigns to combat these sophisticated scams.