North Korean Hackers Spread PylangGhost via Fake Jobs

In Summary

  • Fake interviews from Coinbase and Robinhood used to lure victims.
  • Malware disguised as a “video driver” steals crypto wallet data.
  • PylangGhost targets over 80 browser extensions and password apps.
  • Crypto firms adopt stronger defenses as North Korea’s threats grow.


Catenaa, Wednesday, July 02, 2025 – North Korean hackers have launched a new cyber campaign using a trojan called PylangGhost to target crypto professionals under the guise of job interviews with major tech companies.

Researchers at Cisco Talos identified the operation as the work of the “Famous Chollima” group, with attacks primarily affecting blockchain professionals in India.

Using fake recruiter profiles posing as representatives from Coinbase, Uniswap, and Robinhood, the hackers invite victims to participate in fake technical interviews.

Candidates are redirected to skill-testing sites built with React, imitating legitimate assessment platforms.

After completing tests, victims are prompted to record video interviews, which requires installing a fake “video driver” that actually delivers the PylangGhost malware.

Once installed, the trojan gains full system access and persistence through registry edits. It targets over 80 browser extensions, including crypto wallets such as MetaMask, Phantom, and TronLink. It also harvests credentials from password managers like 1Password and NordPass.
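For defenders, the wallet-extension targeting described above can be hunted for by flagging any process other than the installed browser that touches Chromium extension storage. The following is an added example, not code from the article or from Cisco Talos; the event format, sample events and browser install paths are constructed assumptions, and the extension IDs are assumed to be the current Chrome Web Store IDs for the named wallets and should be checked against your own fleet.

```python
import re

# Chrome Web Store IDs for the wallets the article names (assumed current; verify).
WALLET_IDS = {
    "nkbihfbeogaeaoehlefnkodbefgpgknn": "MetaMask",
    "bfnaelmomeimhlpmgjnjophhpkkoljpa": "Phantom",
    "ibnejdfjmmkpcnlpebklmnkoeoihofec": "TronLink",
}
# Assumed default machine-wide install paths. Match the full path: a basename
# check is defeated by a binary that simply names itself chrome.exe.
BROWSER_IMAGES = {
    r"c:\program files\google\chrome\application\chrome.exe",
    r"c:\program files (x86)\microsoft\edge\application\msedge.exe",
}
# Chromium keeps per-extension data in <profile>\Local Extension Settings\<id>\
EXT_STORE = re.compile(
    r"\\User Data\\[^\\]+\\Local Extension Settings\\([a-p]{32})(?:\\|$)", re.I)

def flag_extension_store_access(events):
    """Return one alert per non-browser process touching extension storage."""
    alerts = []
    for ev in events:
        m = EXT_STORE.search(ev["target"])
        if not m or ev["image"].lower() in BROWSER_IMAGES:
            continue
        ext_id = m.group(1).lower()
        alerts.append({
            "time": ev["time"],
            "image": ev["image"],
            "extension": WALLET_IDS.get(ext_id, "unknown"),
            "severity": "high" if ext_id in WALLET_IDS else "medium",
        })
    return alerts

# Constructed file-access telemetry (hypothetical EDR export, not real data).
_PROFILE = r"C:\Users\dev\AppData\Local\Google\Chrome\User Data\Default"
_STORE = _PROFILE + r"\Local Extension Settings"
SAMPLE_EVENTS = [
    {"time": "2025-07-02T09:00:01Z", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": _STORE + r"\nkbihfbeogaeaoehlefnkodbefgpgknn\000003.log"},
    {"time": "2025-07-02T09:14:37Z", "image": r"C:\Users\dev\AppData\Local\Temp\drv\updater.exe",
     "target": _STORE + r"\nkbihfbeogaeaoehlefnkodbefgpgknn\000003.log"},
    {"time": "2025-07-02T09:14:38Z", "image": r"C:\Users\dev\Downloads\chrome.exe",
     "target": _STORE + r"\abcdefghijklmnopabcdefghijklmnop\LOCK"},
    {"time": "2025-07-02T09:15:00Z", "image": r"C:\Users\dev\AppData\Local\Temp\drv\updater.exe",
     "target": _PROFILE + r"\Bookmarks"},
]
```

Per-user browser installs under `AppData\Local` and backup or sync agents need to be added to the allowlist before this is used on real telemetry.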

The malware features remote access tools, system command execution, and extensive data exfiltration capabilities. PylangGhost is the latest evidence of North Korea’s aggressive cyber strategy, which netted over $1.3 billion in crypto thefts in 2024 alone.

Global intelligence and enforcement agencies are increasingly alarmed. Recent crackdowns include US forfeiture actions, South Korea–EU cybersecurity agreements, and the seizure of domains like BlockNovas LLC. Meanwhile, companies like Kraken and BitMEX are adopting advanced countermeasures, signaling a shift in industry response to North Korea’s growing cyber threat.
