North Korea Targets Crypto Professionals With New Malware in Hiring Scams



In brief

  • North Korean hackers are targeting cryptocurrency professionals with fake job interviews to deploy new Python-based malware, PylangGhost.
  • The malware steals credentials from 80+ browser extensions, including MetaMask and 1Password, and enables persistent remote access.
  • The attackers pose as recruiters from companies like Coinbase and Uniswap, tricking victims into running malicious commands disguised as video driver installations.

North Korean hackers are luring crypto professionals into elaborate fake job interviews designed to steal their data and deploy sophisticated malware on their devices.

The new Python-based remote access trojan, called “PylangGhost”, links the malware to the North Korean-affiliated hacking collective called “Famous Chollima”, also known as “Diaper”, the Cisco Talos intelligence research company reported on Wednesday.

“Based on the advertised positions, it is clear that Famous Chollima is widely targeting individuals with previous experience in cryptocurrency and blockchain technologies,” the company wrote.

The campaign primarily targets cryptocurrency and blockchain professionals in India, using fake job pages impersonating legitimate companies, including Coinbase, Robinhood and Uniswap.

The scheme begins with fake recruiters who direct job seekers to skill-testing websites, where the victims enter personal information and answer technical questions.

After completing the assessment, candidates are instructed to enable camera access for a video interview and are then asked to copy and execute malicious commands disguised as video driver installations.

Dileep Kumar HV, director at Digital South Trust, told Decipher that, in order to counteract these frauds, “India must prescribe cyber security audits for blockchain companies and control fake job portals.”

Vital need for awareness

“CERT-In should issue red warnings, while MeitY and NCIIPC must strengthen global coordination on cross-border cybercrime,” he said, calling for “stronger legal provisions” under the IT Act and “digital awareness campaigns.”

The newly discovered PylangGhost malware can steal credentials and session cookies from over 80 browser extensions, including popular password managers and crypto wallets such as MetaMask, 1Password, NordPass and Phantom.

The trojan establishes persistent access to infected systems and executes remote commands from a command-and-control server.

This latest operation aligns with North Korea's wider pattern of crypto-focused cybercrime, which includes the infamous Lazarus group, responsible for some of the largest heists in the industry.

In addition to stealing funds directly from exchanges, the regime is now targeting individual professionals to gather intelligence and potentially infiltrate crypto companies.

The group has conducted hiring-based attacks since at least 2023 through campaigns such as “Infectious Interview” and “Deceptive Venatives”, which targeted cryptocurrency professionals on platforms including GitHub, Upwork and CryptoJobsList.

Mounting cases

Earlier this year, North Korean hackers set up fake American companies – Blocknovas LLC and S Before the FBI seized the domain blocknovas.

The PylangGhost malware is functionally equivalent to the previously documented GolangGhost RAT, sharing many of the same capabilities.

The Python-based variant specifically targets Windows systems, while the Golang version continues to target macOS users. Linux systems are notably excluded from these latest campaigns.

The attackers maintain dozens of fake job sites and download servers, with domains designed to appear legitimate, such as “Quickcamfix.online” and “Autriverfix Online”, the report said.

A joint statement from Japan, South Korea and the US confirmed that North Korean-backed groups, including Lazarus, stole at least $659 million through multiple cryptocurrency heists in 2024.

In December 2024, an airline capital hack in the amount of $50 million began when North Korean operatives posed as former contractors and sent PDFs filled with malicious software to engineers.

Similarly, crypto exchange Kraken revealed in May that it had successfully identified and thwarted a North Korean operative who applied for a position, after the applicant failed basic identity tests during the interview.

Edited by Sebastian Sinclair
