A North Korea-aligned cyber espionage group has launched a new wave of targeted attacks on cryptocurrency professionals, deploying malware designed to harvest sensitive credentials from digital wallets and password managers. The campaign has been attributed to “Famous Chollima,” also known as “Wagemole,” a threat actor previously linked to North Korea, according to a report from Cisco Talos released Wednesday.
The attack leverages a Python-based remote access trojan (RAT) named PylangGhost, which researchers have identified as a variant of the earlier GolangGhost RAT. The malware grants attackers full remote control over infected systems, enabling them to steal cookies, browser credentials, and sensitive data from over 80 browser extensions. Targets include crypto wallet applications such as MetaMask, Phantom, TronLink, and MultiverseX, as well as password managers like 1Password and NordPass.
The campaign appears to primarily focus on India-based professionals with experience in blockchain and cryptocurrency. Victims are recruited through fake job postings on counterfeit websites impersonating companies like Coinbase, Robinhood, and Uniswap. Once initial contact is established, the attackers pose as recruiters and direct victims to phony skill-testing platforms.
During staged interviews, victims are tricked into enabling camera access and executing terminal commands under the guise of updating video drivers—steps that, unbeknownst to the victim, install the malicious payload. The malware’s capabilities go beyond data theft and include file management, screenshot capture, system reconnaissance, and persistent remote access.
Cisco Talos researchers noted that, despite the malware’s complexity, there is no evidence that large language models or AI tools were involved in writing its code.
This form of social engineering—exploiting professional aspirations within the crypto industry—has become a hallmark of North Korea-linked cyber operations. In April, the same tactic was used to target developers connected to the $1.4 billion Bybit hack through malware-infected recruitment tests.