NK Hackers Deploy PylangGhost via Fake Crypto Job Interviews

A North Korea–linked group, Famous Chollima (Wagemole), has launched a sophisticated phishing campaign targeting crypto job seekers in India. Impersonating recruiters from Coinbase, Uniswap and Robinhood, the attackers lure candidates into video interviews under the guise of technical assessments. During the calls, victims execute commands that purportedly update video drivers but instead install PylangGhost, a Python-based remote access trojan. Once deployed, the malware harvests system information, captures screenshots, and steals credentials from over 80 browser extensions (including MetaMask, Phantom, TronLink and MultiverseX) as well as from password managers. Cisco Talos researchers note that PylangGhost mirrors the features of the earlier GolangGhost but contains no AI-generated code. This campaign highlights rising phishing and remote-access threats in crypto, underscoring the need for tighter safeguards around wallet credentials.
Bearish
This phishing and RAT campaign by NK-linked hackers raises alarm over wallet security and user trust. In the short term, traders may withdraw assets or reduce activity to avoid exposure, causing sell pressure. Long term, heightened security concerns could depress trading volumes and slow adoption, weighing negatively on market sentiment for affected tokens.