2025-06-18 • Cisco Talos • Vanja Svajcer • py.pylangghost
Analysis Summary
# Threat Actor: Famous Chollima
## Attribution & Identity
The threat actor is identified as **Famous Chollima**. The activity described is reported by Cisco Talos.
## Activity Summary
The primary activity summarized is the deployment of a **Python version of the GolangGhost RAT**. No specific historical campaigns or dates outside of the report's context are detailed in the provided summary text.
## Tactics, Techniques & Procedures
- Deployment of a malware variant written in Python.
- Use of the **GolangGhost RAT** framework (specifically a Python implementation).
- *Note: Specific MITRE ATT&CK IDs are not available in the provided context.*
## Targeting
- Sectors: Not explicitly detailed in the provided summary text.
- Geography: Not explicitly detailed in the provided summary text.
- Victims: Not explicitly detailed in the provided summary text.
## Tools & Infrastructure
- Malware families used: **GolangGhost RAT (Python implementation)**, potentially tracked as `py.pylangghost`.
- Infrastructure (C2, domains, IPs): Not detailed in the snippet.
## Implications
The use of a Python version of an existing Golang-based RAT suggests the actor is adapting their toolset for broader compatibility or to bypass existing detection methods tuned for the original Golang binary. This indicates continued operational maturity.
## Mitigations
- Implement detection mechanisms capable of identifying Python-based RAT communication patterns.
- Perform analysis on suspected file executions involving the GolangGhost RAT family, regardless of compilation/scripting language.