North Korean Hackers Target Crypto Job Seekers with Sophisticated Malware Scam

A series of cyber attacks has emerged, aimed at professionals in the cryptocurrency and blockchain industries through fraudulent recruitment scams, according to new research from Cisco Talos. These attacks are attributed to a North Korea-aligned group known as Famous Chollima, which has been duping victims into installing malware disguised as video drivers.

The group, which has been active since at least mid-2024, is known for employing tactics like fake developer job postings and fraudulent interview processes. Recent developments indicate an evolution in their methods, introducing a new Python-based malware called PylangGhost, which is a variant of the previously identified GolangGhost trojan.

Victims are approached by impostors masquerading as recruiters offering positions at what appear to be legitimate companies in the crypto sector. The targets are typically software developers, marketers, and designers with cryptocurrency experience. Prospective candidates are directed to a fraudulent skill-assessment page that mimics the look and feel of real company sites, including well-known names such as Coinbase, Robinhood, and Uniswap.

Following the completion of a "test", applicants are instructed to record a video introduction for the supposed hiring team, which requires installing so-called "video drivers" by running commands in their terminal. Those commands download the malware, which, when executed on Windows or macOS systems, pulls in a malicious ZIP file containing the PylangGhost trojan and auxiliary scripts. The malware then runs in the background, giving the attackers remote access.

Once activated, PylangGhost behaves similarly to its predecessor, collecting system information and maintaining a connection with a command and control server. It can harvest credentials and collect browser data, including passwords and crypto wallet keys. Notably, it specifically targets over 80 popular browser extensions, including password managers and digital wallets such as 1Password and MetaMask.

Talos warns that while the malware employs RC4 encryption for communication, sending the encryption key alongside the data undermines its security. The ultimate goal behind these operations is twofold: acquiring sensitive personal information from genuine job seekers and positioning fake employees within real companies, potentially leading to long-term infiltration for access to critical financial data and software systems.
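To illustrate the weakness Talos describes, the following added example (not code from Talos or from the malware) implements RC4 and shows that an observer who sees the key travelling with the ciphertext recovers the plaintext outright; the fixed 16-byte key prefix layout and the sample beacon payload are assumptions, since the report only says the key is sent alongside the data.

```python
# Added example: RC4 plus a decoder for a "key || ciphertext" message.
# Layout assumption: the key is the first KEY_LEN bytes of each message.

KEY_LEN = 16  # assumed key length for the constructed sample


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def build_message(key: bytes, plaintext: bytes) -> bytes:
    """Constructed C2-style message: key prefix followed by RC4 ciphertext."""
    if len(key) != KEY_LEN:
        raise ValueError("key must be exactly KEY_LEN bytes")
    return key + rc4(key, plaintext)


def decode_observed(message: bytes) -> bytes:
    """What a passive network observer can do: peel off the key, decrypt the rest."""
    if len(message) < KEY_LEN:
        raise ValueError("message shorter than the assumed key prefix")
    key, ciphertext = message[:KEY_LEN], message[KEY_LEN:]
    return rc4(key, ciphertext)


# Constructed sample beacon payload (not a real capture).
SAMPLE_KEY = b"constructed-key!"  # 16 bytes
SAMPLE_PLAINTEXT = b'{"host":"lab-vm","user":"analyst","os":"Windows"}'
SAMPLE_MESSAGE = build_message(SAMPLE_KEY, SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    # The observer never needed a shared secret: the key was in the packet.
    print(decode_observed(SAMPLE_MESSAGE))
```

The same decoder lets an analyst turn captured traffic of this shape back into readable beacon data for detection work.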

Currently, only a limited number of victims have been identified, primarily in India, with Linux users being unaffected by this campaign. So far, no Cisco customers appear to have been compromised.

To mitigate risks, job seekers in the tech and crypto sectors are urged to exercise caution when responding to listings that require the installation of software or execution of terminal commands as part of the application process. Reputable companies do not demand such actions. Cybersecurity teams are encouraged to review their employee onboarding procedures and educate staff about social engineering attacks. Additionally, monitoring for unusual outbound connections or unexpected ZIP file downloads may help in detecting early signs of compromise.