
North Korean hackers use Python-based malware to target leading crypto companies


A North Korean hacking group is targeting crypto workers with Python-based malware delivered as part of a fake job application process, researchers at Cisco Talos said earlier this week.

Most of the victims appear to be based in India, according to open-source signals, and seem to be individuals with prior experience at blockchain and cryptocurrency startups.

While the Cisco report cites no evidence of internal compromise, the wider risk remains clear: these efforts aim to gain access to the companies these individuals may later join.

The malware, called PylangGhost, is a new variant of the previously documented GolangGhost Remote Access Trojan (RAT) and shares most of the same features, rewritten in Python to better target Windows systems.

Mac users continue to be affected by the Golang version, while Linux systems appear to be unaffected. The threat actor behind the campaign, known as Famous Chollima, has been active since mid-2024 and is believed to be a DPRK-aligned group.

Their latest attack vector is simple: impersonate top crypto firms such as Coinbase, Robinhood, and Uniswap through highly polished fake recruiting sites, and invite software engineers, marketers, and designers to complete "skill tests."

Once a target fills in basic information and answers technical questions, they are prompted to install fake video drivers by pasting a command into their terminal, which quietly downloads and launches the Python-based RAT.


The payload is hidden in a zip file that includes a Python interpreter (nvidia.py), a Visual Basic script to unpack the archive, and six main modules responsible for persistence, system fingerprinting, file transfer, shell access, and theft of browser data.

The RAT steals login credentials, session cookies, and wallet data from over 80 browser extensions, including MetaMask, Phantom, TronLink, and 1Password.

The command set allows full remote control of infected machines, including file uploads, downloads, system reconnaissance, and launching a shell; all of it is routed through RC4-encrypted packets.

RC4-encrypted packets are data sent over the Internet that has been scrambled with an older encryption method called RC4. Although the connection itself is unencrypted (HTTP), the data inside is encrypted, but not very well, because RC4 is outdated and easily broken by today's standards.
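To make the previous paragraph concrete, here is an added illustration (not code from the Cisco Talos report or from the malware) of what RC4 framing does and does not protect. The key, the two command packets, and the JSON-style message format are constructed for this example; it shows that an analyst holding the key recovered from a sample can read every captured packet, and that reusing one static key leaks the XOR of any two messages without any key at all.

```python
# Added illustration of RC4 C2 framing and its weaknesses. The key and
# messages below are constructed; nothing here comes from the PylangGhost
# sample or the Cisco Talos report.

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Generate `length` bytes of RC4 keystream (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is a stream cipher: encrypting and decrypting are the same XOR."""
    ks = rc4_keystream(key, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def decrypt_capture(key: bytes, packets: list) -> list:
    """A defender who holds the key (e.g. extracted from the sample during
    analysis) decrypts every packet seen on the wire, since HTTP adds nothing."""
    return [rc4(key, p) for p in packets]


def keystream_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """With one static key every packet uses the same keystream, so XORing two
    ciphertexts yields the XOR of their plaintexts: no key needed to see where
    two C2 messages differ."""
    return bytes(a ^ b for a, b in zip(c1, c2))


# Constructed sample: a hypothetical static key and two command packets.
KEY = b"example-static-key"
P1 = b'{"cmd":"sysinfo","host":"WS-01"}'
P2 = b'{"cmd":"upload","host":"WS-01"}'
C1, C2 = rc4(KEY, P1), rc4(KEY, P2)
```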

Despite being a rewrite, PylangGhost mirrors GolangGhost's structure and naming conventions almost exactly, suggesting that it was likely written by the same operator, Cisco said.
