{
	"id": "55e29798-bf90-4110-bc45-acf4cbef102d",
	"created_at": "2026-04-06T00:22:09.08415Z",
	"updated_at": "2026-04-10T13:11:30.4012Z",
	"deleted_at": null,
	"sha1_hash": "99b0919335ed83b75d201099aff69e6b41184a6a",
	"title": "Famous Chollima deploying Python version of GolangGhost RAT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1331633,
	"plain_text": "Famous Chollima deploying Python version of GolangGhost RAT\r\nBy Vanja Svajcer\r\nPublished: 2025-06-18 · Archived: 2026-04-05 22:49:58 UTC\r\nWednesday, June 18, 2025 06:00\r\nIn May 2025, Cisco Talos identified a Python-based remote access trojan (RAT) we call “PylangGhost,” used exclusively by a North Korean-aligned threat actor. PylangGhost is functionally similar to the previously documented GolangGhost RAT, sharing many of the same capabilities.\r\nIn recent campaigns, the threat actor Famous Chollima — potentially made up of multiple groups — has been using a Python-based version of their trojan to target Windows systems, while continuing to deploy a Golang-based version for MacOS users. Linux users are not targeted in these latest campaigns.\r\nThe attacks are targeting employees with experience in cryptocurrency and blockchain technologies.\r\nBased on open-source intelligence, only a small number of users, predominantly in India, are affected.\r\nCisco product telemetry does not indicate that there are any affected Cisco users.\r\nSince mid-2024, Famous Chollima (aka Wagemole), a North Korean-aligned threat actor, has been very active through several well-documented campaigns. These campaigns include using variants of Contagious Interview (aka DeceptiveDevelopment) and creating fake job advertisements and skill-testing pages. In the latter, users are instructed to copy and paste (ClickFix) a malicious command line in order to install drivers allegedly necessary to conduct the final skill-testing stage.\r\nToward the end of the year, researchers documented Famous Chollima’s remote access trojan (RAT) called “GolangGhost” in its source code format, which was frequently used as the final payload in the threat actor’s ClickFix campaigns.
\r\nhttps://blog.talosintelligence.com/python-version-of-golangghost-rat/\r\nPage 1 of 12\n\nIn May 2025, Cisco Talos discovered threat actors starting to deploy a functionally equivalent Python variant of the GolangGhost trojan, which we call “PylangGhost.”\r\nFake job interview sites mislead users to PylangGhost infection\r\nFamous Chollima seeks financial benefit using a two-pronged approach: first, by creating fake employers in order to get jobseekers to expose their personal information, and second, by placing fake employees as workers in targeted victim companies.\r\nThis blog focuses on the first method, where real software engineers, marketing employees, designers and other workers are targeted by fake recruiters and instructed to visit skill-testing pages in order to move forward with their application.\r\nBased on the advertised positions, it is clear that Famous Chollima is broadly targeting individuals with previous experience in cryptocurrency and blockchain technologies. The skill-testing sites attempt to impersonate real companies such as Coinbase, Archblock, Robinhood, Parallel Studios, Uniswap and others, which helps with the targeting.\r\nFigure 1. Examples of initial fake job sites.\r\nEach target is sent an invite code to visit a testing website where, depending on the position, they are instructed to enter their details and answer several questions to test their experience and skills. The sites are created using the React framework and have very similar visual designs, no matter the type of position.\r\nFigure 2. 
Example of questions asked for an illegitimate Business Development Manager position at Robinhood.\r\nOnce the user answers all the questions and provides personal details, the site displays an invitation to record a video for the interviewer, recommending that the user request camera access by pressing a button.\r\nFigure 3. A camera setup page displayed once questions are answered.\r\nFinally, when the user requests camera access, the site displays instructions for the user to copy, paste and execute a command that allegedly installs the required video drivers, if the OS is supported. When Talos used Windows and MacOS test systems, the instructions were shown as seen in Figures 4 and 5. The Linux test system led to a different error message, without any instructions to download and install the payload.\r\nFigure 4. Windows instructions to copy, paste and execute a malicious command.\r\nFigure 5. MacOS instructions to copy, paste and execute a malicious command.\r\nInstructions for downloading the alleged fix differ based on browser fingerprinting and are given in the appropriate shell language for the OS: PowerShell or Command Shell for Windows, and Bash for MacOS.\r\nFigure 6. Command Shell, PowerShell or Bash instructions to download a payload.\r\nPylangGhost - Python variant of GolangGhost\r\nAs the Golang variant of the RAT is already well-documented, this blog focuses on the Python version and the similarities between the two. The initial stage consists of a command line which the fake webpage tells the unsuspecting user to copy, paste and execute.\r\nThe command line uses either PowerShell Invoke-WebRequest or curl to download a ZIP file containing the PylangGhost modules as well as a Visual Basic Script file. 
This script is responsible for unzipping the Python library stored in the “lib.zip” file and launching the trojan by running a renamed Python interpreter with the file “nvidia.py” as the Python program to run.\r\nFigure 7. The first stage simply unzips a Python distribution library and launches the RAT.\r\nPylangGhost consists of six well-structured Python modules. It is not clear to Talos why the threat actors decided to create two variants in different programming languages, or which was created first. Based on the comments in the code, it is unlikely that the threat actors used a large language model (LLM) to help rewrite the code for Python. One of the strings in the configuration module file (“config.py”) indicates that the Python version is 1.0, while the corresponding configuration variable in the Golang version indicates that the version is 2.0. However, Talos cannot definitively conclude that those two version numbers are comparable.\r\nThe execution starts with the file “nvidia.py”, which performs several tasks: it creates a registry value to launch the RAT every time the user logs onto the system, generates a GUID for the system to be used in communication with the command and control (C2) server, connects to the C2 server and enters the command loop for communication with the server.\r\nFigure 8. “nvidia.py” executes the main loop for communication with the C2 server.\r\nThe configuration file “config.py” specifies the commands that can be received from the server, which are identical to the commands previously documented in the Golang version of the RAT. 
These commands enable remote control of the infected system and the theft of cookies and credentials from over 80 browser extensions, including password managers and cryptocurrency wallets such as Metamask, 1Password, NordPass, Phantom, Bitski, Initia, TronLink and MultiverseX.\r\nThe command handling module, “command.py”, defines function handlers and handles the commands received from the C2 server.\r\nCommand  Functionality\r\nqwer  COMMAND_INFORMATION - collect information about the infected system (username, OS version, etc.)\r\nasdf  COMMAND_FILE_UPLOAD - file upload\r\nzxcv  COMMAND_FILE_DOWNLOAD - file download\r\nvbcx  COMMAND_OS_SHELL - launch an OS shell for remote access and control of the infected system\r\nghdj  COMMAND_WAIT - sleep for a number of seconds specified by the C2 server\r\nr4ys  COMMAND_AUTO - browser information stealing command\r\n89io  AUTO_CHROME_GATHER_COMMAND - subcommand of the browser information stealer command\r\ngi%#  AUTO_CHROME_COOKIE_COMMAND - subcommand of the browser information stealer command\r\ndghh  COMMAND_EXIT\r\nTable 1. Commands and functionalities.\r\nThe module “auto.py” contains the functionality for stealing the stored browser credentials and session cookies, as well as collecting data from various browser extensions.\r\n“api.py” is responsible for implementing the communications protocol with the C2 server, using RC4 to encrypt packets sent over otherwise unencrypted HTTP. The data in an HTTP packet is encrypted with the RC4 algorithm, but the encryption key is also sent within the packet structure. The packet begins with a 16-byte MD5 checksum of the rest of the packet, for verification of data integrity, followed by 128 bytes containing the RC4 encryption key, followed by the encrypted data blob.
\r\nFinally, “util.py” handles the compression and decompression of files.\r\nComparison of Python and Golang modules\r\nTo assess the similarity between the two versions, Talos compares the names of the modules written in the two languages as well as their functionality. The structure, the naming conventions and the function names are very similar, which indicates that the developers of the two versions either worked closely together or are the same person.\r\nModule  Python name  Golang name\r\nMain function module  nvidia.py  cloudfixer.go\r\nConfiguration module  config.py  config/constans.go\r\nMain command loop  nvidia.py  core/loop.go\r\nCommand handlers  command.py  core/loop.go\r\nBrowser stealer functionality  auto.py  auto/* modules\r\nFile compression  util.py  util/compress.go\r\nBase64 message encoding  command.py  command/stackcmd.go\r\nDuplicate process check  nvidia.py  instance/check.go\r\nCommunications protocol  api.py  transport/htxp.go\r\nTable 2. Comparison of Python and Golang RAT module names.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.
\r\nCisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.\r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.\r\nCisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles. Secure Access provides seamless, transparent and secure access to the internet, cloud services or private applications no matter where your users work. Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.\r\nUmbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.\r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall Management Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.\r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
\r\nClamAV detections available for this threat:\r\nWin.Backdoor.PyChollima-10045389-0\r\nWin.Backdoor.PyChollima-10045388-0\r\nWin.Backdoor.PyChollima-10045387-0\r\nWin.Backdoor.PyChollima-10045386-0\r\nWin.Backdoor.PyChollima-10045385-0\r\nWin.Backdoor.PyChollima-10045384-0\r\nIOCs\r\nThe IOCs (SHA256 hashes of the modules and archives, C2 servers, download host names and fake job interview host names) can also be found in our GitHub repository here.\r\nSource: https://blog.talosintelligence.com/python-version-of-golangghost-rat/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.talosintelligence.com/python-version-of-golangghost-rat/"
	],
	"report_names": [
		"python-version-of-golangghost-rat"
	],
	"threat_actors": [
		{
			"id": "7187a642-699d-44b2-9c69-498c80bce81f",
			"created_at": "2025-08-07T02:03:25.105688Z",
			"updated_at": "2026-04-10T02:00:03.78394Z",
			"deleted_at": null,
			"main_name": "NICKEL TAPESTRY",
			"aliases": [
				"CL-STA-0237 ",
				"CL-STA-0241 ",
				"DPRK IT Workers",
				"Famous Chollima ",
				"Jasper Sleet Microsoft",
				"Purpledelta Recorded Future",
				"Storm-0287 ",
				"UNC5267 ",
				"Wagemole "
			],
			"source_name": "Secureworks:NICKEL TAPESTRY",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4fc99d9b-9b66-4516-b0db-520fbef049ed",
			"created_at": "2025-10-29T02:00:51.949631Z",
			"updated_at": "2026-04-10T02:00:05.346203Z",
			"deleted_at": null,
			"main_name": "Contagious Interview",
			"aliases": [
				"Contagious Interview",
				"DeceptiveDevelopment",
				"Gwisin Gang",
				"Tenacious Pungsan",
				"DEV#POPPER",
				"PurpleBravo",
				"TAG-121"
			],
			"source_name": "MITRE:Contagious Interview",
			"tools": [
				"InvisibleFerret",
				"BeaverTail",
				"XORIndex Loader",
				"HexEval Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d05e8567-9517-4bd8-a952-5e8d66f68923",
			"created_at": "2024-11-13T13:15:31.114471Z",
			"updated_at": "2026-04-10T02:00:03.761535Z",
			"deleted_at": null,
			"main_name": "WageMole",
			"aliases": [
				"Void Dokkaebi",
				"WaterPlum",
				"PurpleBravo",
				"Famous Chollima",
				"UNC5267",
				"Wagemole",
				"Nickel Tapestry",
				"Storm-1877"
			],
			"source_name": "MISPGALAXY:WageMole",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ef59a0d9-c556-4448-8553-ed28f315d352",
			"created_at": "2025-06-29T02:01:57.047978Z",
			"updated_at": "2026-04-10T02:00:04.744218Z",
			"deleted_at": null,
			"main_name": "Operation Contagious Interview",
			"aliases": [
				"Jasper Sleet",
				"Nickel Tapestry",
				"Operation Contagious Interview",
				"PurpleBravo",
				"Storm-0287",
				"Tenacious Pungsan",
				"UNC5267",
				"Wagemole",
				"WaterPlum"
			],
			"source_name": "ETDA:Operation Contagious Interview",
			"tools": [
				"BeaverTail",
				"InvisibleFerret",
				"OtterCookie",
				"PylangGhost"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434929,
	"ts_updated_at": 1775826690,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/99b0919335ed83b75d201099aff69e6b41184a6a.pdf",
		"text": "https://archive.orkl.eu/99b0919335ed83b75d201099aff69e6b41184a6a.txt",
		"img": "https://archive.orkl.eu/99b0919335ed83b75d201099aff69e6b41184a6a.jpg"
	}
}