North Korean hacker tried to hack iOS data

The North Korean-aligned Famous Chollima group has intensified its cyber operations by deploying a sophisticated new Python-based remote access trojan (RAT) targeting Windows and macOS users in the cryptocurrency and blockchain sectors. This malware campaign marks a significant evolution of their previously documented GolangGhost RAT, showcasing the group’s technical sophistication and adaptability in pursuing financial gain through elaborate social engineering schemes.

The attack primarily targets software engineers, marketing professionals, designers, and others experienced in cryptocurrency and blockchain technologies through a deceptive fake job recruitment process.


The threat actors create convincing fake employer websites impersonating legitimate companies like Coinbase, Archblock, Robinhood, Parallel Studios, and Uniswap to lure unsuspecting victims.

Cisco Talos researchers identified this new variant, dubbed “PylangGhost,” in May 2025. They noted that it is functionally similar to the GolangGhost RAT, while each version keeps capabilities specific to its operating system. The group deploys the Python-based version against Windows users and continues to use the Golang-based version against macOS users; Linux systems are currently not targeted.

The infection process begins with victims receiving invite codes to access skill-testing websites built using the React framework. After completing questionnaires and providing personal details, victims are prompted to enable camera access for video recording. The malicious sites then instruct users to install fake video drivers, with tailored commands for their operating systems.


Windows users receive PowerShell or Command Shell instructions, while macOS users get Bash commands. This process downloads a ZIP file containing PylangGhost modules and a Visual Basic Script that extracts the Python library and launches the trojan through a renamed Python interpreter executing “nvidia.py.”

This multi-stage approach disguises the malware deployment as a legitimate software installation, exploiting users’ trust. The PylangGhost architecture consists of six structured Python modules, with execution starting in “nvidia.py,” which establishes system persistence and initiates command-and-control communications. The malware can steal credentials and session cookies from over 80 browser extensions, including popular cryptocurrency wallets like MetaMask and 1Password, directly supporting the group’s financial objectives.
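The delivery chain described above (a Visual Basic Script launching a renamed Python interpreter that runs “nvidia.py”) leaves a recognisable pattern in process-creation telemetry. The following is an added detection example, not code from Cisco Talos or from the malware: it parses a few constructed, Sysmon-style process-creation events and flags a Windows Script Host process that spawns a child executing “nvidia.py”, and any process running a .py script whose image name is not a standard Python interpreter name. The field names, the sample events, and the assumed renamed-interpreter name `svc.exe` are all constructed for the demonstration.

```python
"""Detection heuristics for the PylangGhost delivery chain.

Added example (not Cisco Talos' or the malware's code). Events are
constructed, simplified Sysmon-style process-creation records:
parent image, image, and command line.
"""
from dataclasses import dataclass
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}          # Windows Script Host binaries
PYTHON_NAMES = {"python.exe", "python3.exe", "pythonw.exe",
                "py.exe", "python", "python3"}          # expected interpreter names

# Matches a bare or quoted token ending in .py anywhere in a command line.
_PY_SCRIPT_RE = re.compile(r'(?:^|\s)"?([^\s"]+\.py)"?(?:\s|$)', re.IGNORECASE)


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return re.split(r"[\\/]", path)[-1].lower()


def find_py_script(cmdline: str):
    """Return the first .py argument in a command line, or None."""
    m = _PY_SCRIPT_RE.search(cmdline)
    return m.group(1) if m else None


def assess(ev: ProcEvent) -> list:
    """Return a list of finding strings for one event (empty = nothing suspicious)."""
    findings = []
    script = find_py_script(ev.command_line)
    parent = basename(ev.parent_image)
    image = basename(ev.image)

    # 1. A .vbs run by WSH spawning the stager entry point named in the article.
    if parent in SCRIPT_HOSTS and script and basename(script) == "nvidia.py":
        findings.append("vbs-launched nvidia.py")

    # 2. A .py script executed by a binary that is not named like a Python interpreter.
    if script and image not in PYTHON_NAMES:
        findings.append(f"renamed interpreter {image} running {basename(script)}")
    return findings


def scan(events):
    """Map event index -> findings for every event that triggers at least one rule."""
    return {i: f for i, ev in enumerate(events) if (f := assess(ev))}


# Constructed sample telemetry (not real indicators).
SAMPLE_EVENTS = [
    # Stager: wscript.exe runs the dropped .vbs, which launches a renamed interpreter.
    ProcEvent(r"C:\Windows\System32\wscript.exe",
              r"C:\Users\u\AppData\Local\Temp\vid\svc.exe",
              r'"C:\Users\u\AppData\Local\Temp\vid\svc.exe" nvidia.py'),
    # Benign developer activity: explorer -> python.exe running a build script.
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Python311\python.exe",
              "python.exe build.py"),
    # Benign admin script: cscript launches a normally named interpreter, no nvidia.py.
    ProcEvent(r"C:\Windows\System32\cscript.exe", r"C:\Python311\python.exe",
              "python.exe deploy.py"),
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(findings)}")
```

Rule 2 is the more general of the two: it does not depend on the file name “nvidia.py” and will also surface other campaigns that rename the interpreter, at the cost of false positives from legitimately embedded or vendored Python runtimes, which should be allow-listed by image path and signer before deployment.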