Hackers from North Korea have created a new virus for cyberattacks on cryptocurrency and blockchain developers
The North Korean hacker group Famous Chollima has stepped up cyberattacks against cryptocurrency and blockchain specialists using the new PylangGhost trojan. According to Cisco Talos analysts, the attackers are creating fake websites that mimic well-known crypto exchanges and platforms, including Coinbase, Robinhood, and Uniswap, to gain access to victims' personal data and accounts under the guise of potential employers.
The attack works as follows: applicants are invited to an online interview, during which they are told to visit a fake website and perform several steps, including running a command that supposedly installs a driver needed for the video interview. At that point an archive containing the components of the PylangGhost Python trojan is downloaded to the computer, among them the nvidia.py script, which connects to the control servers and launches the malware automatically.
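The chain described above leaves a recognisable footprint on the endpoint: an interactive shell (where the victim pasted the "driver install" command) spawns a Python interpreter from a user-writable staging directory, and that interpreter runs a script named nvidia.py. The following detection logic is an added example, not code from the Cisco Talos report; the log schema, field names, directory patterns and sample events are constructed assumptions, and only the script name nvidia.py comes from the article.

```python
import json
import re

# Python interpreter binaries on Windows, macOS and Linux.
PYTHON_IMAGES = re.compile(r"(^|[\\/])python(3(\.\d+)?|w)?(\.exe)?$", re.I)

# Script name the article reports for the component that contacts the C2.
LURE_SCRIPT = "nvidia.py"

# Shells a pasted "install the driver" command would be launched from.
SHELL_PARENTS = re.compile(r"(^|[\\/])(cmd\.exe|powershell\.exe|pwsh(\.exe)?|bash|zsh|sh)$", re.I)

# User-writable staging directories (assumption: the archive is unpacked here).
STAGING_DIRS = re.compile(r"[\\/](Temp|Downloads|tmp)[\\/]", re.I)


def score_event(ev):
    """Return the list of suspicious traits found in one process-creation event."""
    reasons = []
    image, cmdline, parent = ev.get("image", ""), ev.get("cmdline", ""), ev.get("parent", "")
    if PYTHON_IMAGES.search(image):
        if LURE_SCRIPT in cmdline.lower():
            reasons.append("python executing %s" % LURE_SCRIPT)
        if STAGING_DIRS.search(image):
            reasons.append("interpreter launched from user-writable staging directory")
        if SHELL_PARENTS.search(parent):
            reasons.append("spawned by an interactive shell (pasted-command pattern)")
    return reasons


def flag_events(log_text):
    """Parse JSON-lines process events and flag those with at least two traits.

    Requiring two traits keeps ordinary developer activity (python3 -m pytest
    from a terminal) below the threshold while the lure chain scores three.
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        reasons = score_event(ev)
        if len(reasons) >= 2:
            hits.append({"host": ev["host"], "user": ev["user"], "reasons": reasons})
    return hits


# Constructed sample events (a generic EDR/Sysmon-like schema, not real telemetry).
_EVENTS = [
    {"host": "dev-laptop-01", "user": "alice",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\pylang\python.exe",
     "cmdline": "python.exe nvidia.py"},
    {"host": "mbp-bob", "user": "bob",
     "parent": "/bin/zsh",
     "image": "/Users/bob/Downloads/pylang/bin/python3",
     "cmdline": "python3 nvidia.py"},
    {"host": "dev-laptop-02", "user": "carol",
     "parent": r"C:\Program Files\VSCode\Code.exe",
     "image": r"C:\Python312\python.exe",
     "cmdline": "python.exe manage.py runserver"},
    {"host": "build-01", "user": "dave",
     "parent": "/bin/bash",
     "image": "/usr/bin/python3",
     "cmdline": "python3 -m pytest"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in _EVENTS)

if __name__ == "__main__":
    for hit in flag_events(SAMPLE_LOG):
        print(hit["host"], hit["user"], "; ".join(hit["reasons"]))
```

The scoring is deliberately a combination of traits rather than a match on the file name alone: renaming nvidia.py costs the attacker nothing, whereas "interpreter from a temp directory, parented by a shell" describes the pasted-command delivery itself and survives trivial renames.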
The new trojan is similar to the group's earlier tool, GolangGhost, and is designed to remotely control the infected system and collect data. In particular, PylangGhost can steal files, passwords, cookies and data from more than 80 browser extensions, including MetaMask, 1Password, NordPass, Phantom, TronLink and MultiversX. The main targets are reportedly Windows and macOS users, although other systems are at risk as well.
The trojan's structure comprises six main files, responsible for startup, command processing, data theft, RC4-encrypted communication with the server, and compression and decompression of data. The expert report emphasizes that this is not a simple phishing attack but a multi-stage campaign aimed at long-term control over the devices of industry professionals.
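RC4 is a symmetric stream cipher, so the key that protects the C2 channel has to be present in the sample; once an analyst recovers it, every captured exchange can be decoded offline. The following decoder is an added example, not code from the report or from the malware: the key, the message layout (zlib-compressed JSON under RC4) and the sample beacon are all constructed assumptions, since the article only states that RC4 and compression are used.

```python
import json
import zlib


def rc4_keystream(key: bytes):
    """Generate the RC4 keystream: key scheduling (KSA) then output (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # KSA: permute S under the key
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:                               # PRGA: one keystream byte per step
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is XOR with the keystream, so the same call encrypts and decrypts."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def decode_c2_message(key: bytes, blob: bytes) -> dict:
    """Analyst-side decoder: strip RC4, decompress, parse JSON (assumed layout)."""
    return json.loads(zlib.decompress(rc4(key, blob)).decode("utf-8"))


def encode_c2_message(key: bytes, obj: dict) -> bytes:
    """Inverse of decode_c2_message; used here only to build test traffic."""
    return rc4(key, zlib.compress(json.dumps(obj, sort_keys=True).encode("utf-8")))


# Constructed values: a placeholder key and a beacon-style message, not real IoCs.
DEMO_KEY = b"constructed-demo-key"
DEMO_MESSAGE = {"type": "beacon", "host": "dev-laptop-01", "os": "windows"}

if __name__ == "__main__":
    blob = encode_c2_message(DEMO_KEY, DEMO_MESSAGE)
    print("ciphertext:", blob.hex())
    print("decoded:   ", decode_c2_message(DEMO_KEY, blob))
```

Two properties matter to a defender here. A bare RC4 channel has no nonce, so identical messages under the same key produce identical bytes on the wire, which makes repeated beacons a usable network signature. It also has no integrity check: a flipped ciphertext byte silently flips the corresponding plaintext byte, and only the compression layer may happen to notice.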
Famous Chollima is known to have used such tactics before: the group has previously placed fake employees in companies in Europe and was involved in the large-scale theft of more than $1.4 billion from Bybit in April 2025. Experts emphasize that such attacks combine elements of espionage, economic sabotage and cybercrime.