North Korean Hackers Pose as Recruiters to Steal Crypto With the “PylangGhost” Trojan

Evolution journalist

Good people


About the author

Anas is a crypto-native journalist and SEO writer with more than five years of writing experience covering blockchain, crypto, DeFi and emerging technology.

Last update:

June 20, 2025



Why Trust Cryptonews

Cryptonews has covered cryptocurrency topics since 2017, with the aim of providing useful insights to our readers. Our journalists and analysts have extensive experience in market analysis and blockchain technologies. We strive to maintain high editorial standards, focusing on factual accuracy and balanced reporting in all areas, from cryptocurrencies and blockchain projects to industry events, products and technological developments. Our continued presence in the industry reflects our commitment to providing relevant information in the evolving world of digital assets.

North Korean cybercriminals have escalated their operations with the PylangGhost Trojan.

They run fake job interview schemes that impersonate major companies, including Coinbase, Robinhood, and Uniswap, to steal credentials from more than 80 browser extensions and crypto wallets.

Cisco Talos researchers identified this as the latest campaign by the “Famous Chollima” threat group.

The attacks focus primarily on cryptocurrency and blockchain professionals in India. They lure victims through fraudulent skill-testing sites that appear legitimate but ultimately trick users into running malicious commands disguised as video driver installations for fake interview recordings.

Source: Talos Intelligence

The PylangGhost campaign represents the latest escalation in North Korea's systematic targeting of the cryptocurrency industry, which yielded more than $1.3 billion in stolen funds across 47 separate incidents in 2024 alone, according to analysis data.

PylangGhost Trojan: From Fake Contact to Full System Compromise

The PylangGhost operation is built on advanced social engineering tactics, starting with contact from carefully crafted fake recruiters who target specific expertise in cryptocurrency and blockchain.

Victims receive invitations to skill-testing sites built with the React framework, which closely mimic legitimate company assessment platforms.

These sites contain technical questions designed to validate the target's professional background and create an authentic interview experience.

The psychological manipulation peaks when candidates complete the assessments and are invited to record video interviews. The site requests camera access through a seemingly harmless button.


Once the user requests camera access, the site displays instructions tailored to the underlying system for downloading supposed video drivers. Different command shells are offered based on browser fingerprinting, including PowerShell or Command Shell for Windows users and Bash for macOS systems.


The malicious command downloads a compressed archive containing the PylangGhost modules and a Visual Basic script that unpacks the Python library. The Trojan is then launched through a renamed Python interpreter, using “NVIDIA.PY” as the execution file.

The malware's capabilities go beyond simple credential theft. It establishes persistent access through registry modifications that ensure the RAT launches every time the user logs in to the system.
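The two behaviours described above, a renamed Python interpreter and a logon autostart entry pointing at it, can be correlated in endpoint telemetry. The sketch below is an added example, not code from the article or from Talos: the events are constructed, use Sysmon field names (Event ID 1 process creation, Event ID 13 registry value set), and the Run/RunOnce key location and the `placeholder_*` names are assumptions.

```python
import ntpath

# Assumption: the renamed binary's PE version resource still reports a Python name.
PYTHON_ORIGINAL_NAMES = {"python.exe", "pythonw.exe"}
# Assumption: logon autostart uses a Run/RunOnce value; the article only says "registry modifications".
AUTOSTART_MARKERS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")

# Constructed Sysmon-style events; paths and value names are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Python312\python.exe", "OriginalFileName": "python.exe",
     "CommandLine": r"python.exe C:\build\manage.py test"},
    {"EventID": 1, "Image": r"C:\Users\dev\AppData\Local\drv\placeholder_host.exe",
     "OriginalFileName": "python.exe", "CommandLine": "placeholder_host.exe nvidia.py"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-0\Software\Microsoft\Windows\CurrentVersion\Run\placeholder_value",
     "Details": r"C:\Users\dev\AppData\Local\drv\placeholder_host.exe nvidia.py"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\updater.exe",
     "TargetObject": r"HKU\S-1-5-21-0\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r"C:\Program Files\Vendor\updater.exe /background"},
]

def renamed_python(event):
    """True for a process creation whose PE metadata says Python but whose file name does not."""
    if event.get("EventID") != 1:
        return False
    original = event.get("OriginalFileName", "").lower()
    on_disk = ntpath.basename(event.get("Image", "")).lower()
    return original in PYTHON_ORIGINAL_NAMES and on_disk != original

def find_chains(events):
    """Pair each renamed interpreter with any autostart value whose data references it."""
    chains = []
    for proc in (e for e in events if renamed_python(e)):
        image = proc["Image"].lower()
        for reg in events:
            if reg.get("EventID") != 13:
                continue
            key = reg.get("TargetObject", "").lower()
            if any(m in key for m in AUTOSTART_MARKERS) and image in reg.get("Details", "").lower():
                chains.append((proc, reg))
    return chains

if __name__ == "__main__":
    for proc, reg in find_chains(SAMPLE_EVENTS):
        print("renamed Python:", proc["Image"], "| autostart:", reg["TargetObject"])
```

Matching on the PE metadata rather than the file name means the check still fires if the interpreter or the script is given a different name in a later wave.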

PylangGhost generates a unique system GUID for communicating with command-and-control servers and implements advanced data theft capabilities targeting more than 80 browser extensions, including critical cryptocurrency wallets such as MetaMask, Phantom, Bitski, TronLink and MultiverseX.

The Trojan's modular design allows remote file upload and download, OS shell access, and comprehensive browser data collection, including stored credentials, cookies, and extension data from password managers such as 1Password and NordPass.

A Global Campaign Threatening the Crypto Industry

The discovery of PylangGhost is just the visible part of a massive, coordinated North Korean cyber campaign that primarily threatens crypto businesses and professionals around the world.

Intelligence agencies from Japan, South Korea and the United States have documented how North Korea-backed groups carried out large-scale operations that led to the theft of at least $659 million through cryptocurrency heists in 2024 alone.

Recent enforcement actions have revealed the true scale of North Korean cyber operations. The FBI seized the BlockNovas LLC domain, which was used to set up legitimate-looking corporate entities and run long-term deception campaigns.

The $50 million Radiant Capital breach demonstrated the effectiveness of these tactics, when North Korean operatives successfully posed as former contractors and distributed malware-laden PDFs to engineers.

By contrast, although these tactics remain effective, Kraken's recent disclosure that it identified and thwarted a North Korean job applicant shows that major exchanges are now implementing enhanced screening procedures to detect infiltration attempts.

Likewise, BitMEX recently carried out an operation that exposed significant weaknesses within the Lazarus Group. These included exposed IP addresses and accessible databases, which revealed the group's fragmented structure, with technical capabilities varying across different cells.

The international response has intensified significantly, with South Korea and the European Union formalizing cybersecurity cooperation agreements that specifically target North Korean cryptocurrency operations.

Meanwhile, US authorities have expanded forfeiture actions to recover more than $7.7 million in crypto assets acquired through networks of IT workers.

The escalating threat has prompted discussions at the highest levels of international diplomacy, with G7 leaders expected to address North Korea's escalating cyberattacks at upcoming summits as member states seek coordinated strategies to protect global financial infrastructure.



2025-06-20 09:17:00
