{"id":32866,"date":"2025-06-20T14:01:31","date_gmt":"2025-06-20T14:01:31","guid":{"rendered":"https:\/\/dogewisperer.com\/?p=32866"},"modified":"2025-06-20T14:01:31","modified_gmt":"2025-06-20T14:01:31","slug":"crypto-jobs-in-danger-north-korean-hackers-strike-again-with-new-malware","status":"publish","type":"post","link":"https:\/\/dogewisperer.com\/?p=32866","title":{"rendered":"Crypto Jobs in Danger: North Korean Hackers Strike Again With New Malware"},"content":{"rendered":"<div>\n<p>According to <a href=\"https:\/\/blog.talosintelligence.com\/python-version-of-golangghost-rat\/\" target=\"_blank\" rel=\"noopener nofollow\">Cisco Talos<\/a>, a North Korean\u2011aligned group has quietly stepped up efforts to target crypto job hunters in India with a new Python\u2011based remote access trojan.<\/p>\n<p>The campaign uses <a href=\"https:\/\/therecord.media\/north-korea-india-crypto-applicants\" target=\"_blank\" rel=\"noopener nofollow\">fake job sites<\/a> and staged interviews to trick candidates into running malicious code. Victims end up handing over keys to their wallets and password managers.<\/p>\n<h2><strong>Bogus Job Platforms<\/strong><\/h2>\n<p>Job seekers are lured by postings that mimic big names like Coinbase, Robinhood and Uniswap. Recruiters reach out through LinkedIn or email. They invite candidates to a \u201cskill\u2011testing\u201d site. It feels harmless at first. Behind the scenes, the site is collecting system details and browser info.<\/p>\n<p><img data-recalc-dims=\"1\" fetchpriority=\"high\" decoding=\"async\" class=\"aligncenter size-full wp-image-508883\" src=\"https:\/\/bitcoinist.com\/wp-content\/uploads\/2025\/06\/A_0d4cab.png?resize=891%2C410\" alt=\"\" width=\"891\" height=\"410\" srcset=\"https:\/\/bitcoinist.com\/wp-content\/uploads\/2025\/06\/A_0d4cab.png?w=891 891w, https:\/\/bitcoinist.com\/wp-content\/uploads\/2025\/06\/A_0d4cab.png?w=640 640w, https:\/\/bitcoinist.com\/wp-content\/uploads\/2025\/06\/A_0d4cab.png?w=768 768w, https:\/\/bitcoinist.com\/wp-content\/uploads\/2025\/06\/A_0d4cab.png?w=750 750w\" sizes=\"(max-width: 891px) 100vw, 891px\"><\/p>\n<h2><strong>Deceptive Interview Process<\/strong><\/h2>\n<p>After the test, candidates join a live video interview. They\u2019re told to update their camera drivers. In a quick move, they copy and paste commands into a terminal window. One click and PylangGhost is installed. The whole scheme runs smoothly\u2014until the <a href=\"https:\/\/www.cisco.com\/site\/us\/en\/learn\/topics\/security\/what-is-malware.html#:~:text=Malware%2C%20short%20for%20malicious%20software,spyware%2C%20adware%2C%20and%20ransomware.\" target=\"_blank\" rel=\"noopener nofollow\">malware<\/a> takes over.<\/p>\n<p><img loading=\"lazy\" data-recalc-dims=\"1\" decoding=\"async\" class=\"aligncenter size-full wp-image-508885\" src=\"https:\/\/bitcoinist.com\/wp-content\/uploads\/2025\/06\/A_0aaa99.png?resize=860%2C280\" alt=\"\" width=\"860\" height=\"280\" srcset=\"https:\/\/bitcoinist.com\/wp-content\/uploads\/2025\/06\/A_0aaa99.png?w=860 860w, https:\/\/bitcoinist.com\/wp-content\/uploads\/2025\/06\/A_0aaa99.png?w=640 640w, https:\/\/bitcoinist.com\/wp-content\/uploads\/2025\/06\/A_0aaa99.png?w=768 768w, https:\/\/bitcoinist.com\/wp-content\/uploads\/2025\/06\/A_0aaa99.png?w=750 750w\" sizes=\"auto, (max-width: 860px) 100vw, 860px\"><\/p>\n<p><strong>Advanced RAT Tool<\/strong><\/p>\n<p><a href=\"https:\/\/otx.alienvault.com\/pulse\/6852f50f8e7fb42e2328c1c5\" target=\"_blank\" rel=\"noopener nofollow\">PylangGhost<\/a> is a spin on the earlier GolangGhost tool. Once active, it grabs cookies and passwords from more than 80 browser extensions. This list includes MetaMask, 1Password, NordPass, Phantom, Bitski, Initia, TronLink and MultiverseX.<\/p>\n<p>The trojan then opens a back door for remote control. It can take screenshots, manage files, steal browser data and keep a hidden presence on the system.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full\" src=\"https:\/\/www.tradingview.com\/x\/emmElbaq\/\" width=\"1835\" height=\"884\"><br \/>\n<strong>History Of Similar Attacks<\/strong><\/p>\n<p>North Korean hackers used a fake recruitment test in April before the $1.4\u202fbillion Bybit heist. And they\u2019ve tried similar tricks with infected PDFs and malicious links.<\/p>\n<p>This group\u2014known as Famous Chollima or Wagemole\u2014has stolen millions through <a href=\"https:\/\/coinmarketcap.com\/\" rel=\"nofollow noopener\" target=\"_blank\">crypto<\/a> wallet breaches since 2019. Their goal is simple: get valid credentials and then quietly move funds.<\/p>\n<p><strong>Industry Response Measures<\/strong><\/p>\n<p>Security teams are on alert. They recommend checking every URL for spelling mistakes and odd domains. Experts say to verify job offers through trusted channels.<\/p>\n<p>Endpoint detection tools should flag any script that calls remote servers. And multi\u2011factor authentication can block stolen passwords from giving full access.<\/p>\n<p>This alert shows how far state\u2011linked actors will go to steal crypto assets. The mix of social engineering and custom malware is a potent risk. Anyone hunting for work in blockchain should double\u2011check every link and never run unverified code.<\/p>\n<p>Keeping hardware wallets offline and using separate profiles for job hunting can cut down on exposure. Vigilance in the hiring process and solid technical controls remain the best defense against these evolving threats.<\/p>\n<p><em>Featured image from Shutterstock, chart from TradingView<\/em><\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>According to Cisco Talos, a North Korean\u2011aligned group has quietly stepped up efforts to target crypto job hunters in India with a new Python\u2011based remote access trojan. The campaign uses fake job sites and staged interviews to trick candidates into running malicious code. Victims end up handing over keys to their wallets and password managers. [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"iawp_total_views":0,"footnotes":""},"categories":[2],"tags":[3,4,5],"class_list":["post-32866","post","type-post","status-publish","format-standard","hentry","category-news","tag-crypto","tag-doge","tag-news"],"_links":{"self":[{"href":"https:\/\/dogewisperer.com\/index.php?rest_route=\/wp\/v2\/posts\/32866","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dogewisperer.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dogewisperer.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dogewisperer.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dogewisperer.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=32866"}],"version-history":[{"count":0,"href":"https:\/\/dogewisperer.com\/index.php?rest_route=\/wp\/v2\/posts\/32866\/revisions"}],"wp:attachment":[{"href":"https:\/\/dogewisperer.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=32866"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dogewisperer.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=32866"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dogewisperer.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=32866"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}