Famous Chollima deploying Python version of GolangGhost RAT
Essential information
- Published
- 18/06/2025 17:19
- Modified
- 23/06/2025 19:47
- Tags
- 2025-06-18 blockchain browser data theft cryptocurrency golangghost pylangghost rat
- Related entities
- 67 observables, 1 intrusion sets (apt), 18 techniques (mitre)
Description
In May 2025, Cisco Talos identified a Python-based remote access trojan (RAT) called 'PylangGhost', used by a North Korean-aligned threat actor. PylangGhost shares similarities with the previously documented GolangGhost RAT. The threat actor, Famous Chollima, has been targeting employees with experience in cryptocurrency and blockchain technologies through fake job interview sites. The attacks primarily affect users in India. The malware is deployed through a two-stage process involving fake skill-testing pages and malicious command execution. PylangGhost consists of six Python modules and offers functionalities similar to its Golang counterpart, including system information collection, file manipulation, and browser data theft from over 80 extensions.