{
  "name": "Famous Chollima deploying Python version of GolangGhost RAT",
  "slug": "famous-chollima-deploying-python-version-of-golangghost-rat",
  "description": "In May 2025, Cisco Talos identified a Python-based remote access trojan (RAT) called 'PylangGhost', used by a North Korea-aligned threat actor. PylangGhost shares similarities with the previously documented GolangGhost RAT. The threat actor, Famous Chollima, has been targeting employees with experience in cryptocurrency and blockchain technologies through fake job interview sites. The attacks primarily affect users in India. The malware is deployed through a two-stage process involving fake skill-testing pages and malicious command execution. PylangGhost consists of six Python modules and offers functionality similar to that of its Golang counterpart, including system information collection, file manipulation, and theft of data from over 80 browser extensions.",
  "published": "2025-06-18T15:19:11+00:00",
  "created_at": "2025-06-18T15:19:11+00:00",
  "modified_at": "2025-06-23T17:47:34+00:00",
  "created_at_opencti": "2025-06-18T15:19:11+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-06-18",
    "blockchain",
    "browser data theft",
    "cryptocurrency",
    "golangghost",
    "pylangghost",
    "rat"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "www.hireviavideo.com"
      },
      {
        "id": "",
        "name": "www.smartvideohire.com"
      },
      {
        "id": "",
        "name": "www.talent-hiringstep.com"
      },
      {
        "id": "",
        "name": "yuga.skillquestions.com"
      },
      {
        "id": "",
        "name": "uniswap.testforhire.com"
      },
      {
        "id": "",
        "name": "uniswap.speakure.com"
      },
      {
        "id": "",
        "name": "uniswap.prehireiq.com"
      },
      {
        "id": "",
        "name": "skill.vidintermaster.com"
      },
      {
        "id": "",
        "name": "robinhood.ecareerscan.com"
      },
      {
        "id": "",
        "name": "parallel.eskillprov.com"
      },
      {
        "id": "",
        "name": "parallel.eskillora.com"
      },
      {
        "id": "",
        "name": "kraken.livehiringpro.com"
      },
      {
        "id": "",
        "name": "doodles.skillquestions.com"
      },
      {
        "id": "",
        "name": "crosstheages.skillence360.com"
      },
      {
        "id": "",
        "name": "coinbase.talentmonitoringtool.com"
      },
      {
        "id": "",
        "name": "coinbase.talenthiringtool.com"
      },
      {
        "id": "",
        "name": "api.vcamfixer.online"
      },
      {
        "id": "",
        "name": "api.quickcamfix.online"
      },
      {
        "id": "",
        "name": "api.quickdriverupdate.online"
      },
      {
        "id": "",
        "name": "api.fixdiskpro.online"
      },
      {
        "id": "",
        "name": "api.driversofthub.online"
      },
      {
        "id": "",
        "name": "api.camtuneup.online"
      },
      {
        "id": "",
        "name": "api.autodriverfix.online"
      },
      {
        "id": "",
        "name": "api.autocamfixer.online"
      },
      {
        "id": "",
        "name": "api.auto-fixer.online"
      },
      {
        "id": "",
        "name": "quiz-nest.com"
      },
      {
        "id": "",
        "name": "talent-hiringtalk.com"
      },
      {
        "id": "",
        "name": "quantumnodespro.com"
      },
      {
        "id": "",
        "name": "provevidskillcheck.com"
      },
      {
        "id": "",
        "name": "livetalentpro.com"
      },
      {
        "id": "",
        "name": "krakenhire.com"
      },
      {
        "id": "",
        "name": "fast-video-recording.com"
      },
      {
        "id": "",
        "name": "digitaltalent.review"
      },
      {
        "id": "",
        "name": "assesstrack.com"
      },
      {
        "id": "",
        "name": "api.web-cam.cloud"
      },
      {
        "id": "",
        "name": "api.smartdriverfix.cloud"
      },
      {
        "id": "",
        "name": "api.nvidia-release.us"
      },
      {
        "id": "",
        "name": "api.nvidia-release.org"
      },
      {
        "id": "",
        "name": "api.nvidia-drive.cloud"
      },
      {
        "id": "",
        "name": "api.drivercams.cloud"
      },
      {
        "id": "",
        "name": "api.drive-release.cloud"
      },
      {
        "id": "",
        "name": "api.camtechdrivers.com"
      },
      {
        "id": "",
        "name": "api.camera-drive.org"
      },
      {
        "id": "",
        "name": "api.camdriversupport.com"
      },
      {
        "id": "",
        "name": "evalswift.com"
      },
      {
        "id": "",
        "name": "evalassesso.com"
      },
      {
        "id": "",
        "name": "fc71a1df2bb4ac2a1cc3f306c3bdf0d754b9fab6d1ac78e4eceba5c6e7aee85d"
      },
      {
        "id": "",
        "name": "fb5362c4540a3cbff8cb1c678c00cc39801dc38151edc4a953e66ade3e069225"
      },
      {
        "id": "",
        "name": "e7c2b524f5cb0761a973accc9a4163294d678f5ce6aca73a94d4e106f4c8fea4"
      },
      {
        "id": "",
        "name": "ed170975e3fd03440360628f447110e016f176a44f951fcf6bc8cdb47fbd8e0e"
      },
      {
        "id": "",
        "name": "d3500266325555c9e777a4c585afc05dfd73b4cbe9dba741c5876593b78059fd"
      },
      {
        "id": "",
        "name": "d029be4142fca334af8fe0f5f467a0e0e1c89d3b881833ee53c1e804dc912cfd"
      },
      {
        "id": "",
        "name": "c2d2320ae43aaa0798cbcec163a0265cba511f8d42d90d45cd49a43fe1c40be6"
      },
      {
        "id": "",
        "name": "c2137cd870de0af6662f56c97d27b86004f47b866ab27190a97bde7518a9ac1b"
      },
      {
        "id": "",
        "name": "b8402db19371db55eebea08cf1c1af984c3786d03ff7eae954de98a5c1186cee"
      },
      {
        "id": "",
        "name": "b7ab674c5ce421d9233577806343fc95602ba5385aa4624b42ebd3af6e97d3e5"
      },
      {
        "id": "",
        "name": "a206ea9b415a0eafd731b4eec762a5b5e8df8d9007e93046029d83316989790a"
      },
      {
        "id": "",
        "name": "929c69827cd2b03e7b03f9a53c08268ab37c29ac4bd1b23425f66a62ad74a13b"
      },
      {
        "id": "",
        "name": "8ead05bb10e6ab0627fcb3dd5baa59cdaab79aa3522a38dad0b7f1bc0dada10a"
      },
      {
        "id": "",
        "name": "7ac3ffb78ae1d2d9b5d3d336d2a2409bd8f2f15f5fb371a1337dd487bd471e32"
      },
      {
        "id": "",
        "name": "5273d68b3aef1f5ebf420b91d66a064e34c4d3495332fd492fecb7ef4b19624e"
      },
      {
        "id": "",
        "name": "28198494f0ed5033085615a57573e3d748af19e4bd6ea215893ebeacf6e576df"
      },
      {
        "id": "",
        "name": "267009d555f59e9bf5d82be8a046427f04a16d15c63d9c7ecca749b11d8c8fc3"
      },
      {
        "id": "",
        "name": "1f482ce7e736a8541cc16e3e80c7890d13fb1f561ae38215a98a75dce1333cee"
      },
      {
        "id": "",
        "name": "127406b838228c39b368faa9d6903e7e712105b5ad8f43a987a99f7b10c29780"
      },
      {
        "id": "",
        "name": "0ec9d355f482a292990055a9074fdabdb75d72630b920a61bdf387f2826f5385"
      },
      {
        "id": "",
        "name": "0d14960395a9d396d413c2160570116e835f8b3200033a0e4e150f5e50b68bec"
      }
    ],
    "intrusion_sets": [
      {
        "id": "d4b48d95-5b76-4c51-bd31-8448a710b185",
        "name": "Famous Chollima",
        "slug": "famous-chollima"
      }
    ],
    "attack_patterns": [
      {
        "id": "e684b1cc-3ebf-4679-bd3c-c5e540a60a5d",
        "name": "T1056.004"
      },
      {
        "id": "7671fe3e-6a85-463e-928d-16117d2f4f9b",
        "name": "T1059.006"
      },
      {
        "id": "40f0d8e3-bcd7-4b97-a958-f55815698fc5",
        "name": "T1053.005"
      },
      {
        "id": "14660ccf-ca6b-42f6-8bca-e1b7a04650b3",
        "name": "T1573.001"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "a72b6e11-a5d5-4f5a-8f0d-8861e90c34f7",
        "name": "T1555"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      },
      {
        "id": "97d377d8-89c7-48f8-a79f-0f48bd60df74",
        "name": "T1005"
      },
      {
        "id": "dc17cbbd-40d8-43cf-b3cf-50d1276db2c7",
        "name": "T1016"
      },
      {
        "id": "29398669-98ed-4766-9dac-f9632f7175ff",
        "name": "T1518"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "c473a756-355a-42ad-a0df-cd3a8fa006d1",
        "name": "T1057"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "5b7c66d1-0466-4ba7-af6f-eb82c2f9d05b",
        "name": "T1033"
      },
      {
        "id": "fa3b8b48-d97c-4242-83a6-07d435a5a79e",
        "name": "T1041"
      }
    ]
  },
  "external_refs": [
    "https://blog.talosintelligence.com/python-version-of-golangghost-rat/",
    "https://otx.alienvault.com/pulse/6852f50f8e7fb42e2328c1c5"
  ]
}