GolangGhost
GolangGhost is a Go-based backdoor/RAT associated with the DPRK-linked Contagious Interview / DeceptiveDevelopment activity cluster and related reporting on Famous Chollima, WaterPlum/PurpleBravo, and Lazarus-aligned operations. It is also referred to as FlexibleFerret and WeaselStore, with reporting describing FlexibleFerret as the broader malware family and GolangGhost as its Go variant; the Python counterpart is commonly called PylangGhost. Public reporting ties it to fake job interview and recruitment lures targeting software developers, especially in cryptocurrency, blockchain, Web3, finance, technology, and AI-related organizations, often via malicious GitHub/GitLab/Bitbucket repositories, fraudulent coding assessments, fake interview websites, npm packages, ClickFix-style instructions, and abused Visual Studio Code workflows.
Across the cited reporting, GolangGhost/FlexibleFerret is described as a modular backdoor and infostealer with encrypted HTTP(S), TCP, or HTTP POST-based command and control, depending on the variant/report. Documented capabilities include remote command execution, plugin loading, file upload and download, continued C2 communication as a RAT, system discovery, and theft of browser data and cryptocurrency wallet data. Multiple sources specifically state it steals Chrome/Chromium credentials, cookies, browser extension data, and wallet artifacts; some reporting notes it is based on or leverages the open-source HackBrowserData project for Chrome data theft. Microsoft reporting also states FlexibleFerret establishes persistence through Windows RUN registry modifications, while macOS-focused reporting describes LaunchAgent persistence. In ClickFake Interview reporting, GolangGhost on Windows and macOS communicated with hardcoded C2 endpoints over HTTP POST and used RC4 with a per-request 128-byte key plus MD5 checksum; reported C2s included 38.134.148[.]218:8080, 154.62.226[.]22:8080, and 72.5.42[.]93:8080. Jamf reported a macOS FlexibleFerret/GolangGhost iteration contacting 95.169.180[.]140:8080 after execution from /var/tmp/macpatch.sh and related staging from app.zynoracreative[.]com, with persistence via ~/Library/LaunchAgents/com.driver9990as7tpatch.plist.
The malware has been observed in campaigns using fake recruiters and interview processes, including Contagious Interview and ClickFake Interview, and has been linked in reporting to clusters such as BlockNovas/WaterPlum Cluster B. Victims are commonly developers or job seekers, and several reports emphasize risk to employers when coding challenges are executed on corporate devices. Related malware frequently seen alongside GolangGhost in the same ecosystem includes BeaverTail, InvisibleFerret, OtterCookie, FrostyFerret, and PylangGhost.
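A defender-side triage check for the macOS persistence described above, added here as an example and not code from any of the cited reports: it parses LaunchAgent plists and flags the reported label, execution from temp staging paths such as /var/tmp/macpatch.sh, and self-relaunch settings. The sample plist contents are constructed; only the file name and script path come from the reporting, and the assumption that the Label key matches the file name is mine.

```python
import plistlib

# Label taken from the plist file name in the Jamf reporting; assumption:
# the Label key inside the file matches the file name.
KNOWN_LABELS = {"com.driver9990as7tpatch"}
# World-writable staging directories; /var/tmp/macpatch.sh is the documented path.
STAGING_DIRS = ("/var/tmp/", "/private/var/tmp/", "/tmp/", "/private/tmp/")


def assess_launchagent(plist_bytes: bytes) -> list[str]:
    """Return the reasons a LaunchAgent plist resembles the documented
    persistence; an empty list means nothing matched."""
    try:
        d = plistlib.loads(plist_bytes)
    except Exception:
        return ["unparseable plist"]
    reasons = []
    label = d.get("Label", "")
    if label in KNOWN_LABELS:
        reasons.append(f"label matches reported persistence: {label}")
    # launchd accepts either Program or ProgramArguments; check both.
    args = list(d.get("ProgramArguments") or [])
    if d.get("Program"):
        args.insert(0, d["Program"])
    for a in args:
        if isinstance(a, str) and a.startswith(STAGING_DIRS):
            reasons.append(f"executes from temp staging dir: {a}")
    if d.get("RunAtLoad") and (d.get("KeepAlive") or d.get("StartInterval")):
        reasons.append("RunAtLoad plus KeepAlive/StartInterval (self-relaunching)")
    return reasons


# Constructed sample: the plist body is an assumption built from the reported
# file name and staging script; only the label and script path are from the report.
SAMPLE_SUSPICIOUS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.driver9990as7tpatch</string>
<key>ProgramArguments</key><array>
<string>/bin/sh</string><string>/var/tmp/macpatch.sh</string></array>
<key>RunAtLoad</key><true/><key>KeepAlive</key><true/>
</dict></plist>"""

# Constructed benign agent for comparison (hypothetical app path).
SAMPLE_BENIGN = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/helper", "--check"],
    "RunAtLoad": True,
})

if __name__ == "__main__":
    for name, blob in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(name, assess_launchagent(blob) or "no findings")
```

Pointing the same function at every file under ~/Library/LaunchAgents gives a quick per-host sweep; the path heuristic will also catch unrelated agents that launch from /tmp, which is worth reviewing anyway.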
Groups observed using it
4 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
UNK_DeadDrop / Contagious Interview: targeting software developers, security researchers, and AI engineers in cryptocurrency; developers in cryptocurrency and AI ... Payloads: Overlord (Go binaries), OtterCookie (JavaScript), Invisible Ferret (Python), FlexibleFerret (Go/Python)
BlockNovas has been observed using video assessments to distribute FROSTYFERRET and GolangGhost using ClickFix-related lures...
ClickFake Interview leverages fake job interview websites to deploy a Go backdoor – GolangGhost – on Windows and macOS environments... This final implant enables remote control and data theft, including browser information exfiltration.
Three variants, FriendlyFerret, FrostyFerret and FlexibleFerret, were deployed during a job interview process on a legitimate website.
Lazarus Group Targets Job Seekers With ClickFix Tactic to Deploy GolangGhost Malware
Techniques & procedures
29 distinct techniques documented for this family, organized by ATT&CK tactic.
Reconnaissance (1 technique)
Resource Development (1 technique)
Initial Access (4 techniques)
"...job-themed social engineering campaigns ... under the pretext of coding assignment or fixing an issue with their browser when turning on camera during a video assessment."
“Fake job offers include attachments or links to malicious projects.”
Execution (10 techniques)
Several titles explicitly mention 'VS Code Tasks Abuse,' 'Tracking the VS Code Tasks Infection Vector,' and 'Evolution of VS Code and Cursor Tasks Infection Chains.'
“DeceptiveDevelopment uses VBS, Python, JavaScript, and shell commands for execution.”
“powershell -Command "Expand-Archive -Force -Path '%TEMP%\nvidiadrivers.zip' …"”
“Open Command Prompt… use the following curl command… && powershell … && wscript …”
“wscript "%TEMP%\nvidiadrivers\update.vbs"”… “the downloader is launched by the update.vbs script”
Invisible Ferret is a Python-based backdoor used in later stages of the attack chain, enabling remote command execution.
“cmd /c node nvidia.js. This downloader is built on the NodeJS Framework and fetches a ZIP archive…”
persuading victims into running malicious commands or packages hosted on GitHub, GitLab, or Bitbucket as part of the assessment
Persistence (3 techniques)
Several titles explicitly mention 'VS Code Tasks Abuse,' 'Tracking the VS Code Tasks Infection Vector,' and 'Evolution of VS Code and Cursor Tasks Infection Chains.'
Privilege Escalation (3 techniques)
Several titles explicitly mention 'VS Code Tasks Abuse,' 'Tracking the VS Code Tasks Infection Vector,' and 'Evolution of VS Code and Cursor Tasks Infection Chains.'
Stealth (2 techniques)
Credential Access (1 technique)
Discovery (2 techniques)
Command and Control (3 techniques)
FlexibleFerret... leverages encrypted HTTP(S) and TCP command and control channels to dynamically load plugins, execute remote commands, and support file upload and download operations.
Exfiltration (3 techniques)
IOCs tracked for this family
87 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
36 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A Go/Python malware payload referenced as part of Contagious Interview activity in the comparison table.
A modular backdoor implemented in Go and Python, also known as WeaselStore. Its variants are named GolangGhost and PylangGhost, and newer malicious VS Code projects ultimately deploy it as a next-stage payload.
A Golang-based remote access trojan used in DPRK-linked social engineering and developer-targeting campaigns; PylangGhost is described as its Python version.
Modular backdoor in Go and Python variants using encrypted HTTP(S) and TCP C2, plugin loading, remote command execution, file transfer, persistence via RUN registry changes, reconnaissance, lateral movement, and exfiltration.