PyLangGhost RAT
PyLangGhost RAT is a Python-based remote access trojan used by North Korean threat activity, including NICKEL ALLEY and reporting that links it to Famous Chollima. It is described as the Python successor to the earlier GoLangGhost RAT, with PyLangGhost samples identified by May 2025 after the Go-based version was first observed around February 2025. Reported capabilities include arbitrary command execution, file exfiltration, system profiling, browser credential theft, cookie theft, and theft of Chrome cryptocurrency wallet extension data.
The malware has been delivered through highly targeted social engineering campaigns centered on fake job opportunities and interview workflows aimed at software developers and other technology/Web3 professionals, particularly in finance and technology. A prominent delivery method is the ClickFix tactic: victims are shown an error on an attacker-controlled assessment site and instructed to run a local command to "fix" the issue. In observed late-2025 chains, that command downloaded an archive such as fixed.zip or patchesWin.zip into %TEMP%, expanded it with PowerShell, and launched a VBScript such as update.vbs or start.vbs via wscript. The VBScript then unpacked Lib.zip, executed cmd /c csshost.exe nvidia.py, and used csshost.exe as a renamed legitimate python.exe binary to run the Python payload.
Associated lures and infrastructure included fake LinkedIn company pages, fraudulent company websites, coordinating GitHub accounts, fake recruiter outreach, and malicious or typosquatted npm packages. In other observed attacks, victims were persuaded to clone GitHub repositories and run npm install and npm start, or were exposed to malicious Visual Studio Code tasks that fetched payloads. Sophos assessed the primary objective as cryptocurrency theft, while warning that the access obtained could also support supply chain compromise or corporate espionage. Reported infrastructure and indicators tied to campaigns delivering PyLangGhost RAT include talentacq[.]pro and publicshare[.]org, with talentacq[.]pro noted for a custom 404 page containing the misspelling "opps."
Groups observed using it
1 distinct threat actor attributed by public researchers.
Over the last year, the group has used the popular ClickFix tactic to deliver PyLangGhost RAT malware via fake job skills assessment tasks. This involved the attacker-controlled web interface presenting an error informing the victim that they must run a command locally to fix the issue – a command that instead initiated a series of actions leading to PyLangGhost RAT. It previously used a GoLang-based version known as GoLangGhost RAT.
Techniques & procedures
14 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
In some instances, the threat actors have used the popular 'ClickFix' tactic to deliver malware via fake job skills assessment tasks.
The group notoriously targets professionals in the technology sector by advertising fake job opportunities, deceiving prospective candidates through a fake job interview process, and ultimately delivering malware. In targeted attacks, NICKEL ALLEY often creates a fake LinkedIn company page to build credibility and maintains a coordinating GitHub account for malware delivery.
Execution
6 techniques
This involved the attacker-controlled web interface presenting an error informing the victim that they must run a command locally to fix the issue – a command that instead initiated a series of actions leading to PyLangGhost RAT.
When executed, the command retrieves an archive file from an attacker-controlled domain and writes it to the %TEMP% directory. It then decompresses the archive via the PowerShell Expand-Archive cmdlet.
It then uses the Run method of WScript.Shell to execute a command via cmd.exe: cmd /c csshost.exe nvidia.py.
Finally, it uses the wscript command to execute a VBScript file that initiates the infection chain.
The csshost.exe file is a renamed copy of the legitimate python.exe binary. The executable runs a Python file (nvidia.py) that initiates the PyLangGhost RAT infection chain.
Stealth
1 technique
The csshost.exe file is a renamed copy of the legitimate python.exe binary... The binary is renamed to a Windows system filename, and the Python filename often imitates an associated driver file.
Credential Access
1 technique
It also gathers browser credentials and cookies. The malware specifically targets Chrome cryptocurrency wallet browser extension data.
Discovery
1 technique
The malware supports file exfiltration, arbitrary command execution, and system profiling.
Collection
1 technique
The VBScript file uses the tar command to decompress an archive (Lib.zip) that contains benign library and support files.
Command and Control
1 technique
Organizations should monitor command execution and network traffic that spawns from Node.js processes, as it may indicate malware retrieval.
Exfiltration
1 technique
The malware supports file exfiltration, arbitrary command execution, and system profiling. It also gathers browser credentials and cookies.
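The Execution, Stealth and Command and Control entries above describe a process chain a defender can look for in endpoint telemetry: PowerShell Expand-Archive into %TEMP%, wscript launching a .vbs from %TEMP%, cmd.exe spawned by the script host, a binary whose PE OriginalFileName is python.exe but whose on-disk name is not, and a shell spawned by node.exe. The following is an added detection example written for this page; it is not code from the page, from Mallory, or from any vendor report. The events are constructed Sysmon-style Event ID 1 records that reuse Sysmon's real field names (Image, ParentImage, OriginalFileName, CommandLine); the user name, paths and the Node.js command line are assumptions for illustration.

```python
"""Flag the PyLangGhost ClickFix delivery chain in Windows process-creation logs.

Added detection example, not code from the page or from any vendor. Events are
constructed Sysmon-style Event ID 1 records; field names follow Sysmon's schema.
"""
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

# Matches a user temp directory in a path or a literal %TEMP% reference.
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\|%TEMP%", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def expand_archive_in_temp(ev: Event) -> bool:
    """ClickFix step: PowerShell Expand-Archive operating on %TEMP%."""
    cmd = ev["CommandLine"]
    return (basename(ev["Image"]) in ("powershell.exe", "pwsh.exe")
            and "expand-archive" in cmd.lower()
            and TEMP_RE.search(cmd) is not None)


def wscript_runs_temp_vbs(ev: Event) -> bool:
    """wscript/cscript launching a .vbs that lives in %TEMP%."""
    cmd = ev["CommandLine"]
    return (basename(ev["Image"]) in ("wscript.exe", "cscript.exe")
            and ".vbs" in cmd.lower()
            and TEMP_RE.search(cmd) is not None)


def cmd_spawned_by_script_host(ev: Event) -> bool:
    """WScript.Shell Run method: cmd.exe whose parent is the script host."""
    return (basename(ev["ParentImage"]) in ("wscript.exe", "cscript.exe")
            and basename(ev["Image"]) == "cmd.exe")


def renamed_python_interpreter(ev: Event) -> bool:
    """Stealth: PE OriginalFileName says python.exe, on-disk name differs."""
    return (ev.get("OriginalFileName", "").lower() == "python.exe"
            and basename(ev["Image"]) != "python.exe")


def shell_spawned_by_node(ev: Event) -> bool:
    """npm install/start lure: node.exe spawning a command shell."""
    return (basename(ev["ParentImage"]) == "node.exe"
            and basename(ev["Image"]) in ("cmd.exe", "powershell.exe", "pwsh.exe"))


RULES: Dict[str, Callable[[Event], bool]] = {
    "expand_archive_in_temp": expand_archive_in_temp,
    "wscript_runs_temp_vbs": wscript_runs_temp_vbs,
    "cmd_spawned_by_script_host": cmd_spawned_by_script_host,
    "renamed_python_interpreter": renamed_python_interpreter,
    "shell_spawned_by_node": shell_spawned_by_node,
}


def scan(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires."""
    hits: List[Tuple[int, str]] = []
    for i, ev in enumerate(events):
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((i, name))
    return hits


# Constructed sample telemetry (not real logs). Events 0-4 mirror the chain
# described on the page; events 5-6 are benign look-alikes that must stay quiet.
TEMP = r"C:\Users\dev\AppData\Local\Temp"   # assumed victim temp directory
SYS32 = r"C:\Windows\System32"
SAMPLE_EVENTS: List[Event] = [
    {"Image": SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": SYS32 + r"\cmd.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": f'powershell -c "Expand-Archive {TEMP}\\fixed.zip -DestinationPath {TEMP}"'},
    {"Image": SYS32 + r"\wscript.exe", "ParentImage": SYS32 + r"\cmd.exe",
     "OriginalFileName": "wscript.exe", "CommandLine": f"wscript {TEMP}\\update.vbs"},
    {"Image": SYS32 + r"\cmd.exe", "ParentImage": SYS32 + r"\wscript.exe",
     "OriginalFileName": "Cmd.Exe", "CommandLine": "cmd /c csshost.exe nvidia.py"},
    {"Image": f"{TEMP}\\csshost.exe", "ParentImage": SYS32 + r"\cmd.exe",
     "OriginalFileName": "python.exe", "CommandLine": "csshost.exe nvidia.py"},
    {"Image": SYS32 + r"\cmd.exe", "ParentImage": r"C:\Program Files\nodejs\node.exe",
     "OriginalFileName": "Cmd.Exe", "CommandLine": "cmd /c powershell -NoProfile -File setup.ps1"},
    {"Image": r"C:\Python312\python.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "OriginalFileName": "python.exe", "CommandLine": "python.exe app.py"},
    {"Image": SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": r'powershell -c "Expand-Archive C:\Users\dev\Downloads\report.zip -DestinationPath C:\Users\dev\Documents"'},
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The OriginalFileName check is the one that survives renaming: it comes from the PE version resource, so a python.exe copied to csshost.exe still reports python.exe, while a genuine interpreter in its normal location does not fire. Individually these rules are noisy on developer workstations; correlating two or more of them from the same process tree within a short window is what turns them into a useful alert.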
IOCs tracked for this family
13 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
3 sources tracked across advisories, community write-ups, and news.
A remote access trojan delivered through fake job assessment lures and ClickFix-style social engineering, used to gain access to targeted developer systems in campaigns aimed at cryptocurrency theft, with potential follow-on supply chain compromise or corporate espionage.
A Python-based remote access trojan used in fake job interview campaigns. It supports file exfiltration, arbitrary command execution, system profiling, browser credential and cookie theft, and specifically targets Chrome cryptocurrency wallet browser extension data.
Remote access trojan used by North Korean APT Famous Chollima, delivered via targeted social engineering attacks.