Cisco Talos reported that a North Korean hacker group called "Famous Chollima" is targeting cryptocurrency job seekers in India. This group appears to have no direct connection to Lazarus.
Currently, it is difficult to determine whether these efforts are simply theft or preliminary work for a larger attack. Cryptocurrency industry job seekers should be cautious.
North Korea Continues Cryptocurrency Hacking
The Lazarus group from North Korea is notorious for cryptocurrency crimes and has committed the largest hack in industry history. However, this is not North Korea's only Web3 criminal activity. North Korea has a significant presence in DeFi.
Cisco Talos has identified a different approach related to cryptocurrency theft in India:
Famous Chollima, a North Korean-aligned threat actor, is targeting cryptocurrency/blockchain professionals (primarily in India) with the new PylangGhost RAT, a Python-based equivalent to their GolangGhost RAT: https://t.co/fYKvY1tXdB pic.twitter.com/ojDl6Oz7Zv
— Cisco Talos Intelligence Group (@TalosSecurity) June 18, 2025
According to the report, Famous Chollima is not a new group and has been active since mid-2024 or earlier. In recent incidents, North Korean hackers attempted to infiltrate US-based cryptocurrency company Kraken.
Famous Chollima, conversely, lured potential workers through fake job applications.
"This campaign includes... creating fake job advertisements and technical test pages. In the latter case, users are instructed to copy and paste malicious commands, being told they must install a driver to perform the final technical test stage. [Affected users] are primarily located in India," the company claimed.
Compared to Lazarus's notorious reputation, Famous Chollima's phishing efforts appear much more clumsy. Cisco claimed that the group's fake applications always imitate famous cryptocurrency companies.
These lures did not use the actual brand of real companies and asked questions barely related to the job.
Taking the Bait
Victims are lured through fake recruitment sites impersonating well-known tech or cryptocurrency companies. After submitting an application, they are invited to a video interview.
During this process, the site requests command execution for video driver installation. However, it actually downloads and installs malicious software.
Once installed, PylangGhost provides the attacker with complete control of the victim's system. It steals login credentials, browser data, and cryptocurrency wallet information, targeting over 80 popular extensions like MetaMask, Phantom, and 1Password.
Recently, BitMEX claimed that after stopping a malicious software attack, Lazarus uses at least two teams: a low-skilled team that initially penetrates security protocols and a high-skilled team that performs subsequent theft. This is likely a common practice in the North Korean hacking community.
Unfortunately, it is difficult to draw a definitive conclusion without speculation. Are they hacking these applicants to impersonate cryptocurrency industry job seekers?
Users should be cautious of unsolicited job offers, avoid executing unknown commands, and protect their systems with endpoint protection, MFA, and browser extension monitoring.
Always verify the legitimacy of recruitment portals before sharing sensitive information.
