Famous Chollima deploying Python version of GolangGhost RAT

2025-06-18 Cisco Talos

https://blog.talosintelligence.com/python-version-of-golangghost-rat/

Cisco Talos identified PylangGhost, a Python-based Windows RAT used exclusively by the North Korean-aligned Famous Chollima actor, also known as Wagemole. The campaign targets workers with cryptocurrency and blockchain experience through fake recruiter workflows and skill-testing sites impersonating companies such as Coinbase, Robinhood, Uniswap, Archblock, and Parallel Studios. Victims are instructed to copy and run ClickFix-style commands that download a ZIP archive, unpack a Python library, and launch the RAT through a renamed Python interpreter. PylangGhost creates logon persistence through the Windows registry, fingerprints the host, communicates with C2 over RC4-encrypted HTTP, and supports file transfer, OS shell access, sleep/exit commands, and theft of browser cookies and credentials from password-manager and cryptocurrency-wallet extensions.

Indicators of Compromise

