Famous Chollima’s PylangGhost

2025-06-23 PolySwarm

https://blog.polyswarm.io/famous-chollimas-pylangghost


Famous Chollima, described as a North Korean-aligned actor, deployed the Python-based PylangGhost RAT against cryptocurrency and blockchain professionals, primarily in India. The campaign used fake recruiter personas and counterfeit job-application sites impersonating companies such as Coinbase and Robinhood to talk victims into running PowerShell Invoke-WebRequest or curl commands that fetched a ZIP archive.

The archive contained Python modules, a VBS script, and a renamed Python interpreter disguised as nvidia.py. Once running, the malware established persistence through the registry, generated a GUID to identify the host, and communicated with its C2 over HTTP with RC4-encrypted payloads.

PylangGhost mirrors the functionality of GolangGhost: remote control, file operations, and credential theft from more than 80 browser extensions, including cryptocurrency wallets and password managers. The targeting and tooling point to financially motivated operations against crypto-sector users, where stolen credentials and wallet access can directly support DPRK revenue generation.
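The delivery artifact described above, a VBS launcher bundled with a PE interpreter shipped under a .py name, can be caught at triage by comparing each archive member's magic bytes with what its extension implies. The following is an added example, not PolySwarm's or the original researchers' code. The archive it inspects is constructed in memory with harmless stand-in contents; the member names other than nvidia.py (update.vbs, main.py) are assumptions used only for illustration.

```python
"""Triage a ZIP archive for a renamed interpreter disguised as a script.

Added example. The sample archive is constructed here with harmless
stand-in contents; it is not the real PylangGhost package.
"""
import io
import zipfile
from dataclasses import dataclass

PE_MAGIC = b"MZ"
ZIP_MAGIC = b"PK\x03\x04"
# Extensions that should hold text and never a PE image.
SCRIPT_EXTS = {".py", ".vbs", ".js", ".txt"}
# Extensions that commonly act as a launcher for something else in the archive.
LAUNCHER_EXTS = {".vbs", ".bat", ".cmd", ".ps1"}
PE_EXTS = {".exe", ".dll"}


@dataclass
class Finding:
    name: str    # archive member (or "<archive>" for whole-archive findings)
    reason: str


def sniff(data: bytes) -> str:
    """Coarse content type from leading bytes: pe, zip, text or binary."""
    if data[:2] == PE_MAGIC:
        return "pe"
    if data[:4] == ZIP_MAGIC:
        return "zip"
    try:
        data.decode("utf-8")
        return "text"
    except UnicodeDecodeError:
        return "binary"


def ext_of(name: str) -> str:
    """Lower-cased extension including the dot, or '' if there is none."""
    base = name.rsplit("/", 1)[-1]
    dot = base.rfind(".")
    return base[dot:].lower() if dot != -1 else ""


def triage_zip(zip_bytes: bytes) -> list[Finding]:
    """Flag members whose magic bytes contradict their extension, and the
    launcher-plus-Python-modules layout described in the report."""
    findings: list[Finding] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
        for name in names:
            with zf.open(name) as fh:
                head = fh.read(4096)   # magic bytes live in the first few bytes
            kind = sniff(head)
            ext = ext_of(name)
            if kind == "pe" and ext in SCRIPT_EXTS:
                findings.append(Finding(name, f"PE image under script extension {ext}"))
            elif kind == "pe" and ext not in PE_EXTS:
                findings.append(Finding(name, f"PE image with unexpected extension {ext!r}"))
        has_launcher = any(ext_of(n) in LAUNCHER_EXTS for n in names)
        has_py = any(ext_of(n) == ".py" for n in names)
        if has_launcher and has_py:
            findings.append(Finding("<archive>", "script launcher bundled with Python modules"))
    return findings


def build_sample_archive(malicious: bool = True) -> bytes:
    """Constructed lookalike of the described ZIP layout (hypothetical names).

    malicious=True: a PE header stub under nvidia.py plus a VBS launcher.
    malicious=False: nvidia.py is ordinary text and there is no launcher.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if malicious:
            # Stand-in for the renamed interpreter: only a DOS/PE header shape,
            # no executable code.
            zf.writestr("nvidia.py", PE_MAGIC + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 200)
            zf.writestr("update.vbs", "' constructed launcher stand-in\r\nWScript.Echo \"stub\"\r\n")
        else:
            zf.writestr("nvidia.py", "import os\n# benign helper module\n")
        zf.writestr("main.py", "import os\nprint('hello')\n")
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_sample_archive()):
        print(f"{f.name}: {f.reason}")
```

The same sniff applies beyond ZIP triage: on a live host, a script-host process (wscript.exe, cscript.exe) launching a file whose name says .py but whose first two bytes are MZ is the on-disk form of the disguise described here, and a PE under any text-typed extension is worth a look regardless of this campaign.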

Indicators of Compromise

Type   Value                               First Seen   Last Seen
HASH   c2137cd870de0af6662f56c97d27b86…   2025-06-18   2025-06-23
