
Famous Chollima deploying Python version of GolangGhost RAT

Severity: Medium
Published: Wed Jun 18 2025 (06/18/2025, 17:19:11 UTC)
Source: AlienVault OTX General

Description

In May 2025, Cisco Talos identified a Python-based remote access trojan (RAT) called 'PylangGhost', used by a North Korean-aligned threat actor. PylangGhost shares similarities with the previously documented GolangGhost RAT. The threat actor, Famous Chollima, has been targeting employees with experience in cryptocurrency and blockchain technologies through fake job interview sites. The attacks primarily affect users in India. The malware is deployed through a two-stage process involving fake skill-testing pages and malicious command execution. PylangGhost consists of six Python modules and offers functionalities similar to its Golang counterpart, including system information collection, file manipulation, and browser data theft from over 80 extensions.

AI-Powered Analysis

Last updated: 06/18/2025, 20:02:17 UTC

Technical Analysis

In May 2025, Cisco Talos identified a Python-based remote access trojan (RAT) named 'PylangGhost', deployed by the North Korean-aligned threat actor Famous Chollima. It shares structure and functionality with the previously documented GolangGhost RAT; re-implementing the tool in Python gives the actor a second code base that signatures and hunting logic written for the Go variant will not match.

Targeting and lure: the campaign targets professionals with cryptocurrency and blockchain experience, primarily in India, through fake job-interview and skill-assessment websites. The domain indicators on this page fit that lure: hiring-themed sites and company-branded subdomains (for example coinbase.talenthiringtool.com, kraken.livehiringpro.com, uniswap.testforhire.com) alongside a set of api.* hosts with camera- and driver-fix themes (api.camdriversupport.com, api.nvidia-drive.cloud).

Infection chain: two stages. The victim is first taken through a fake skill-testing page and is then induced to execute a command presented as part of that process; the command stages and launches the RAT. No software vulnerability is exploited, so there are no affected software versions to patch; initial access is entirely social engineering, which is why the "no known exploits in the wild" field below is not a measure of risk for this threat.

Capabilities: PylangGhost is modular, consisting of six Python modules that together provide system information collection, file manipulation, and theft of browser-stored data from more than 80 browser extensions. The extension coverage matters because those extensions include cryptocurrency wallets and authentication-token stores, so a single infection can yield keys, seed phrases and live session tokens. The MITRE ATT&CK techniques tagged for this pulse are scheduled task persistence (T1053.005), system information discovery (T1082), credentials from password stores (T1555), and command and scripting interpreter use via PowerShell (T1059.001) and Python (T1059.006), which together cover persistence, reconnaissance and data collection.

The current campaign concentrates on blockchain and cryptocurrency professionals in India, but an interpreter-based, modular RAT delivered through a reusable fake-hiring kit can be retargeted at other regions and sectors with little change.

Potential Impact

For European organizations, the impact of PylangGhost could be significant, especially for entities involved in blockchain, cryptocurrency, fintech and related sectors. The malware's ability to steal browser data from numerous extensions is a direct threat to the confidentiality of credentials, private keys and session tokens, and the likely consequences are financial theft from wallets, unauthorized access to corporate SaaS and exchange accounts with the stolen sessions, and further lateral movement from the compromised workstation.

The system information gathering and file manipulation functions support espionage, staged data exfiltration and disruption of operations. Although the current campaign targets individuals in India, European professionals with similar profiles, or staff of multinational companies with blockchain interests, could be targeted in future campaigns using the same lure.

Because the RAT is a set of plain Python modules run by an interpreter, it is cheap for the actor to repack and re-hash; the file hashes on this page are useful for retrospective hunting but will not hold for the next build, and environments relying mainly on signature-based detection risk a prolonged undetected presence. The social engineering vector also means the first compromised asset is an employee's own session and credentials, so the blast radius is whatever that employee can reach, not only the machine.

Mitigation Recommendations

To mitigate the risk posed by PylangGhost, European organizations should implement targeted measures beyond generic advice:

1. Enhance email and web filtering: deploy filtering capable of detecting and blocking phishing sites, especially those masquerading as job portals, interview or skill-testing platforms aimed at blockchain and cryptocurrency roles. The hiring-themed and company-branded domains in the IoC list below show the naming pattern to watch for.
2. User awareness training: run specialized training for employees in blockchain and cryptocurrency roles to recognize this social engineering, in particular unsolicited job offers and interview processes that end with the candidate being asked to run a command on their own machine.
3. Application allow-listing and execution control: restrict execution of unauthorized Python interpreters and scripts, especially from user directories or temporary locations, using application control policies.
4. Monitor for the tagged MITRE ATT&CK techniques: scheduled task creation (T1053.005), access to browser credential stores (T1555, credentials from password stores), and suspicious PowerShell (T1059.001) and Python (T1059.006) interpreter use, including interpreters launched from paths where no installed Python exists.
5. Browser extension management: audit and limit browser extensions to those necessary, keep wallet extensions off corporate profiles where possible, and monitor for unusual access to extension storage or exfiltration attempts tied to extensions.
6. Network segmentation and egress monitoring: segment networks to limit lateral movement and monitor outbound traffic for connections to the listed domains or other anomalous destinations indicative of command-and-control and exfiltration.
7. Incident response preparedness: develop playbooks specific to RAT infections, including forensic collection of the dropped Python modules, revocation of browser sessions and tokens harvested from the host, and containment steps.
8. Threat intelligence sharing: engage with European cybersecurity communities to exchange indicators and tactics related to Famous Chollima and PylangGhost and strengthen collective defense.
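Items 3, 4 and 6 above, and the IoC tables further down, translate into a small hunting script. The following is an added example and not Cisco Talos or AlienVault code: it carries a subset of the page's domain and hash indicators, matches DNS queries against them including subdomains, classifies the mixed-length hash list by digest type, and flags two behaviours from the mitigation list (a Python interpreter started from a user-writable directory, and a scheduled task pointed at one). The log lines are constructed for the demonstration, and the field names, path markers and regular expressions are assumptions, not anything the page or the vendor specifies.

```python
"""Sweep constructed DNS and process logs for this page's PylangGhost indicators.

Added example, not Cisco Talos or AlienVault code. DOMAIN_IOCS and HASH_IOCS
are copied from the page's IoC tables; the log lines are constructed (not real
telemetry); field names, path markers and regexes are assumptions.
"""
import re

# Subset of the page's domain IoCs. A query hits if it equals an entry or is
# a subdomain of one, so cdn.quiz-nest.com still matches quiz-nest.com.
DOMAIN_IOCS = {
    "assesstrack.com", "krakenhire.com", "quiz-nest.com",
    "api.nvidia-release.org", "api.camdriversupport.com",
    "coinbase.talenthiringtool.com", "uniswap.testforhire.com",
}
# Subset of the page's file hashes (one MD5, one SHA-1, one SHA-256).
HASH_IOCS = {
    "09b93b77c9f7c28151aca977d95eaa13",
    "be20cf6b1ebe922a8076245112307e86e615523d",
    "0d14960395a9d396d413c2160570116e835f8b3200033a0e4e150f5e50b68bec",
}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="value with spaces"
PYTHON_EXE_RE = re.compile(r"(?:^|\\)pythonw?(?:3(?:\.\d+)?)?\.exe$", re.IGNORECASE)
SCHTASKS_CREATE_RE = re.compile(r"schtasks(?:\.exe)?\s+/create\b", re.IGNORECASE)
# Assumed user-writable locations (mitigation 3: interpreters run from user or
# temporary directories are suspicious). Lower-case, matched as substrings.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\downloads\\", "\\users\\public\\")

# Constructed sample telemetry. WS-0417 resolves two listed hosts and runs a
# python.exe from %TEMP% whose hash is listed; WS-0218 registers a logon task.
DNS_LOG = """\
2025-06-18T10:02:11Z host=WS-0417 query=api.nvidia-release.org type=A
2025-06-18T10:02:13Z host=WS-0417 query=www.example.com type=A
2025-06-18T10:03:40Z host=WS-0417 query=coinbase.talenthiringtool.com type=A
2025-06-18T10:05:02Z host=WS-0218 query=cdn.quiz-nest.com type=A
"""
PROC_LOG = r"""
host=WS-0417 pid=4120 image=C:\Users\alice\AppData\Local\Temp\drv\python.exe cmd="python.exe script.py" sha256=0d14960395a9d396d413c2160570116e835f8b3200033a0e4e150f5e50b68bec
host=WS-0417 pid=4188 image="C:\Program Files\Python312\python.exe" cmd="python.exe build.py" sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
host=WS-0218 pid=9001 image=C:\Windows\System32\schtasks.exe cmd="schtasks /create /sc onlogon /tn DriverUpdate /tr C:\Users\bob\Downloads\drv\pythonw.exe" sha256=1111111111111111111111111111111111111111111111111111111111111111
"""


def parse_kv(line):
    """Parse 'k=v k2="v with spaces"' into a dict, stripping the quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def hash_kind(value):
    """Classify a hex digest by length as md5/sha1/sha256; None otherwise."""
    if not re.fullmatch(r"[0-9a-fA-F]+", value or ""):
        return None
    return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(value))


def matched_domain_ioc(hostname):
    """Return the IoC that hostname equals or sits under, else None."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in DOMAIN_IOCS:
            return candidate
    return None


def in_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def scan_dns(log_text):
    """(host, query, matched_ioc) for every query at or under a listed domain."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_kv(line)
        ioc = matched_domain_ioc(rec.get("query", ""))
        if ioc:
            hits.append((rec.get("host"), rec["query"], ioc))
    return hits


def scan_processes(log_text):
    """(host, finding, evidence) for listed hashes and the two behaviours."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_kv(line)
        host, image, cmd = rec.get("host"), rec.get("image", ""), rec.get("cmd", "")
        digest = rec.get("sha256", "").lower()
        if digest in HASH_IOCS:
            findings.append((host, "known_sample_hash", digest))
        if PYTHON_EXE_RE.search(image) and in_user_writable(image):
            findings.append((host, "python_from_user_writable_dir", image))
        if SCHTASKS_CREATE_RE.search(cmd) and in_user_writable(cmd):
            findings.append((host, "scheduled_task_into_user_writable_dir", cmd))
    return findings


if __name__ == "__main__":
    for hit in scan_dns(DNS_LOG) + scan_processes(PROC_LOG):
        print(*hit, sep="  ")
```

The suffix walk in `matched_domain_ioc` is the part worth keeping: the page lists both apex domains and specific lure subdomains, and a plain equality match on the list would miss a new host the actor stands up under an already-listed apex. The two behavioural checks are deliberately independent of the hash list, since a rebuilt sample changes its hash but still has to start an interpreter from somewhere the user can write to and still has to persist.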


Technical Details

Author
AlienVault
TLP
white
References
["https://blog.talosintelligence.com/python-version-of-golangghost-rat/"]
Adversary
Famous Chollima
Pulse Id
6852f50f8e7fb42e2328c1c5
Threat Score
null

Indicators of Compromise

Hash

Type  Value
hash  09b93b77c9f7c28151aca977d95eaa13
hash  be20cf6b1ebe922a8076245112307e86e615523d
hash  0d14960395a9d396d413c2160570116e835f8b3200033a0e4e150f5e50b68bec
hash  0ec9d355f482a292990055a9074fdabdb75d72630b920a61bdf387f2826f5385
hash  127406b838228c39b368faa9d6903e7e712105b5ad8f43a987a99f7b10c29780
hash  1f482ce7e736a8541cc16e3e80c7890d13fb1f561ae38215a98a75dce1333cee
hash  267009d555f59e9bf5d82be8a046427f04a16d15c63d9c7ecca749b11d8c8fc3
hash  28198494f0ed5033085615a57573e3d748af19e4bd6ea215893ebeacf6e576df
hash  5273d68b3aef1f5ebf420b91d66a064e34c4d3495332fd492fecb7ef4b19624e
hash  7ac3ffb78ae1d2d9b5d3d336d2a2409bd8f2f15f5fb371a1337dd487bd471e32
hash  8ead05bb10e6ab0627fcb3dd5baa59cdaab79aa3522a38dad0b7f1bc0dada10a
hash  929c69827cd2b03e7b03f9a53c08268ab37c29ac4bd1b23425f66a62ad74a13b
hash  a206ea9b415a0eafd731b4eec762a5b5e8df8d9007e93046029d83316989790a
hash  b7ab674c5ce421d9233577806343fc95602ba5385aa4624b42ebd3af6e97d3e5
hash  b8402db19371db55eebea08cf1c1af984c3786d03ff7eae954de98a5c1186cee
hash  c2137cd870de0af6662f56c97d27b86004f47b866ab27190a97bde7518a9ac1b
hash  c2d2320ae43aaa0798cbcec163a0265cba511f8d42d90d45cd49a43fe1c40be6
hash  d029be4142fca334af8fe0f5f467a0e0e1c89d3b881833ee53c1e804dc912cfd
hash  d3500266325555c9e777a4c585afc05dfd73b4cbe9dba741c5876593b78059fd
hash  e7c2b524f5cb0761a973accc9a4163294d678f5ce6aca73a94d4e106f4c8fea4
hash  ed170975e3fd03440360628f447110e016f176a44f951fcf6bc8cdb47fbd8e0e
hash  fb5362c4540a3cbff8cb1c678c00cc39801dc38151edc4a953e66ade3e069225
hash  fc71a1df2bb4ac2a1cc3f306c3bdf0d754b9fab6d1ac78e4eceba5c6e7aee85d

Domain

Type    Value
domain  assesstrack.com
domain  digitaltalent.review
domain  evalassesso.com
domain  evalswift.com
domain  fast-video-recording.com
domain  krakenhire.com
domain  livetalentpro.com
domain  provevidskillcheck.com
domain  quantumnodespro.com
domain  quiz-nest.com
domain  talent-hiringtalk.com
domain  api.auto-fixer.online
domain  api.autocamfixer.online
domain  api.autodriverfix.online
domain  api.camdriversupport.com
domain  api.camera-drive.org
domain  api.camtechdrivers.com
domain  api.camtuneup.online
domain  api.drive-release.cloud
domain  api.drivercams.cloud
domain  api.driversofthub.online
domain  api.fixdiskpro.online
domain  api.nvidia-drive.cloud
domain  api.nvidia-release.org
domain  api.nvidia-release.us
domain  api.quickcamfix.online
domain  api.quickdriverupdate.online
domain  api.smartdriverfix.cloud
domain  api.vcamfixer.online
domain  api.web-cam.cloud
domain  coinbase.talenthiringtool.com
domain  coinbase.talentmonitoringtool.com
domain  crosstheages.skillence360.com
domain  doodles.skillquestions.com
domain  kraken.livehiringpro.com
domain  parallel.eskillora.com
domain  parallel.eskillprov.com
domain  robinhood.ecareerscan.com
domain  skill.vidintermaster.com
domain  uniswap.prehireiq.com
domain  uniswap.speakure.com
domain  uniswap.testforhire.com
domain  www.hireviavideo.com
domain  www.smartvideohire.com
domain  www.talent-hiringstep.com
domain  yuga.skillquestions.com

Threat ID: 685317a933c7acc046074f60

Added to database: 6/18/2025, 7:46:49 PM

Last enriched: 6/18/2025, 8:02:17 PM

Last updated: 8/17/2025, 11:29:27 PM
