GolangGhost
GolangGhost, also referred to as FlexibleFerret and WeaselStore, is a Go-based remote access trojan (RAT), backdoor and infostealer attributed in public reporting to the DPRK-linked Contagious Interview (aka DeceptiveDevelopment) activity and to the overlapping clusters tracked as Famous Chollima, WaterPlum, PurpleBravo and Lazarus. It is delivered through fake job interview and coding-assessment campaigns, including ClickFix-style lures in which victims are tricked into copying and executing a malicious command or into opening trojanized developer projects and repositories. Reporting describes it as a frequent final payload of Famous Chollima ClickFix campaigns and as malware historically used by WaterPlum Cluster B/BlockNovas.
The malware targets multiple platforms: reporting explicitly describes Windows and macOS use, and the FlexibleFerret/WeaselStore naming covers broader multiplatform builds. It communicates with command-and-control infrastructure over encrypted HTTP(S) and TCP channels; several reports describe HTTP POST traffic carrying RC4-encrypted packets with a per-request 128-byte key and an MD5 checksum. Documented capabilities include remote command execution, system reconnaissance, persistence, plugin loading, file upload and download, and data exfiltration. It also steals browser data and cryptocurrency-wallet-related information; the Chrome theft component is based on the open-source HackBrowserData project. Reporting on the FlexibleFerret/WeaselStore family states that it can steal browser credentials, cookies, and wallet or extension data while continuing to operate as a RAT.
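The RC4-with-checksum scheme described above, as an added example that is neither the malware's own code nor any published decoder. It assumes a packet layout of md5(plaintext) followed by the RC4 ciphertext and treats the 128-byte key as already known to both sides, because the reporting summarised here gives the key size and the checksum but not the field order or how the key reaches the server; the names encodePacket, decodePacket and tryKeys are the example's own. The practical point is the caveat in decodePacket: an unkeyed MD5 over the plaintext plus a malleable stream cipher gives integrity against accidental corruption and a handy "is this the right key" oracle when trying recovered keys against captured POST bodies, but no authenticity.

```go
package main

import (
	"bytes"
	"crypto/md5"
	"crypto/rand"
	"crypto/rc4"
	"errors"
	"fmt"
)

// Assumed for illustration only: the packet is md5(plaintext) followed by the
// RC4 ciphertext, and the 128-byte per-request key is already known to both
// sides. The reporting summarised above gives the key size and the use of an
// MD5 checksum, not the field order or how the key is conveyed.
const keyLen = 128

var (
	errShort    = errors.New("packet shorter than an MD5 digest")
	errChecksum = errors.New("md5 mismatch: wrong key, corrupted or tampered packet")
)

// newRequestKey draws a fresh 128-byte RC4 key for one request.
func newRequestKey() ([]byte, error) {
	k := make([]byte, keyLen)
	_, err := rand.Read(k)
	return k, err
}

// encodePacket returns md5(plain) || rc4(key, plain).
func encodePacket(key, plain []byte) ([]byte, error) {
	if len(key) != keyLen {
		return nil, fmt.Errorf("want %d-byte key, got %d", keyLen, len(key))
	}
	c, err := rc4.NewCipher(key)
	if err != nil {
		return nil, err
	}
	sum := md5.Sum(plain)
	out := make([]byte, md5.Size+len(plain))
	copy(out, sum[:])
	c.XORKeyStream(out[md5.Size:], plain)
	return out, nil
}

// decodePacket decrypts with key and checks the digest. MD5 here is unkeyed
// and RC4 is malleable, so a match shows the key was right and the bytes
// arrived intact; it says nothing about who produced them.
func decodePacket(key, pkt []byte) ([]byte, error) {
	if len(pkt) < md5.Size {
		return nil, errShort
	}
	if len(key) != keyLen {
		return nil, fmt.Errorf("want %d-byte key, got %d", keyLen, len(key))
	}
	c, err := rc4.NewCipher(key)
	if err != nil {
		return nil, err
	}
	plain := make([]byte, len(pkt)-md5.Size)
	c.XORKeyStream(plain, pkt[md5.Size:])
	if got := md5.Sum(plain); !bytes.Equal(got[:], pkt[:md5.Size]) {
		return nil, errChecksum
	}
	return plain, nil
}

// tryKeys is the analyst-side use: given a captured POST body and candidate
// keys (for example, 128-byte buffers carved from a memory dump), it returns
// the index of the first key whose decryption passes the checksum, or -1.
func tryKeys(candidates [][]byte, pkt []byte) (int, []byte) {
	for i, k := range candidates {
		if plain, err := decodePacket(k, pkt); err == nil {
			return i, plain
		}
	}
	return -1, nil
}

func main() {
	key, err := newRequestKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample body; not a real GolangGhost message.
	pkt, _ := encodePacket(key, []byte(`{"cmd":"sysinfo"}`))
	idx, plain := tryKeys([][]byte{make([]byte, keyLen), key}, pkt)
	fmt.Println(idx, string(plain))
}
```

Because the checksum is computed over the plaintext, a wrong key fails closed at the MD5 comparison rather than handing back garbage, which is what makes tryKeys workable against a capture; the same property means an on-path party who knows the key can re-encrypt arbitrary content with a fresh digest, so the checksum must not be read as message authentication.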
Observed infection chains cover both Windows and macOS fake-interview workflows. In the March 2025 ClickFake Interview reporting, Windows victims were walked through a curl -> PowerShell Expand-Archive -> wscript.exe chain that launched update.vbs, established Run-key persistence under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NvidiaDriverUpdate, and finally launched the GolangGhost backdoor. On macOS, a bash installer downloaded and unpacked the payloads, created LaunchAgent persistence, used FrostyFerret to phish for the user's system password, and then launched GolangGhost. Jamf separately described a macOS FlexibleFerret chain that began with /var/tmp/macpatch.sh, downloaded architecture-specific archives, wrote ~/Library/LaunchAgents/com.driver9990as7tpatch.plist, launched a decoy MediaPatcher.app to capture credentials, and then ran a Go backdoor that contacted a hard-coded C2.
Victimology across the reporting centers on software developers, job seekers, and personnel in the cryptocurrency, blockchain, Web3, AI, finance, and technology sectors. Fake companies and interview portals impersonating brands such as Coinbase, Robinhood, Uniswap, Archblock, Kraken, and others were used as lures. Indicators reported with high confidence include C2 endpoints such as 38.134.148.218:8080, 154.62.226.22:8080, 72.5.42.93:8080, and 95.169.180.140:8080, as well as Talos-listed infrastructure for the related Python variant (PylangGhost) including 31.57.243.29:8080, 154.58.204.15:8080, 212.81.47.217:8080, and 31.57.243.190:8080; download domains such as api.smartdriverfix.cloud, api.quickcamfix.online, api.nvidia-release.us, and app.zynoracreative.com; and fake interview domains including krakenhire.com, robinhood.ecareerscan.com, coinbase.talentmonitoringtool.com, uniswap.prehireiq.com, evaluza.com, and proficiencycert.com.
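The Windows and macOS chains and the indicators above, turned into a small detection pass as an added example (not a vendor rule and not code from the reporting). It matches the PowerShell Expand-Archive and wscript.exe stages out of %TEMP%, the NvidiaDriverUpdate Run key, a shell script run from /var/tmp, the com.driver9990as7tpatch LaunchAgent plist, and outbound connections to the listed C2 sockets and domains, and it raises a separate chain alert only when a host shows both Windows stages. The Event schema, the rule names and the sample telemetry are this example's own assumptions; the sample records are constructed, not captured.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Event is a constructed, vendor-neutral telemetry record; the field names are
// this example's own assumption, not an EDR or Sysmon schema.
type Event struct {
	Host    string
	Kind    string // "process", "registry", "file" or "network"
	Image   string // executable, for process events
	Cmdline string
	Target  string // registry value, file path, "ip:port" or domain
}

type Alert struct{ Host, Rule, Detail string } // one fired rule on one host

// Indicators quoted in the reporting summarised above.
var c2Sockets = map[string]bool{
	"38.134.148.218:8080": true, "154.62.226.22:8080": true,
	"72.5.42.93:8080": true, "95.169.180.140:8080": true,
}
var knownDomains = map[string]bool{
	"api.smartdriverfix.cloud": true, "api.quickcamfix.online": true,
	"api.nvidia-release.us": true, "app.zynoracreative.com": true,
	"krakenhire.com": true, "coinbase.talentmonitoringtool.com": true,
}

// Host-based patterns from the Windows and macOS chains described above.
var (
	reExpandTemp  = regexp.MustCompile(`(?i)expand-archive.*%temp%\\[^'"\s]+\.zip`)
	reWscriptTemp = regexp.MustCompile(`(?i)%temp%\\[^'"\s]+\.vbs`)
	reRunKey      = regexp.MustCompile(`(?i)^HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\NvidiaDriverUpdate$`)
	reVarTmpSh    = regexp.MustCompile(`(^|\s)/var/tmp/\S+\.sh(\s|$)`)
	reLaunchAgent = regexp.MustCompile(`^/Users/[^/]+/Library/LaunchAgents/com\.driver9990as7tpatch\.plist$`)
)

// Detect scores each event on its own and emits one chain alert per host the
// first time both the Expand-Archive stage and the wscript stage have been seen.
func Detect(events []Event) []Alert {
	var out []Alert
	stages := map[string]int{} // host -> bitmask: 1 = Expand-Archive seen, 2 = wscript seen
	hit := func(e Event, rule string) { out = append(out, Alert{e.Host, rule, e.Cmdline + e.Target}) }
	mark := func(e Event, bit int, rule string) {
		hit(e, rule)
		before := stages[e.Host]
		stages[e.Host] = before | bit
		if before != 3 && before|bit == 3 {
			hit(e, "win.chain_expand_archive_then_wscript")
		}
	}
	for _, e := range events {
		img := strings.ToLower(e.Image)
		switch {
		case e.Kind == "process" && strings.HasSuffix(img, "powershell.exe") && reExpandTemp.MatchString(e.Cmdline):
			mark(e, 1, "win.expand_archive_temp")
		case e.Kind == "process" && strings.HasSuffix(img, "wscript.exe") && reWscriptTemp.MatchString(e.Cmdline):
			mark(e, 2, "win.wscript_temp_vbs")
		case e.Kind == "process" && (strings.HasSuffix(img, "/bash") || strings.HasSuffix(img, "/sh")) && reVarTmpSh.MatchString(e.Cmdline):
			hit(e, "mac.var_tmp_shell_script")
		case e.Kind == "registry" && reRunKey.MatchString(e.Target):
			hit(e, "win.runkey_nvidiadriverupdate")
		case e.Kind == "file" && reLaunchAgent.MatchString(e.Target):
			hit(e, "mac.launchagent_driver9990as7tpatch")
		case e.Kind == "network" && c2Sockets[e.Target]:
			hit(e, "net.c2_socket")
		case e.Kind == "network" && knownDomains[strings.ToLower(e.Target)]:
			hit(e, "net.known_domain")
		}
	}
	return out
}

// sampleEvents is constructed telemetry mirroring the chains above, plus two
// benign records; none of it is captured data.
var sampleEvents = []Event{
	{Host: "WIN-01", Kind: "process", Image: `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`,
		Cmdline: `powershell -Command "Expand-Archive -Force -Path '%TEMP%\nvidiadrivers.zip'"`},
	{Host: "WIN-01", Kind: "process", Image: `C:\Windows\System32\wscript.exe`, Cmdline: `wscript "%TEMP%\nvidiadrivers\update.vbs"`},
	{Host: "WIN-01", Kind: "registry", Target: `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NvidiaDriverUpdate`},
	{Host: "WIN-01", Kind: "network", Target: "api.nvidia-release.us"},
	{Host: "MAC-01", Kind: "process", Image: "/bin/bash", Cmdline: "bash /var/tmp/macpatch.sh"},
	{Host: "MAC-01", Kind: "file", Target: "/Users/dev/Library/LaunchAgents/com.driver9990as7tpatch.plist"},
	{Host: "MAC-01", Kind: "network", Target: "38.134.148.218:8080"},
	{Host: "WIN-02", Kind: "process", Image: `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`, Cmdline: `powershell -Command "Get-Process"`},
	{Host: "WIN-02", Kind: "network", Target: "example.com:443"},
}

func main() {
	for _, a := range Detect(sampleEvents) {
		fmt.Printf("%-7s %-38s %s\n", a.Host, a.Rule, a.Detail)
	}
}
```

The indicator sets are the weakest part of the detection and the first thing the operators rotate, so the host-based rules carry the weight: Expand-Archive of a %TEMP% zip followed by wscript.exe running a .vbs from the same tree is unusual for legitimate driver installs, and the chain alert requires both on one host to keep a single Expand-Archive from paging anyone.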
Groups observed using it
5 distinct threat actors attributed by public researchers.
Toward the end of the year, researchers documented Famous Chollima’s remote access trojan (RAT) called “GolangGhost” in its source code format, which was frequently used as the final payload in the threat actor’s ClickFix campaigns.
BlockNovas has been observed using video assessments to distribute FROSTYFERRET and GolangGhost using ClickFix-related lures...
ClickFake Interview leverages fake job interview websites to deploy a Go backdoor – GolangGhost – on Windows and macOS environments... This final implant enables remote control and data theft, including browser information exfiltration.
Three variants, FriendlyFerret, FrostyFerret and FlexibleFerret, were deployed during a job interview process on a legitimate website.
Lazarus Group Targets Job Seekers With ClickFix Tactic to Deploy GolangGhost Malware
Techniques & procedures
30 distinct techniques documented for this family, organized by ATT&CK tactic.
Reconnaissance (1 technique)
Resource Development (1 technique)
Initial Access (4 techniques)
"...job-themed social engineering campaigns ... under the pretext of coding assignment or fixing an issue with their browser when turning on camera during a video assessment."
“Fake job offers include attachments or links to malicious projects.”
“ClickFix technique uses deceptive links to fake troubleshooting guides.”
These campaigns include using variants of Contagious Interview (aka DeceptiveDevelopment) and creating fake job advertisements and skill-testing pages... real software engineers, marketing employees, designers and other workers are targeted by fake recruiters and instructed to visit skill-testing pages in order to move forward with their application.
Execution (9 techniques)
Several titles explicitly mention 'VS Code Tasks Abuse,' 'Tracking the VS Code Tasks Infection Vector,' and 'Evolution of VS Code and Cursor Tasks Infection Chains.'
“DeceptiveDevelopment uses VBS, Python, JavaScript, and shell commands for execution.”
“powershell -Command "Expand-Archive -Force -Path '%TEMP%\nvidiadrivers.zip' …"”
“wscript "%TEMP%\nvidiadrivers\update.vbs"” … “the downloader is launched by the update.vbs script”
Invisible Ferret is a Python-based backdoor used in later stages of the attack chain, enabling remote command execution.
“cmd /c node nvidia.js. This downloader is built on the NodeJS Framework and fetches a ZIP archive…”
Finally, when the user requests camera, the site displays the instructions for the user to copy, paste and execute a command to allegedly install the required video drivers... The initial stage consists of a command line which the fake webpage tells the unsuspecting user to copy, paste and execute.
Persistence (2 techniques)
Privilege Escalation (2 techniques)
Stealth (2 techniques)
Credential Access (3 techniques)
These commands enable remote control of the infected system and the theft of cookies and credentials from over 80 browser extensions, including password managers and cryptocurrency wallets, including Metamask, 1Password, NordPass, Phantom, Bitski, Initia, TronLink and MultiverseX... The module “auto.py” contains the functionality for stealing the stored browser credentials and session cookies...
Discovery (3 techniques)
Command and Control (3 techniques)
FlexibleFerret... leverages encrypted HTTP(S) and TCP command and control channels to dynamically load plugins, execute remote commands, and support file upload and download operations.
Exfiltration (3 techniques)
IOCs tracked for this family
107 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, in three groups:
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
38 sources tracked across advisories, community write-ups, and news.
Named as malware previously used by the Contagious Interview campaign; no further technical details are provided in the content.
A Go/Python malware payload referenced as part of Contagious Interview activity in the comparison table.
A modular backdoor implemented in Go and Python, also known as WeaselStore. Its variants are named GolangGhost and PylangGhost, and newer malicious VS Code projects ultimately deploy it as a next-stage payload.
A Golang-based remote access trojan used in DPRK-linked social engineering and developer-targeting campaigns; PylangGhost is described as its Python version.