PylangGhost
PylangGhost is a Python-based remote access trojan (RAT) associated with North Korean activity, most consistently attributed in the provided reporting to Famous Chollima, also known as Wagemole/PurpleBravo, and used in the broader Contagious Interview/DeceptiveDevelopment campaign. It is described as a Python counterpart to GolangGhost, with very similar structure, naming conventions, function names, and an identical command structure. Reporting characterizes PylangGhost as primarily Windows-focused, while related GolangGhost activity continued to target macOS; some later reporting also describes PylangGhost/GolangGhost as related multi-platform RATs.
Observed delivery vectors in the provided content include fake job interview and skill-testing websites impersonating companies such as Coinbase, Robinhood, Uniswap, Archblock, and Parallel Studios; ClickFix-style social engineering that instructs victims to copy and execute malicious PowerShell, Command Shell, or Bash commands; malicious npm packages; and JavaScript loaders embedded in trojanized packages. The campaign primarily targeted software developers, job seekers, and cryptocurrency/blockchain professionals, with reporting specifically noting victims predominantly in India and broader targeting of finance, technology, AI, cryptocurrency, and Web3 sectors.
In the Talos-described Windows infection chain, a command downloads a ZIP archive containing six Python modules, a Visual Basic Script, and a renamed Python interpreter used to launch nvidia.py. The VBS launcher unzips lib.zip and starts the RAT. The main module creates persistence via a Windows registry Run value at user logon, generates a GUID for the infected host, connects to command-and-control infrastructure, and enters a command loop. Capabilities directly described in the content include system reconnaissance, file upload and download, remote OS shell access, sleep/tasking, and theft of browser credentials, cookies, and extension data. The malware is reported to steal stored browser credentials, session cookies, and data from more than 80 browser extensions, including cryptocurrency wallets and password managers such as MetaMask, Phantom, TronLink, 1Password, NordPass, Bitski, Initia, and MultiverseX. Multiple reports also state that PylangGhost can target Chrome data and was engineered to defeat or address Google Chrome app-bound credential protection.
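A defender's hunt for the Run-value persistence described above, written as an added example (not code from the Talos report or from the malware): it parses a constructed .reg export of the per-user Run key and flags values that launch a .vbs through wscript.exe or cscript.exe from a user-writable directory. The value name and paths in the sample are constructed for illustration.

```python
import re

# Constructed .reg-style export of the per-user Run key (sample input, not a real host).
# The "nvidia-update" value name is hypothetical; the pattern it shows (a script host
# launching a .vbs from a user-writable directory) is the one the reporting describes.
SAMPLE_REG_EXPORT = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"nvidia-update"="wscript.exe \"C:\\Users\\alice\\AppData\\Local\\Temp\\update.vbs\""
'''

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")

def parse_run_values(reg_text: str) -> dict:
    """Return {value_name: command} for every value under a ...\\CurrentVersion\\Run key."""
    entries, in_run = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):                      # key header starts a new section
            in_run = line.lower().endswith("\\currentversion\\run]")
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)     # "Name"="value"
        if in_run and m:
            name, raw = m.groups()
            entries[name] = raw.replace('\\"', '"').replace("\\\\", "\\")  # undo .reg escaping
    return entries

def flag_script_host_persistence(reg_text: str) -> list:
    """Flag Run values that use wscript/cscript to run a .vbs from a user-writable path."""
    hits = []
    for name, cmd in parse_run_values(reg_text).items():
        low = cmd.lower()
        if any(h in low for h in SCRIPT_HOSTS) and ".vbs" in low \
                and any(p in low for p in USER_WRITABLE):
            hits.append((name, cmd))
    return hits
```

On a live host the same logic applies to the output of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg`, with HKLM checked the same way.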
C2 communications are described as HTTP with RC4-encrypted packets. Reported packet structure includes a 16-byte MD5 checksum, a 128-byte RC4 key, and an encrypted data blob. Additional reporting notes a line-based protocol with Base64-encoded tokens and obfuscated command identifiers. Persistence and runtime artifacts mentioned in the content include registry Run-key execution via wscript.exe and temporary-directory state files such as .store and .host.
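To make the reported packet framing concrete, here is an added decoder (my own example, not code from Talos or from the malware) that splits a captured packet into the 16-byte MD5, the 128-byte RC4 key and the encrypted blob, then decrypts the blob with the key the packet itself carries. The reporting does not say what the checksum covers, so the "MD5 of plaintext" check is an assumption reported as a result; the sample packet is constructed inline.

```python
import hashlib

HDR_MD5 = 16    # leading MD5 checksum, per the reporting
HDR_KEY = 128   # RC4 key carried inside the packet, per the reporting

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric, so one routine encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def decode_packet(packet: bytes) -> dict:
    """Split checksum | key | blob and decrypt the blob with the key it ships with.
    Since the key travels in the packet, anyone holding the capture can recover the
    plaintext: RC4 here only hides content from casual inspection."""
    if len(packet) < HDR_MD5 + HDR_KEY:
        raise ValueError("packet shorter than the 144-byte header")
    checksum = packet[:HDR_MD5]
    key = packet[HDR_MD5:HDR_MD5 + HDR_KEY]
    plaintext = rc4(key, packet[HDR_MD5 + HDR_KEY:])
    # ASSUMPTION: reporting does not say what the MD5 covers; we test the
    # "MD5 of plaintext" hypothesis and report the outcome rather than assert it.
    return {
        "key": key,
        "plaintext": plaintext,
        "md5_matches_plaintext": hashlib.md5(plaintext).digest() == checksum,
    }

def build_sample_packet(plaintext: bytes, key: bytes) -> bytes:
    """Constructed test input in the reported layout; not a real capture."""
    return hashlib.md5(plaintext).digest() + key + rc4(key, plaintext)

# Constructed sample with a fixed key so the decode is reproducible.
SAMPLE_PACKET = build_sample_packet(b"constructed: COMMAND_INFORMATION", bytes(range(HDR_KEY)))
```

Because the key is in the packet, a network sensor that logs the full HTTP body has everything needed to recover the command stream from a capture.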
The content includes several infrastructure and IOC references tied to PylangGhost campaigns. Talos-associated reporting lists C2 servers 31.57.243.29:8080, 154.58.204.15:8080, 212.81.47.217:8080, and 31.57.243.190:8080; download domains api.quickcamfix.online and api.nvidia-release.us; and fake interview domains including krakenhire.com, robinhood.ecareerscan.com, coinbase.talentmonitoringtool.com, and uniswap.prehireiq.com. Another npm-delivery report identifies malicanbur[.]pro and 173.211.46[.]22:8080, with campaign identifier ML2J and Windows payload SHA-256 0be2375362227f846c56c4de2db4d3113e197f0c605c297a7e0e0c154e94464e. A Cloudflare Pages/Workers abuse cluster is reported to have delivered a Windows PylangGhost bundle with SHA-256 9ec622624f5f07c5d86e6048f2710de1e9c5ac7c6a6fad4fcb31121bb67c0239, deoft.org infrastructure resolving to 187.77.111.137, and a plaintext PylangGhost C2 address of 187.127.248.20 in config.py. Talos also published ClamAV detections including Win.Backdoor.PyChollima-10045389-0 through Win.Backdoor.PyChollima-10045384-0.
Groups observed using it
4 distinct threat actors attributed by public researchers.
In May 2025, Cisco Talos identified a Python-based remote access trojan (RAT) we call “PylangGhost,” used exclusively by a North Korean-aligned threat actor.
"North Korea's abuse of Cloudflare Workers and Pages" published by Kmsec. #FamousChollima, #NPM, #PylangGhost, #DPRK, #CTI
First instance of PylangGhost RAT observed on npm ... PyLangGhost RAT: Rising Stealer from Lazarus Group Striking Finance and Technology
Techniques & procedures
25 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (3 techniques)
A cluster of 5 npm packages abuses Cloudflare infrastructure (Pages/Workers) to deliver PylangGhost RAT... The intended workflow is for ether-bn.js to be installed as a dependency to a coding project, which then adds the malicious sub-dependencies.
"distribute malware to unsuspecting job seekers in the software development industry"; "pretext of a recruitment process or technical assignment"
These campaigns include using variants of Contagious Interview (aka DeceptiveDevelopment) and creating fake job advertisements and skill-testing pages... real software engineers, marketing employees, designers and other workers are targeted by fake recruiters and instructed to visit skill-testing pages in order to move forward with their application.
Execution (8 techniques)
Several titles explicitly mention 'VS Code Tasks Abuse,' 'Tracking the VS Code Tasks Infection Vector,' and 'Evolution of VS Code and Cursor Tasks Infection Chains.'
Instructions for downloading the alleged fix are different based on the browser fingerprinting, and also given in appropriate shell language for the OS: PowerShell or Command Shell for Windows... The command line uses either PowerShell Invoke-Webrequest or curl to download a ZIP file containing the PylangGhost modules as well as a Visual Basic Script file.
execSync("chmod +x /var/tmp/camDriver.sh && nohup bash /var/tmp/camDriver.sh >/dev/null 2>&1 &");
The command line uses either PowerShell Invoke-Webrequest or curl to download a ZIP file containing the PylangGhost modules as well as a Visual Basic Script file. This script is responsible for unzipping the Python library stored in the “lib.zip file” and launching the trojan...
This script is responsible for unzipping the Python library stored in the “lib.zip file” and launching the trojan by running a renamed Python interpreter using the file “nvidia.py” as the Python program to run.
The decrypted payload in full... This is what’s invoked by globalThis.eval... evaluates remote content held at keo[.]pages[.]dev/output-2.
The intended workflow is for ether-bn.js to be installed as a dependency to a coding project... infection happens at runtime as opposed to installation.
Finally, when the user requests camera, the site displays the instructions for the user to copy, paste and execute a command to allegedly install the required video drivers... The initial stage consists of a command line which the fake webpage tells the unsuspecting user to copy, paste and execute.
Persistence (2 techniques)
Privilege Escalation (2 techniques)
Stealth (4 techniques)
Novel obfuscation techniques, encryption, runtime logic gates, and device fingerprinting are used to hinder detection... return globalThis.eval(payload).
The intended workflow is for ether-bn.js to be installed as a dependency to a coding project... infection happens at runtime as opposed to installation.
Credential Access (2 techniques)
These commands enable remote control of the infected system and the theft of cookies and credentials from over 80 browser extensions... The module “auto.py” contains the functionality for stealing the stored browser credentials and session cookies...
These commands enable remote control of the infected system and the theft of cookies and credentials from over 80 browser extensions, including password managers and cryptocurrency wallets, including Metamask, 1Password, NordPass, Phantom, Bitski, Initia, TronLink and MultiverseX.
Discovery (4 techniques)
COMMAND_INFORMATION - collect information about the infected system, username, OS version etc.
COMMAND_FILE_UPLOAD - file upload
COMMAND_FILE_DOWNLOAD - file download
Collection (1 technique)
Command and Control (4 techniques)
The attacker’s command-and-control (C2) infrastructure relies on the domain malicanbur[.]pro, with a C2 IP address of 173.211.46[.]22:8080.
“Api.py” is responsible for implementing the communications protocol with the C2 server, using RC4 encryption to encrypt packets over otherwise unencrypted HTTP used while communicating with the C2 server.
Recent activity
18 sources tracked across advisories, community write-ups, and news.
Remote access trojan delivered through malicious npm packages and Cloudflare Pages/Workers infrastructure. The chain fingerprints the host, fetches staged JavaScript, contacts attacker-controlled infrastructure to obtain a victim-specific path, then downloads platform-specific payloads. The final bundle includes Windows, Linux, and macOS infection paths and uses C2 at 187.127.248.20.
"NICKEL ALLEY strategy: Fake it ‘til you make it" published by Sophos. #NickelAlley, #ClickFix, #ContagiousInterview, #PylangGhost, #DPRK, #CTI
A Python variant of FlexibleFerret/WeaselStore propagated via malicious npm packages and also deployed through newer VS Code project chains.