North Korean Hackers Target Crypto Job Recruiters with New Malware, Able to Steal Credentials from Browser Extensions

Blockbeats

6 hours ago

BlockBeats News, June 20th, According to Decrypt's report, threat intelligence research firm Cisco Talos reported on Wednesday that North Korean hackers deployed a new Python Remote Access Trojan called "PylangGhost" targeting cryptocurrency professionals through a fake job interview posing as companies like Coinbase and Uniswap. The malware is associated with the North Korean-affiliated notorious hacking group "Famous Chollima" (also known as "Wagemole").

The malware is capable of stealing credentials from over 80 browser extensions, including Metamask and 1Password, and achieves persistent remote access. The attack mainly targets Windows systems and macOS users, with Linux systems not currently affected by this wave of attacks.

Disclaimer: Investing carries risk. This is not financial advice. The above content should not be regarded as an offer, recommendation, or solicitation on acquiring or disposing of any financial products, any associated discussions, comments, or posts by author or other users should not be considered as such either. It is solely for general information purpose only, which does not consider your own investment objectives, financial situations or needs. TTM assumes no responsibility or warranty for the accuracy and completeness of the information, investors should do their own research and may seek professional advice before investing.

Most Discussed

1
2
3
4
5
6
7
8
9
10

{"basename":"","ssrTDKData":{"titleTemplate":"%s - Tiger Brokers","title":"Tiger Brokers | Global Stocks, Options & Futures Trading App","description":"Tiger Brokers, one-stop investment in US stocks, SGX stocks, HK stocks, A-shares & other global assets. One of the best stock trading platforms in Singapore.","keywords":"tiger brokers,tiger trade,tiger brokers singapore,broker online,stock trading in singapore,share trading singapore,brokerage firm singapore,trading app,stock broker singapore,stock trading platforms,trading account","social":{"ogDescription":"Tiger Brokers, one-stop investment in US stocks, SGX stocks, HK stocks, A-shares & other global assets. One of the best stock trading platforms in Singapore.","ogImage":"https://c1.itigergrowtha.com/portal5/static/media/og-logo.be62fbe1.png","ogUrl":"https://www.itiger.com/news/2544481341"},"companyName":"Tiger Brokers"},"pageData":{"isMobile":false,"isTiger":false,"isTTM":true,"region":"SGP","license":"TBSG","edition":"fundamental"},"__swrFallback__":{"@#url:\"https://stock-news.skytigris.cn/v3/news\",params:#id:\"2544481341\",edition:\"fundamental\",,,undefined,":{"share":"https://ttm.financial/m/news/2544481341?lang=en_US&edition=fundamental","thumbnail":"","is_english":true,"pubTime":"2025-06-20 14:30","share_image_url":"https://static.laohu8.com/e9f99090a1c2ed51c021029395664489","id":"2544481341","market":"us","top_or_hot":-1,"title":"North Korean Hackers Target Crypto Job Recruiters with New Malware, Able to Steal Credentials from Browser Extensions","media":"Blockbeats","content":"<html><body><div><p>BlockBeats News, June 20th, According to Decrypt's report, threat intelligence research firm Cisco Talos reported on Wednesday that North Korean hackers deployed a new Python Remote Access Trojan called \"PylangGhost\" targeting cryptocurrency professionals through a fake job interview posing as companies like <a href=\"https://laohu8.com/S/COIN\">Coinbase</a> and Uniswap. The malware is associated with the North Korean-affiliated notorious hacking group \"Famous Chollima\" (also known as \"Wagemole\").</p><p>The malware is capable of stealing credentials from over 80 browser extensions, including Metamask and 1Password, and achieves persistent remote access. The attack mainly targets Windows systems and macOS users, with Linux systems not currently affected by this wave of attacks.</p></div></body></html>","source":"theblockbeats_live","html":"<!DOCTYPE html>\n<html>\n<head>\n<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" />\n<meta name=\"viewport\" content=\"width=device-width,initial-scale=1.0,minimum-scale=1.0,maximum-scale=1.0,user-scalable=no\"/>\n<meta name=\"format-detection\" content=\"telephone=no,email=no,address=no\" />\n<title>North Korean Hackers Target Crypto Job Recruiters with New Malware, Able to Steal Credentials from Browser Extensions</title>\n<style type=\"text/css\">\na,abbr,acronym,address,applet,article,aside,audio,b,big,blockquote,body,canvas,caption,center,cite,code,dd,del,details,dfn,div,dl,dt,\nem,embed,fieldset,figcaption,figure,footer,form,h1,h2,h3,h4,h5,h6,header,hgroup,html,i,iframe,img,ins,kbd,label,legend,li,mark,menu,nav,\nobject,ol,output,p,pre,q,ruby,s,samp,section,small,span,strike,strong,sub,summary,sup,table,tbody,td,tfoot,th,thead,time,tr,tt,u,ul,var,video{ font:inherit;margin:0;padding:0;vertical-align:baseline;border:0 }\nbody{ font-size:16px; line-height:1.5; color:#999; background:transparent; }\n.wrapper{ overflow:hidden;word-break:break-all;padding:10px; }\nh1,h2{ font-weight:normal; line-height:1.35; margin-bottom:.6em; }\nh3,h4,h5,h6{ line-height:1.35; margin-bottom:1em; }\nh1{ font-size:24px; }\nh2{ font-size:20px; }\nh3{ font-size:18px; }\nh4{ font-size:16px; }\nh5{ font-size:14px; }\nh6{ font-size:12px; }\np,ul,ol,blockquote,dl,table{ margin:1.2em 0; }\nul,ol{ margin-left:2em; }\nul{ list-style:disc; }\nol{ list-style:decimal; }\nli,li p{ margin:10px 0;}\nimg{ max-width:100%;display:block;margin:0 auto 1em; }\nblockquote{ color:#B5B2B1; border-left:3px solid #aaa; padding:1em; }\nstrong,b{font-weight:bold;}\nem,i{font-style:italic;}\ntable{ width:100%;border-collapse:collapse;border-spacing:1px;margin:1em 0;font-size:.9em; }\nth,td{ padding:5px;text-align:left;border:1px solid #aaa; }\nth{ font-weight:bold;background:#5d5d5d; }\n.symbol-link{font-weight:bold;}\n/* header{ border-bottom:1px solid #494756; } */\n.title{ margin:0 0 8px;line-height:1.3;color:#ddd; }\n.meta {color:#5e5c6d;font-size:13px;margin:0 0 .5em; }\na{text-decoration:none; color:#2a4b87;}\n.meta .head { display: inline-block; overflow: hidden}\n.head .h-thumb { width: 30px; height: 30px; margin: 0; padding: 0; border-radius: 50%; float: left;}\n.head .h-content { margin: 0; padding: 0 0 0 9px; float: left;}\n.head .h-name {font-size: 13px; color: #eee; margin: 0;}\n.head .h-time {font-size: 11px; color: #7E829C; margin: 0;line-height: 11px;}\n.small {font-size: 12.5px; display: inline-block; transform: scale(0.9); -webkit-transform: scale(0.9); transform-origin: left; -webkit-transform-origin: left;}\n.smaller {font-size: 12.5px; display: inline-block; transform: scale(0.8); -webkit-transform: scale(0.8); transform-origin: left; -webkit-transform-origin: left;}\n.bt-text {font-size: 12px;margin: 1.5em 0 0 0}\n.bt-text p {margin: 0}\n</style>\n</head>\n<body>\n<div class=\"wrapper\">\n<header>\n<h2 class=\"title\">\nNorth Korean Hackers Target Crypto Job Recruiters with New Malware, Able to Steal Credentials from Browser Extensions\n</h2>\n\n<h4 class=\"meta\">\n\n\n2025-06-20 14:30 GMT+8&nbsp;&nbsp;&nbsp;<a href=https://www.theblockbeats.info//en/flash/299241><strong>Blockbeats</strong></a>\n\n\n</h4>\n\n</header>\n<article>\n<div>\n<p>BlockBeats News, June 20th, According to Decrypt's report, threat intelligence research firm Cisco Talos reported on Wednesday that North Korean hackers deployed a new Python Remote Access Trojan ...</p>\n\n<a href=\"https://www.theblockbeats.info//en/flash/299241\">Source Link</a>\n\n</div>\n\n\n</article>\n</div>\n</body>\n</html>\n","isBrief":false,"type":0,"news_type":1,"symbol":"LU1066051498.USD","symbol_name":"HSBC GIF GLOBAL EQUITY VOLATILITY FOCUSED \"AM2\" (USD) INC","start_time":0,"source_url":"https://www.theblockbeats.info//en/flash/299241","article_id":"2544481341","we_media_id":null,"thumbnails":[],"rights":null,"url":"https://stock-news.laohu8.com/highlight/detail?id=2544481341","pubTimestamp":1750401000,"columns":[],"sourceInfo":{"source_id":"theblockbeats_live","name":"Blockbeats快讯"},"weMediaInfo":null,"summary":"BlockBeats News, June 20th, According to Decrypt's report, threat intelligence research firm Cisco Talos reported on Wednesday that North Korean hackers deployed a new Python Remote Access Trojan called \"PylangGhost\" targeting cryptocurrency professionals through a fake job interview posing as companies like Coinbase and Uniswap. The malware is associated with the North Korean-affiliated notorious hacking group \"Famous Chollima\" .The malware is capable of stealing credentials from over 80 browser extensions, including Metamask and 1Password, and achieves persistent remote access. The attack mainly targets Windows systems and macOS users, with Linux systems not currently affected by this wave of attacks.","collect":0,"end_time":0,"defaultTopTitle":"theblockbeats.info","property":[],"viewcount":null,"language":"en","relate_stocks":{"LU1066051498.USD":"HSBC GIF GLOBAL EQUITY VOLATILITY FOCUSED \"AM2\" (USD) INC","SG9999015986.USD":"LIONGLOBAL DISRUPTIVE INNOVATION \"I\" (USD) ACC","SG9999001424.SGD":"United E-Commerce Fund SGD","BK4581":"高盛持仓","LU1046421795.USD":"富达环球科技A-ACC","LU0203347892.USD":"SCHRODER ISF QEP GLOBAL ACTIVE VALLUE \"A\" (USD)  INC AV","IE00BVYPNV92.GBP":"GUINNESS GLOBAL EQUITY INCOME \"C\" (GBP) ACC","IE00BGHQF631.EUR":"GUINNESS GLOBAL EQUITY INCOME \"C\" (EUR) ACC","LU1244550577.SGD":"FTIF - Franklin Global Multi-Asset Income A (Mdis) SGD-H1","LU2506952097.USD":"BNP PARIBAS SUSTAINABLE GLOBAL LOW VOL EQUITY \"CRH\" (USDHDG) ACC","SG9999001440.SGD":"United Global Dividend Equity Fund A SGD Dist","IE00BKVL7J92.USD":"Legg Mason ClearBridge - US Equity Sustainability Leaders A Acc USD","BK4539":"次新股","LU2286300806.USD":"Allianz Cyber Security AT Acc USD","COIN":"Coinbase Global, Inc.","LU0203345920.USD":"SCHRODER ISF QEP GLB ACT. VL \"A\" (USD) ACC","BK4516":"特朗普概念","LU2237443895.HKD":"abrdn SICAV I -  GLOBAL DYNAMIC DIVIDEND \"A\" (HKD) ACC","LU1244550494.USD":"FRANKLIN GLOBAL MULTI-ASSET INCOME \"A\" (USDHEDGED) ACC","BK4554":"元宇宙及AR概念","CSCO":"思科","LU1599440770.SGD":"FIDELITY GLOBAL DIVIDEND \"A\" (SGDHDG) INC","BK4515":"5G概念","LU0889566641.SGD":"FTSF - Templeton Shariah Global Equity A Acc SGD","LU2247934214.USD":"FIDELITY FUNDS SUSTAINABLE FUTURE CONNECTIVITY \"A\" (USD) ACC","LU2506952170.USD":"BNP PARIBAS SUSTAINABLE GLOBAL LOW VOL EQUITY \"CRH\" (USDHDG) INC","LU1880398471.USD":"AMUNDI FUNDS GLOBAL EQUITY \"A2\" (USD) ACC","LU1880398554.USD":"AMUNDI FUNDS GLOBAL EQUITY \"A2\" (USD) INC","SG9999015952.SGD":"LIONGLOBAL DISRUPTIVE INNOVATION \"I\" (SGD) ACC","LU0792757196.USD":"TEMPLETON SHARIAH GLOBAL EQUITY FUND \"A\" (USD) ACC","LU1066051811.HKD":"HSBC GIF GLOBAL EQUITY VOLATILITY FOCUSED \"AM2\" (HKD) INC","LU2237443549.SGD":"Aberdeen Standard SICAV I - Global Dynamic Dividend A MIncA SGD-H","BK4535":"淡马锡持仓","IE00B3T34201.USD":"BNY MELLON GLOBAL EQUITY INCOME \"B\" (USD) INC","LU0950375773.USD":"BNP PARIBAS SUSTAINABLE GLOBAL LOW VOL EQUITY \"C\" (USD) INC A","LU0868494708.USD":"UBS (LUX) EQUITY SICAV - US TOTAL YIELD SUSTAINABLE \"P\" (USD) INC","BK4527":"明星科技股","BK4020":"通信设备","SG9999002232.USD":"Allianz Global High Payout USD","BK4588":"碎股","LU1861217088.USD":"贝莱德金融科技A2","LU1894683264.USD":"AMUNDI FUNDS US EQUITY RESEARCH VALUE \"A2\" (USD) ACC","LU1267930813.SGD":"FRANKLIN TEMPLETON SHARIAH GLOBAL EQUITY \"AS\" (SGD) ACC","IE00BZ1G4Q59.USD":"LEGG MASON CLEARBRIDGE US EQUITY SUSTAINABILITY LEADER \"A\"(USD) INC (A)","BK4551":"寇图资本持仓","LU1861220207.SGD":"Blackrock FinTech A2 SGD-H","LU0823417737.USD":"BNP PARIBAS SUSTAINABLE GLOBAL LOW VOL EQUITY \"C\" (USD) INC"},"translate_title":"朝鲜黑客使用新恶意软件瞄准加密货币招聘人员，能够从浏览器扩展中窃取凭据","themeId":null,"isJumpTheme":false,"ttsUrl":null,"symbols_score_info":{"COIN":1,"CSCO":1},"content_text":"BlockBeats News, June 20th, According to Decrypt's report, threat intelligence research firm Cisco Talos reported on Wednesday that North Korean hackers deployed a new Python Remote Access Trojan called \"PylangGhost\" targeting cryptocurrency professionals through a fake job interview posing as companies like Coinbase and Uniswap. The malware is associated with the North Korean-affiliated notorious hacking group \"Famous Chollima\" (also known as \"Wagemole\").The malware is capable of stealing credentials from over 80 browser extensions, including Metamask and 1Password, and achieves persistent remote access. The attack mainly targets Windows systems and macOS users, with Linux systems not currently affected by this wave of attacks.","kind":"highlight","is_publish_news":true,"is_publish_highlight":false,"is_publish_live":false,"is_publish_wemedia":null,"editions":null,"column":"","sentiment":"-1","news_tag":"","news_rank":0,"symbols":[],"gpt_button":0,"code":"91000000","status":"200"}}}