PyLangGhost RAT: Rising Data Stealer from Lazarus Group Targeting Finance and Technology
Editor’s note: This article is authored by Mauro Eldritch, offensive security expert and threat intelligence analyst. You can find Mauro on X.
North Korean state-sponsored groups, such as Lazarus, continue to target the financial and cryptocurrency sectors with a variety of custom malware families. In previous research, we examined strains like InvisibleFerret, Beavertail, and OtterCookie, often deployed through fake developer job interviews or staged business calls with executives. While these have been the usual suspects, a newer Lazarus subgroup, Famous Chollima, has recently introduced a fresh threat: PyLangGhost RAT, a Python-based evolution of GoLangGhostRAT.
Unlike common malware that spreads through pirated software or infected USB drives, PyLangGhost RAT is delivered via highly targeted social engineering campaigns aimed at the technology, finance, and crypto industries, with developers and executives as prime victims. In these attacks, adversaries stage fake job interviews and trick their targets into believing that their browser is blocking access …
IoC