North Korean Hackers Infiltrate Crypto Giants—Malware Disguised as Job Offers
Cyber warfare hits DeFi: State-sponsored attackers are weaponizing LinkedIn.
The bait: Fake job postings from top-tier crypto firms—complete with realistic offer letters and interview requests. The payload? A sophisticated malware suite that empties wallets before HR even schedules your first Zoom call.
The attack vector: Lazarus Group (yes, those guys) is now targeting C-suite executives with 'urgent career opportunities.' Because nothing screams 'promotion' like a backdoored PDF.
Why it works: Crypto's hiring frenzy makes vetting impossible—when your industry grows 200% annually, you'll interview anyone with a Metamask wallet and a pulse.
The kicker: Some firms only detected breaches when their cold wallets got warmer... by moving to Pyongyang.
Meanwhile, traditional finance still thinks 'blockchain' is that thing you put around tires in winter.

The payload is hidden in a ZIP file that includes a renamed Python interpreter (nvidia.py), a Visual Basic script to unpack the archive, and six core modules responsible for persistence, system fingerprinting, file transfer, remote shell access, and browser data theft.
The RAT pulls login credentials, session cookies, and wallet data from over 80 extensions, including MetaMask, Phantom, TronLink, and 1Password.
The command set allows full remote control of infected machines, including file uploads, downloads, system recon, and launching a shell — all routed through RC4-encrypted HTTP packets.
RC4-encrypted HTTP packets are data sent over plain HTTP with the contents scrambled using RC4, an outdated stream cipher. The connection itself isn't secure (HTTP rather than HTTPS), so the only protection is the RC4 layer, and that protection is weak: RC4 is deprecated and easily broken by today's standards.
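To make the point about RC4 concrete from the analyst's side, here is an added example (not code from the Cisco report or from the PylangGhost sample): a minimal RC4 used to decode a captured C2 body once the key has been recovered from a sample, plus a demonstration of why raw RC4 over HTTP with a fixed key and no per-message nonce leaks plaintext. The key, the message format and the "packets" are constructed for illustration; nothing on the page states that PylangGhost reuses its keystream this way, that is an assumption made to show the weakness.

```python
# Added example, not from the Cisco report or the PylangGhost sample.
# Defender's view: decode captured C2 bodies with a recovered key, and show
# why RC4 with a fixed key and no nonce gives little real protection.
# SAMPLE_KEY, the JSON command format and both packets are constructed.

def rc4_keystream(key: bytes):
    """Generator yielding the RC4 keystream for `key` (KSA then PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:                               # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is a stream cipher: the same XOR both encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))

def decrypt_c2_body(key: bytes, body: bytes) -> str:
    """Decode one captured HTTP body using a key recovered from a sample."""
    return rc4(key, body).decode("utf-8", errors="replace")

def recover_via_keystream_reuse(known_plain: bytes, known_ct: bytes,
                                other_ct: bytes) -> bytes:
    """With a fixed key and no nonce every packet uses the same keystream.
    One known plaintext/ciphertext pair (e.g. a predictable beacon) yields
    the keystream prefix, which decrypts any other packet up to that length
    without ever knowing the key."""
    keystream = bytes(p ^ c for p, c in zip(known_plain, known_ct))
    return bytes(c ^ k for c, k in zip(other_ct, keystream))

# Constructed sample traffic (assumed format, not taken from the report).
SAMPLE_KEY = b"example-rc4-key"
BEACON_PLAIN = b'{"cmd":"beacon","host":"WS-01"}'
PKT_BEACON = rc4(SAMPLE_KEY, BEACON_PLAIN)
PKT_ORDER = rc4(SAMPLE_KEY, b'{"cmd":"sysinfo","id":"7"}')

if __name__ == "__main__":
    print(decrypt_c2_body(SAMPLE_KEY, PKT_BEACON))
    # The beacon format is predictable, so the second packet falls without the key:
    print(recover_via_keystream_reuse(BEACON_PLAIN, PKT_BEACON, PKT_ORDER))
```

The same keystream-reuse check is a quick way to confirm, from a capture alone, whether a sample's RC4 traffic carries any per-message key material.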
Despite being a rewrite, the structure and naming conventions of PylangGhost mirror those of GolangGhost almost exactly, suggesting both were likely authored by the same operator, Cisco said.