North Korean Hackers Infiltrate Crypto Giants—Malware Disguised as Job Offers
Lazarus Group strikes again—this time weaponizing LinkedIn DMs and fake job postings to breach crypto's biggest players.
How they're doing it: Malware-laden PDFs posing as 'urgent hiring documents' bypass enterprise filters. Once opened, the payload establishes persistent access to corporate networks.
Target profile: C-suite recruiters at exchanges, DeFi protocols, and custody providers. Three Fortune 500 crypto firms already compromised (because apparently cybersecurity budgets don't moon with token prices).
Why it matters: These aren't smash-and-grab attacks—the hackers are planting backdoors for long-term asset diversion. Last year's $3B crypto heists just got a software upgrade.
Bottom line: When your 'dream job offer' comes with a side of ransomware, maybe stick to farming airdrops.

The payload is hidden in a ZIP file that includes the renamed Python interpreter (nvidia.py), a Visual Basic script to unpack the archive, and six core modules responsible for persistence, system fingerprinting, file transfer, remote shell access, and browser data theft.
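A triage check for the archive layout just described, written as an added example that is not code from the article or from Cisco Talos: it builds a constructed ZIP (only nvidia.py is a name taken from the article; run.vbs and the module names are assumptions) and flags a PE executable hiding behind a .py extension next to a bundled VBScript launcher.

```python
import io
import zipfile

# Constructed sample archive that mimics the layout described in the article:
# a PE executable carrying a .py name (the renamed interpreter), a VBScript
# launcher, and plain Python modules. Bytes are placeholders, not the malware.
def build_sample_zip(disguised: bool = True) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        head = b"MZ\x90\x00" if disguised else b"#!/u"  # PE magic vs. a script shebang
        z.writestr("nvidia.py", head + b"\x00" * 60)
        z.writestr("run.vbs", b'Set sh = CreateObject("WScript.Shell")\r\n')  # assumed name
        z.writestr("core/persist.py", b"import os\n")          # assumed module names
        z.writestr("core/fingerprint.py", b"import platform\n")
    return buf.getvalue()

def triage_archive(data: bytes) -> list[str]:
    """Flag members whose content contradicts their extension, bundled
    VBScript launchers, and the combination of the two (dropper pattern)."""
    findings = []
    disguised_pe = False
    has_vbs = False
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            with z.open(info) as f:
                head = f.read(2)  # only the magic bytes are needed
            if head == b"MZ" and ext not in ("exe", "dll", "pyd"):
                disguised_pe = True
                findings.append(f"{name}: PE executable disguised with .{ext} extension")
            if ext == "vbs":
                has_vbs = True
                findings.append(f"{name}: VBScript launcher bundled in archive")
    if disguised_pe and has_vbs:
        findings.append("dropper pattern: script launcher plus disguised interpreter")
    return findings

if __name__ == "__main__":
    for line in triage_archive(build_sample_zip()):
        print(line)
```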
The RAT pulls login credentials, session cookies, and wallet data from over 80 extensions, including MetaMask, Phantom, TronLink, and 1Password.
The command set allows full remote control of infected machines, including file uploads, downloads, system recon, and launching a shell — all routed through RC4-encrypted HTTP packets.
RC4-encrypted HTTP packets are data sent over the internet that have been scrambled with RC4, an outdated stream cipher. The connection itself (plain HTTP) offers no protection; the payload inside is encrypted, but only weakly, since RC4 is outdated and easily broken by today’s standards.
Despite being a rewrite, the structure and naming conventions of PylangGhost mirror those of GolangGhost almost exactly, suggesting both were likely authored by the same operator, Cisco said.