Indian Crypto Job Seekers Are Facing New Malware Threat From Lazarus

Applicants are asked to enter personal information, record interviews, and unknowingly install a Python-based remote access trojan called PylangGhost.

Soumen Datta

June 20, 2025

North Korean state-linked hackers are targeting cryptocurrency professionals in India with a new and highly targeted malware campaign, according to cybersecurity firm Cisco Talos. The attackers, identified as a group known as Famous Chollima, are using fake job interviews and fraudulent skill-testing websites to infect users’ devices with a new Python-based Remote Access Trojan (RAT) dubbed PylangGhost.

This operation, active since mid-2024, marks the latest chapter in North Korea’s widening crypto espionage efforts. Cisco Talos researchers revealed that the attackers are posing as recruiters for high-profile crypto firms such as Coinbase, Uniswap, Robinhood, and Archblock. Their primary targets: software engineers, marketing professionals, and other specialists in blockchain and digital assets.

Job Lures and Fake Interviews

The campaign begins with social engineering. Victims are contacted by supposed recruiters and invited to visit convincing replicas of legitimate company career pages. These sites feature skill-assessment tests and request sensitive information such as full names, resumes, wallet addresses, and credentials.

Candidates are then instructed to enable camera and microphone access for a video interview. During this phase, the fake recruiters ask victims to run certain commands—disguised as video driver installations—which trigger the installation of the PylangGhost malware.

Cisco Talos confirmed the RAT gives hackers full remote control of infected systems and is capable of stealing credentials and cookies from over 80 browser extensions. These include widely-used password managers and cryptocurrency wallets like MetaMask, 1Password, NordPass, Phantom, TronLink, and MultiverseX.

Advanced Malware with Persistent Access

PylangGhost is a Python-based evolution of a previously known threat called GolangGhost. The new variant targets Windows systems exclusively, and is designed to exfiltrate data and maintain persistent access to compromised machines. Linux systems, according to Cisco Talos, appear to be untouched in this wave of attacks.

The malware can execute a wide range of commands: taking screenshots, harvesting system details, managing files, and establishing continuous remote control. It operates via multiple command-and-control servers registered under domains that appear credible, like quickcamfix.online or autodriverfix.online.
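An added example, not from the article or from Cisco Talos: one way a defender could check DNS query logs for lookups of the two domains named above, matching the domain and its subdomains while ignoring look-alike names. The log format, host names and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Domains named in the article as PylangGhost command-and-control infrastructure.
C2_DOMAINS = {"quickcamfix.online", "autodriverfix.online"}

# Constructed log format (an assumption): "<timestamp> <client> query: <name> <type>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+query:\s+(\S+)\s+(\S+)$")

# Constructed sample lines; none of these come from a real network.
SAMPLE_LOG = """\
2025-06-18T09:14:02Z WS-DEV-014 query: api.github.com A
2025-06-18T09:14:07Z WS-DEV-014 query: QuickCamFix.online. A
2025-06-18T09:14:09Z WS-DEV-014 query: cdn.autodriverfix.online A
2025-06-18T09:15:30Z WS-MKT-203 query: notquickcamfix.online A
2025-06-18T09:16:11Z WS-MKT-203 query: quickcamfix.online.example.org AAAA
malformed line without the expected fields
"""

def normalize(name):
    """Lower-case and drop the trailing root dot so FQDN forms compare equal."""
    return name.rstrip(".").lower()

def matches_c2(name, domains=C2_DOMAINS):
    """Return the matched indicator if name is that domain or a subdomain of it."""
    name = normalize(name)
    for domain in domains:
        # Require a label boundary so "notquickcamfix.online" does not match.
        if name == domain or name.endswith("." + domain):
            return domain
    return None

def scan(log_text):
    """Return {client: [(timestamp, queried name, indicator), ...]} for hits."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not parse instead of failing
        ts, client, qname, _qtype = m.groups()
        indicator = matches_c2(qname)
        if indicator:
            hits[client].append((ts, normalize(qname), indicator))
    return dict(hits)

if __name__ == "__main__":
    for client, events in scan(SAMPLE_LOG).items():
        for ts, qname, indicator in events:
            print(f"{ts} {client} queried {qname} (indicator: {indicator})")
```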

Unlike earlier scams, this campaign does not focus on mass phishing or direct theft from exchanges. Instead, it’s a surgical strike aimed at professionals inside the crypto sector, those with access to key infrastructure, internal tools, and sensitive data.

India: A High-Value Target

India, one of the fastest-growing hubs for blockchain development, has become a primary target. Many professionals working on global crypto platforms are based in the country, and this new strategy plays directly into that talent concentration.

According to Dileep Kumar H V, director at Digital South Trust, India needs urgent reforms to deal with this type of threat. He called for mandatory cybersecurity audits for blockchain firms, enhanced monitoring of fake job portals, and legal reforms under India’s IT Act.

He also urged government agencies such as CERT-In, MEITY, and NCIIPC to step up collaboration and launch public awareness campaigns, as well as share intelligence with other jurisdictions.

A Growing Pattern of Digital Espionage

Fake job offers have become a consistent tool in North Korean cyber playbooks. The Lazarus Group, another North Korean-linked hacker collective, used a similar tactic earlier in 2024. They created fake U.S.-based companies like BlockNovas LLC and SoftGlide LLC to lure crypto developers into malware-laden interviews.

In one incident, Lazarus hackers posed as former contractors to breach Radiant Capital, leading to a $50 million loss. A joint statement from Japan, South Korea, and the U.S. recently confirmed that North Korea-linked groups stole $659 million in crypto in 2024 alone.

These campaigns are not just about theft. They are increasingly aimed at gathering intelligence and infiltrating crypto firms from the inside. The ultimate goal appears to be both financial gain and strategic control over blockchain systems and data.

Countermeasures and the Road Ahead

The Cisco Talos report is a wake-up call for professionals in the crypto sector. The firm advises heightened vigilance during the job search process, especially when engaging with new platforms, unfamiliar recruiters, or unknown URLs.

Professionals are advised to:

  • Avoid installing software or running commands during job interviews.
  • Verify the legitimacy of companies and recruiters.
  • Use endpoint protection and anti-malware tools.
  • Regularly update passwords and enable two-factor authentication.

Companies should also tighten internal controls and ensure staff are trained to spot and report social engineering attempts.
