Famous Chollima deploying Python version of GolangGhost RAT

In May 2025, Cisco Talos identified a Python-based remote access trojan (RAT) we call "PylangGhost," used exclusively by a North Korean-aligned threat actor. PylangGhost is functionally similar to the previously documented GolangGhost RAT, sharing many of the same capabilities. In recent campaigns, the threat actor Famous Chollima — potentially made up of multiple groups — has been using a Python-based version of their trojan to target Windows systems, while continuing to deploy a Golang-based version for MacOS users. Linux users are not targeted in these latest campaigns. The attacks are targeting employees with experience in cryptocurrency and blockchain technologies. Based on open-source intelligence, only a small number of users, predominantly in India, are affected. Cisco product telemetry does not indicate that there are any affected Cisco users. Since mid-2024, the threat actor group Famous Chollima (aka Wagemole), a North Korean-aligned threat actor, has been very active through several well-documented campaigns. These campaigns include using variants of Contagious Interview (aka DeceptiveDevelopment) and creating fake job advertisements and skill-testing pages. In the latter, users are instructed to copy and paste (ClickFix) a malicious command line in order to install drivers necessary to conduct the final skill-testing stage. Toward the end of the year, researchers documented Famous Chollima's remote access trojan (RAT) called "GolangGhost" in its source…Read More