A North Korean-aligned threat actor group has developed a new Python-based remote access trojan called “PylangGhost,” representing a significant evolution in their attack capabilities. This malware shares functional similarities with the previously documented GolangGhost RAT and specifically targets employees with cryptocurrency and blockchain experience through sophisticated social engineering campaigns. The attacks primarily affect users in India, though the scope remains limited based on current intelligence, and demonstrate the threat actors’ continued focus on financial gain through both credential theft and fraudulent employment schemes.

The attack chain begins with fake job recruitment websites impersonating legitimate companies in the cryptocurrency sector, where victims are lured through skill-testing pages that eventually request camera access for video interviews. When users attempt to enable their cameras, they receive instructions to copy and paste malicious commands that allegedly install necessary video drivers. These commands download ZIP files containing the PylangGhost modules along with Visual Basic scripts that extract and execute the Python-based trojan. The malware establishes persistence through registry modifications and communicates with command and control servers using RC4 encryption over HTTP.

PylangGhost consists of six well-structured Python modules that mirror the functionality of its Golang counterpart, supporting commands for system information gathering, file operations, remote shell access, and extensive browser credential theft from over 80 extensions including cryptocurrency wallets and password managers. The threat actors deploy different variants based on the target’s operating system, using the Python version for Windows systems while maintaining the Golang variant for macOS users, with Linux systems currently excluded from these campaigns.

A new malware-as-a-service offering known as Amatera Stealer has recently emerged, positioning itself as a more advanced evolution of the earlier ACR Stealer. Priced up to $1,499 annually, the tool enables a wide range of threat actors to steal sensitive data from victims, including browser credentials, messaging app content, and password manager entries. Its rising popularity and technical sophistication make it a growing concern across multiple sectors.

Amatera is distributed through ClearFake web injection campaigns, in which legitimate websites are compromised to display fake CAPTCHA prompts. Victims are socially engineered to run a malicious command using a technique called ClickFix, which tricks them into opening a system dialog and pasting in attacker-supplied code. This launches a multi-stage infection process that uses obfuscation techniques, bypasses built-in security like AMSI (Anti-Malware Scan Interface), and injects malware into legitimate system processes. It also uses EtherHiding, a tactic where malicious code is hidden inside blockchain smart contracts to avoid detection.

Technically, Amatera is built to evade modern security tools. It uses NTSockets, a low-level communication method that avoids standard Windows networking libraries, making its traffic harder to detect. It also relies on WoW64 syscalls, a way to execute system-level code while bypassing user-mode monitoring. For command-and-control, it connects through Cloudflare infrastructure using spoofed headers that make its traffic appear legitimate. These evasion strategies, combined with its broad data theft capabilities and ability to deploy additional malware, make Amatera one of the most capable info-stealers currently in circulation.