Lazarus Hackers Use Fake Camera/Microphone Alerts to Deploy PyLangGhost RAT
North Korean state-sponsored threat actors associated with the Lazarus Group, specifically the subgroup known as Famous Chollima, have evolved their tactics by deploying a new Python-based remote access trojan (RAT) dubbed PyLangGhost.
This malware represents a reimplementation of the earlier GoLangGhost RAT, exhibiting code structures indicative of AI-assisted porting, including Go-like logic patterns and extensive commented-out sections.
Unlike traditional malware dissemination via pirated software or USB drives, PyLangGhost RAT leverages highly targeted “ClickFix” social engineering campaigns, primarily aimed at developers and executives in the technology, finance, and cryptocurrency sectors.
Social Engineering in Targeted Attacks
In these operations, adversaries orchestrate fake job interviews or business calls, simulating browser errors that block camera or microphone access.
According to the Any.Run report, victims are prompted to execute a purported fix script, which in reality grants remote operators full system control.
This technique was recently documented by researcher Heiner García Pérez of BlockOSINT, who encountered it during a simulated recruitment for the Aave DeFi Protocol.
The attack begins with a deceptive error message, such as a “Race Condition in Windows Camera Discovery Cache,” instructing the user to run a command that downloads and executes malicious payloads.
The delivery mechanism involves a curl command fetching a ZIP file from a suspicious domain, extracting it via PowerShell’s Expand-Archive, and launching a VBScript (update.vbs) that decompresses a clean Python environment bundled in Lib.zip.

This environment includes a renamed python.exe as csshost.exe, which executes the core nvidia.py loader.
The malware’s modular architecture comprises config.py for defining command codes, C2 servers, and targeted Chrome extensions like MetaMask and Phantom; api.py for RC4-encrypted packet construction and MD5 checksums over non-TLS HTTP; and command.py for dispatching instructions, including system reconnaissance, file uploads/downloads, reverse shells, and credential exfiltration.
The auxiliary module util.py handles in-memory compression and decompression of tar.gz archives, while auto.py focuses on harvesting cryptocurrency wallet data and Chrome-stored credentials, employing privilege escalation via deceptive UAC prompts mimicking “python.exe” to access DPAPI-protected encryption keys.
Business Implications
PyLangGhost RAT establishes persistence through registry keys and a .store mutex file, ensuring single-instance execution, and communicates with C2 infrastructure using raw IP addresses with weak RC4/MD5 obfuscation.
It supports commands for gathering system info, file operations, terminal sessions, and automated theft modes that compress and exfiltrate browser profiles into gather.tar.gz archives.
For credential dumping, it impersonates lsass.exe to gain SYSTEM privileges, decrypting AES-GCM blobs from Chrome’s Local State and Login Data SQLite databases, handling both v10 DPAPI keys and v20 app-bound variants with CNG API decryption.
Behavioral analysis reveals default python-requests User-Agents and rapid C2 requests as detection indicators, though initial VirusTotal scores remain low (0-3 detections), contrasting with high-confidence flagging in sandboxes.
This RAT’s TTPs align with MITRE ATT&CK, including T1036 masquerading, T1059 scripting interpreters, T1083 file discovery, and T1012 registry queries, posing severe risks like financial losses from wallet compromises, data breaches, operational disruptions, and regulatory penalties.
Defenses emphasize behavior-based sandboxes for early detection, employee training against unverified commands, privilege restrictions, anomalous traffic monitoring, and browser hardening.
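The two network indicators called out above, the bare python-requests User-Agent and rapid requests to a raw-IP, plain-HTTP endpoint, are easy to turn into a first-pass detection. The script below is an added example, not code from the Any.Run report or the malware itself; the proxy log format and the addresses in it are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample proxy log (not from the report): ts, client, method, url, user-agent
SAMPLE_LOG = """\
2025-07-01T10:00:00 10.0.0.5 GET http://192.0.2.10:8080/ "python-requests/2.31.0"
2025-07-01T10:00:03 10.0.0.5 POST http://192.0.2.10:8080/ "python-requests/2.31.0"
2025-07-01T10:00:06 10.0.0.5 POST http://192.0.2.10:8080/ "python-requests/2.31.0"
2025-07-01T10:00:09 10.0.0.5 POST http://192.0.2.10:8080/ "python-requests/2.31.0"
2025-07-01T10:00:12 10.0.0.5 POST http://192.0.2.10:8080/ "python-requests/2.31.0"
2025-07-01T10:01:00 10.0.0.7 GET https://pypi.org/simple/requests/ "pip/24.0 python-requests/2.31.0"
2025-07-01T10:02:00 10.0.0.9 GET http://198.51.100.4:8080/ "Mozilla/5.0 (Windows NT 10.0)"
"""
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')
# plain HTTP to a literal IPv4 address (optionally with a port), no hostname
RAW_IP_HTTP = re.compile(r'^http://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?/')

def parse(log):
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, method, url, ua = m.groups()
            yield datetime.fromisoformat(ts), src, method, url, ua

def find_suspects(log, window_s=60, min_hits=4):
    """Return {src: (dst_ip, hits)} for clients using the bare python-requests
    User-Agent that hit a raw-IP HTTP endpoint >= min_hits times in window_s."""
    hits = defaultdict(list)
    for ts, src, _method, url, ua in parse(log):
        if not ua.startswith("python-requests/"):
            continue  # "pip/24.0 python-requests/..." style tool UAs are benign here
        m = RAW_IP_HTTP.match(url)
        if not m:
            continue
        hits[(src, m.group(1))].append(ts)
    suspects = {}
    for (src, dst), times in hits.items():
        times.sort()
        lo = 0  # sliding window over sorted timestamps
        for hi in range(len(times)):
            while (times[hi] - times[lo]).total_seconds() > window_s:
                lo += 1
            if hi - lo + 1 >= min_hits:
                suspects[src] = (dst, hi - lo + 1)
    return suspects

if __name__ == "__main__":
    for src, (dst, n) in find_suspects(SAMPLE_LOG).items():
        print(f"ALERT {src} -> {dst}: {n} python-requests hits to raw-IP HTTP endpoint")
```

Tune `window_s` and `min_hits` to the beaconing rate observed in your own sandbox runs, and whitelist known package-manager traffic rather than the User-Agent prefix alone.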
Indicators of Compromise (IoCs)