Famous Chollima Deploying Python Version of GolangGhost RAT

    Date: 06/19/2025

    Severity: Medium

    Summary

    In May 2025, the North Korean-aligned threat actor Famous Chollima began deploying a Python-based version of its remote access trojan (RAT), named PylangGhost, which shares many capabilities with the previously known GolangGhost RAT. The Python RAT targets Windows systems, while the Golang version continues to target macOS users. Recent campaigns focus on employees with cryptocurrency and blockchain experience and have primarily affected a small number of users in India. Linux users are not targeted.

    Indicators of Compromise (IOC) List

    URL/Domains

    http://31.57.243.29

    http://154.58.204.15

    http://212.81.47.217

    http://31.57.243.190

    api.quickcamfix.online

    api.auto-fixer.online

    api.quickdriverupdate.online

    api.camtuneup.online

    api.driversofthub.online

    api.drive-release.cloud

    api.vcamfixer.online

    api.nvidia-drive.cloud

    api.nvidia-release.us

    api.autodriverfix.online

    api.camdriversupport.com

    api.smartdriverfix.cloud

    api.drivercams.cloud

    api.camtechdrivers.com

    api.web-cam.cloud

    api.camera-drive.org

    api.nvidia-release.org

    krakenhire.com

    yuga.skillquestions.com

    uniswap.speakure.com

    doodles.skillquestions.com

    www.hireviavideo.com

    kraken.livehiringpro.com

    quiz-nest.com

    www.smartvideohire.com

    www.talent-hiringstep.com

    provevidskillcheck.com

    skill.vidintermaster.com

    digitaltalent.review

    robinhood.ecareerscan.com

    evalswift.com

    livetalentpro.com

    quantumnodespro.com

    evalassesso.com

    parallel.eskillora.com

    coinbase.talentmonitoringtool.com

    uniswap.testforhire.com

    coinbase.talenthiringtool.com

    crosstheages.skillence360.com

    parallel.eskillprov.com

    assesstrack.com

    talent-hiringtalk.com

    uniswap.prehireiq.com

    fast-video-recording.com

    api.fixdiskpro.online

    api.autocamfixer.online

    Hash

    a206ea9b415a0eafd731b4eec762a5b5e8df8d9007e93046029d83316989790a

    c2137cd870de0af6662f56c97d27b86004f47b866ab27190a97bde7518a9ac1b

    0d14960395a9d396d413c2160570116e835f8b3200033a0e4e150f5e50b68bec

    8ead05bb10e6ab0627fcb3dd5baa59cdaab79aa3522a38dad0b7f1bc0dada10a

    5273d68b3aef1f5ebf420b91d66a064e34c4d3495332fd492fecb7ef4b19624e

    267009d555f59e9bf5d82be8a046427f04a16d15c63d9c7ecca749b11d8c8fc3

    7ac3ffb78ae1d2d9b5d3d336d2a2409bd8f2f15f5fb371a1337dd487bd471e32

    b7ab674c5ce421d9233577806343fc95602ba5385aa4624b42ebd3af6e97d3e5

    fb5362c4540a3cbff8cb1c678c00cc39801dc38151edc4a953e66ade3e069225

    d029be4142fca334af8fe0f5f467a0e0e1c89d3b881833ee53c1e804dc912cfd

    b8402db19371db55eebea08cf1c1af984c3786d03ff7eae954de98a5c1186cee

    1f482ce7e736a8541cc16e3e80c7890d13fb1f561ae38215a98a75dce1333cee

    ed170975e3fd03440360628f447110e016f176a44f951fcf6bc8cdb47fbd8e0e

    929c69827cd2b03e7b03f9a53c08268ab37c29ac4bd1b23425f66a62ad74a13b

    127406b838228c39b368faa9d6903e7e712105b5ad8f43a987a99f7b10c29780

    0ec9d355f482a292990055a9074fdabdb75d72630b920a61bdf387f2826f5385

    c2d2320ae43aaa0798cbcec163a0265cba511f8d42d90d45cd49a43fe1c40be6

    e7c2b524f5cb0761a973accc9a4163294d678f5ce6aca73a94d4e106f4c8fea4

    28198494f0ed5033085615a57573e3d748af19e4bd6ea215893ebeacf6e576df

    fc71a1df2bb4ac2a1cc3f306c3bdf0d754b9fab6d1ac78e4eceba5c6e7aee85d

    d3500266325555c9e777a4c585afc05dfd73b4cbe9dba741c5876593b78059fd

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "yuga.skillquestions.com" or siteurl like "yuga.skillquestions.com" or url like "yuga.skillquestions.com" or domainname like "api.driversofthub.online" or siteurl like "api.driversofthub.online" or url like "api.driversofthub.online" or domainname like "quantumnodespro.com" or siteurl like "quantumnodespro.com" or url like "quantumnodespro.com" or domainname like "api.nvidia-release.org" or siteurl like "api.nvidia-release.org" or url like "api.nvidia-release.org" or domainname like "provevidskillcheck.com" or siteurl like "provevidskillcheck.com" or url like "provevidskillcheck.com" or domainname like "www.hireviavideo.com" or siteurl like "www.hireviavideo.com" or url like "www.hireviavideo.com" or domainname like "http://212.81.47.217" or siteurl like "http://212.81.47.217" or url like "http://212.81.47.217" or domainname like "http://31.57.243.29" or siteurl like "http://31.57.243.29" or url like "http://31.57.243.29" or domainname like "skill.vidintermaster.com" or siteurl like "skill.vidintermaster.com" or url like "skill.vidintermaster.com" or domainname like "quiz-nest.com" or siteurl like "quiz-nest.com" or url like "quiz-nest.com" or domainname like "api.smartdriverfix.cloud" or siteurl like "api.smartdriverfix.cloud" or url like "api.smartdriverfix.cloud" or domainname like "evalassesso.com" or siteurl like "evalassesso.com" or url like "evalassesso.com" or domainname like "api.vcamfixer.online" or siteurl like "api.vcamfixer.online" or url like "api.vcamfixer.online" or domainname like "http://154.58.204.15" or siteurl like "http://154.58.204.15" or url like "http://154.58.204.15" or domainname like "parallel.eskillprov.com" or siteurl like "parallel.eskillprov.com" or url like "parallel.eskillprov.com" or domainname like "api.camdriversupport.com" or siteurl like "api.camdriversupport.com" or url like "api.camdriversupport.com" or domainname like "api.drivercams.cloud" or siteurl like "api.drivercams.cloud" or url like "api.drivercams.cloud" or domainname like "doodles.skillquestions.com" or siteurl like "doodles.skillquestions.com" or url like "doodles.skillquestions.com" or domainname like "http://31.57.243.190" or siteurl like "http://31.57.243.190" or url like "http://31.57.243.190" or domainname like "api.drive-release.cloud" or siteurl like "api.drive-release.cloud" or url like "api.drive-release.cloud" or domainname like "api.autodriverfix.online" or siteurl like "api.autodriverfix.online" or url like "api.autodriverfix.online" or domainname like "api.quickcamfix.online" or siteurl like "api.quickcamfix.online" or url like "api.quickcamfix.online" or domainname like "robinhood.ecareerscan.com" or siteurl like "robinhood.ecareerscan.com" or url like "robinhood.ecareerscan.com" or domainname like "crosstheages.skillence360.com" or siteurl like "crosstheages.skillence360.com" or url like "crosstheages.skillence360.com"

    Detection Query 2:

    domainname like "digitaltalent.review" or siteurl like "digitaltalent.review" or url like "digitaltalent.review" or domainname like "api.camera-drive.org" or siteurl like "api.camera-drive.org" or url like "api.camera-drive.org" or domainname like "kraken.livehiringpro.com" or siteurl like "kraken.livehiringpro.com" or url like "kraken.livehiringpro.com" or domainname like "parallel.eskillora.com" or siteurl like "parallel.eskillora.com" or url like "parallel.eskillora.com" or domainname like "api.camtuneup.online" or siteurl like "api.camtuneup.online" or url like "api.camtuneup.online" or domainname like "http://31.57.243.29" or siteurl like "http://31.57.243.29" or url like "http://31.57.243.29" or domainname like "api.auto-fixer.online" or siteurl like "api.auto-fixer.online" or url like "api.auto-fixer.online" or domainname like "api.quickdriverupdate.online" or siteurl like "api.quickdriverupdate.online" or url like "api.quickdriverupdate.online" or domainname like "api.nvidia-drive.cloud" or siteurl like "api.nvidia-drive.cloud" or url like "api.nvidia-drive.cloud" or domainname like "api.nvidia-release.us" or siteurl like "api.nvidia-release.us" or url like "api.nvidia-release.us" or domainname like "api.camtechdrivers.com" or siteurl like "api.camtechdrivers.com" or url like "api.camtechdrivers.com" or domainname like "api.web-cam.cloud" or siteurl like "api.web-cam.cloud" or url like "api.web-cam.cloud" or domainname like "krakenhire.com" or siteurl like "krakenhire.com" or url like "krakenhire.com" or domainname like "uniswap.speakure.com" or siteurl like "uniswap.speakure.com" or url like "uniswap.speakure.com" or domainname like "www.smartvideohire.com" or siteurl like "www.smartvideohire.com" or url like "www.smartvideohire.com" or domainname like "www.talent-hiringstep.com" or siteurl like "www.talent-hiringstep.com" or url like "www.talent-hiringstep.com" or domainname like "evalswift.com" or siteurl like "evalswift.com" or url like "evalswift.com" or domainname like "livetalentpro.com" or siteurl like "livetalentpro.com" or url like "livetalentpro.com" or domainname like "coinbase.talentmonitoringtool.com" or siteurl like "coinbase.talentmonitoringtool.com" or url like "coinbase.talentmonitoringtool.com" or domainname like "uniswap.testforhire.com" or siteurl like "uniswap.testforhire.com" or url like "uniswap.testforhire.com" or domainname like "coinbase.talenthiringtool.com" or siteurl like "coinbase.talenthiringtool.com" or url like "coinbase.talenthiringtool.com" or domainname like "assesstrack.com" or siteurl like "assesstrack.com" or url like "assesstrack.com" or domainname like "talent-hiringtalk.com" or siteurl like "talent-hiringtalk.com" or url like "talent-hiringtalk.com" or domainname like "uniswap.prehireiq.com" or siteurl like "uniswap.prehireiq.com" or url like "uniswap.prehireiq.com" or domainname like "fast-video-recording.com" or siteurl like "fast-video-recording.com" or url like "fast-video-recording.com" or domainname like "api.fixdiskpro.online" or siteurl like "api.fixdiskpro.online" or url like "api.fixdiskpro.online" or domainname like "api.autocamfixer.online" or siteurl like "api.autocamfixer.online" or url like "api.autocamfixer.online"

    Detection Query 3:

    sha256hash IN ("7ac3ffb78ae1d2d9b5d3d336d2a2409bd8f2f15f5fb371a1337dd487bd471e32","d029be4142fca334af8fe0f5f467a0e0e1c89d3b881833ee53c1e804dc912cfd","0ec9d355f482a292990055a9074fdabdb75d72630b920a61bdf387f2826f5385","267009d555f59e9bf5d82be8a046427f04a16d15c63d9c7ecca749b11d8c8fc3","1f482ce7e736a8541cc16e3e80c7890d13fb1f561ae38215a98a75dce1333cee","c2d2320ae43aaa0798cbcec163a0265cba511f8d42d90d45cd49a43fe1c40be6","28198494f0ed5033085615a57573e3d748af19e4bd6ea215893ebeacf6e576df","b7ab674c5ce421d9233577806343fc95602ba5385aa4624b42ebd3af6e97d3e5","b8402db19371db55eebea08cf1c1af984c3786d03ff7eae954de98a5c1186cee","e7c2b524f5cb0761a973accc9a4163294d678f5ce6aca73a94d4e106f4c8fea4","ed170975e3fd03440360628f447110e016f176a44f951fcf6bc8cdb47fbd8e0e","c2137cd870de0af6662f56c97d27b86004f47b866ab27190a97bde7518a9ac1b","a206ea9b415a0eafd731b4eec762a5b5e8df8d9007e93046029d83316989790a","5273d68b3aef1f5ebf420b91d66a064e34c4d3495332fd492fecb7ef4b19624e","0d14960395a9d396d413c2160570116e835f8b3200033a0e4e150f5e50b68bec","8ead05bb10e6ab0627fcb3dd5baa59cdaab79aa3522a38dad0b7f1bc0dada10a","fb5362c4540a3cbff8cb1c678c00cc39801dc38151edc4a953e66ade3e069225","929c69827cd2b03e7b03f9a53c08268ab37c29ac4bd1b23425f66a62ad74a13b","127406b838228c39b368faa9d6903e7e712105b5ad8f43a987a99f7b10c29780","fc71a1df2bb4ac2a1cc3f306c3bdf0d754b9fab6d1ac78e4eceba5c6e7aee85d","d3500266325555c9e777a4c585afc05dfd73b4cbe9dba741c5876593b78059fd")
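    The three queries above perform two checks: network indicators against the domainname, siteurl and url fields, and SHA-256 values against sha256hash. As an added example that is not part of the original advisory and not Gurucul tooling, the Python below applies a subset of the IoCs published on this page to constructed web-proxy and file-event log lines. The log formats, field names and helper names are assumptions. It normalizes the scheme-bearing IP indicators (http://31.57.243.29 and similar) to bare hosts, since a domainname field in telemetry never carries the scheme, and it matches subdomains of a listed domain without matching look-alike hosts that merely contain the indicator as a substring.

```python
"""Match constructed proxy and file-event logs against PylangGhost IoCs from this page."""
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Subset of the network indicators published on this page; the full list
# can be pasted in the same way (URLs and bare hostnames are both accepted).
RAW_NETWORK_IOCS = [
    "http://31.57.243.29",
    "http://154.58.204.15",
    "api.drivercams.cloud",
    "api.nvidia-release.org",
    "kraken.livehiringpro.com",
    "quiz-nest.com",
]

# Subset of the SHA-256 hashes published on this page.
HASH_IOCS = {
    "7ac3ffb78ae1d2d9b5d3d336d2a2409bd8f2f15f5fb371a1337dd487bd471e32",
    "d029be4142fca334af8fe0f5f467a0e0e1c89d3b881833ee53c1e804dc912cfd",
}


def to_host(indicator: str) -> str:
    """Reduce a URL or bare hostname indicator to a lower-case host.

    The published list mixes 'http://1.2.3.4' URLs with bare domains. A
    domainname field never carries the scheme, so the URL form has to be
    reduced to its host or it will never match.
    """
    ind = indicator.strip().lower()
    if "://" not in ind:
        # urlsplit treats a scheme-less string as a path; '//' makes it a netloc.
        ind = "//" + ind
    return (urlsplit(ind).hostname or "").rstrip(".")


HOST_IOCS = {to_host(i) for i in RAW_NETWORK_IOCS}


def host_matches(host: str) -> Optional[str]:
    """Return the indicator that host equals or is a subdomain of, else None.

    'cdn.quiz-nest.com' matches 'quiz-nest.com'; 'quiz-nest.com.example.net'
    does not, because only a full label boundary ('.' + indicator) counts.
    """
    host = host.lower().rstrip(".")
    for ioc in HOST_IOCS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


# Constructed sample logs (assumed whitespace-separated formats, not real telemetry):
# proxy: <timestamp> <client_ip> <method> <url> <status>
# file:  <timestamp> <hostname> <event> <path> <sha256>
SAMPLE_PROXY_LOG = """\
2025-06-10T09:14:02Z 10.20.0.15 GET https://www.example.com/ 200
2025-06-10T09:15:41Z 10.20.0.15 GET http://api.drivercams.cloud/update 200
2025-06-10T09:16:10Z 10.20.0.22 GET http://31.57.243.29/ 200
2025-06-10T09:17:55Z 10.20.0.22 GET https://cdn.quiz-nest.com/assets/app.js 200
2025-06-10T09:18:03Z 10.20.0.31 GET https://quiz-nest.com.example.net/ 200
"""
SAMPLE_FILE_LOG = """\
2025-06-10T09:16:30Z WKS-22 file_created C:\\Users\\j\\Downloads\\download.zip 7ac3ffb78ae1d2d9b5d3d336d2a2409bd8f2f15f5fb371a1337dd487bd471e32
2025-06-10T09:16:35Z WKS-22 file_created C:\\Users\\j\\Downloads\\readme.txt 0000000000000000000000000000000000000000000000000000000000000000
"""


def scan_proxy_line(line: str) -> Optional[Dict[str, str]]:
    """Flag a proxy line whose URL host equals or sits under a listed indicator."""
    ts, client, _method, url, _status = line.split()
    ioc = host_matches(urlsplit(url).hostname or "")
    if ioc is None:
        return None
    return {"type": "network", "ts": ts, "client": client, "url": url, "ioc": ioc}


def scan_file_line(line: str) -> Optional[Dict[str, str]]:
    """Flag a file event whose SHA-256 is in the published hash list."""
    ts, host, _event, path, sha256 = line.split()
    sha256 = sha256.lower()
    if sha256 not in HASH_IOCS:
        return None
    return {"type": "hash", "ts": ts, "host": host, "path": path, "ioc": sha256}


def scan_logs(proxy_log: str = SAMPLE_PROXY_LOG, file_log: str = SAMPLE_FILE_LOG) -> List[Dict[str, str]]:
    """Run both checks over the logs and return every hit in log order."""
    hits: List[Dict[str, str]] = []
    for line in proxy_log.splitlines():
        hit = scan_proxy_line(line) if line.strip() else None
        if hit:
            hits.append(hit)
    for line in file_log.splitlines():
        hit = scan_file_line(line) if line.strip() else None
        if hit:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in scan_logs():
        print(hit)
```

    Running the script reports the api.drivercams.cloud request, the direct connection to 31.57.243.29, the cdn.quiz-nest.com subdomain and the file whose hash is on the list, while the look-alike quiz-nest.com.example.net host and the unlisted hash produce no alert.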

    Reference:

    https://blog.talosintelligence.com/python-version-of-golangghost-rat/

    Tags

    Malware, Threat Actor, GolangGhost RAT, PylangGhost RAT, RAT, North Korean, Chollima, Python, cryptocurrency
