Researchers from Sophos Counter Threat Unit (CTU) have uncovered ongoing activity attributed to a threat group, tracked as NICKEL ALLEY, believed to operate on behalf of the North Korean government. The group is targeting technology professionals using fake job opportunities and sophisticated social engineering techniques.
In the attacks, hackers create fraudulent LinkedIn company profiles to appear legitimate and often pair them with GitHub repositories used to deliver malicious code. Victims are invited to participate in fake job interviews, where they are asked to complete technical tasks.
Attackers use ClickFix tactics to trick candidates into running a command on their own computer. The attacker-controlled website displays a fake error message instructing the user to execute a "fix". Instead of resolving an issue, the command installs malware.
The command downloads a compressed archive from a remote server into the system's temporary (%TEMP%) directory, then uses PowerShell's Expand-Archive cmdlet to extract the files. A VBScript is executed via wscript, which launches a renamed Python interpreter (csshost.exe) to run a malicious Python script (nvidia.py). This script initiates the PyLangGhost Remote Access Trojan (RAT) infection chain.
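The delivery chain above leaves a recognisable footprint in process-creation telemetry. The following is an added example of a defender-side heuristic (not Sophos CTU code) that scans Sysmon Event ID 1-style records for the three stages: PowerShell expanding an archive out of %TEMP%, a binary whose PE OriginalFileName is python.exe but whose on-disk name differs (csshost.exe in the reported chain), and a script host spawning a process that runs a .py file. The sample events, field names and paths are constructed for illustration.

```python
"""Heuristic detection of the ClickFix -> PyLangGhost delivery chain (added example)."""
import ntpath
import re

# Constructed sample events, not real telemetry. Field names follow Sysmon EID 1.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": r'powershell -w hidden -c "Expand-Archive -Path $env:TEMP\update.zip -DestinationPath $env:TEMP\update"'},
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Users\dev\AppData\Local\Temp\update\csshost.exe",
     "OriginalFileName": "python.exe",
     "CommandLine": r"csshost.exe nvidia.py"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Python312\python.exe",
     "OriginalFileName": "python.exe",
     "CommandLine": r"python.exe build.py"},   # benign developer activity
]

TEMP_RE = re.compile(r"(%TEMP%|\$env:TEMP|\\AppData\\Local\\Temp\\)", re.IGNORECASE)

def classify(event):
    """Return the list of heuristics this process-creation event triggers."""
    reasons = []
    image = ntpath.basename(event.get("Image", "")).lower()
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    cmd = event.get("CommandLine", "")
    orig = event.get("OriginalFileName", "").lower()
    # Stage 1: PowerShell expanding an archive that lives in the temp directory.
    if image in ("powershell.exe", "pwsh.exe") and re.search(r"expand-archive", cmd, re.I) and TEMP_RE.search(cmd):
        reasons.append("powershell Expand-Archive on %TEMP% archive")
    # Stage 2: renamed interpreter. Sysmon records the PE's OriginalFileName, so a
    # python.exe binary renamed on disk stands out whatever name the attacker picks.
    if orig == "python.exe" and image != "python.exe":
        reasons.append(f"renamed Python interpreter ({image})")
    # Stage 3: a script host (wscript/cscript) spawning a process that runs a .py file,
    # matching the VBScript -> interpreter hand-off in the chain.
    if parent in ("wscript.exe", "cscript.exe") and re.search(r"\.py\b", cmd, re.I):
        reasons.append(f"{parent} launched a .py script")
    return reasons

def scan(events):
    """Return (index, reasons) for every event that triggers at least one heuristic."""
    hits = [(i, classify(e)) for i, e in enumerate(events)]
    return [(i, r) for i, r in hits if r]

if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_EVENTS):
        print(i, SAMPLE_EVENTS[i]["Image"], reasons)
```

Stage 2 alone is a useful standing rule: a process whose OriginalFileName is python.exe but whose image name is not is rare in normal environments and independent of the specific filename the intrusion chooses.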
Once installed, PyLangGhost RAT allows attackers to steal files, execute commands remotely, and gather detailed system information. It also extracts browser credentials, cookies, and cryptocurrency wallet data, with a particular focus on wallet data held in Chrome extensions.
PyLangGhost evolved from a Go-based version called GoLangGhost RAT, first seen in early 2025. By mid-2025, the malware had been rewritten in Python, making it more flexible and easier to modify.
The group also spreads malware through compromised npm packages and fake packages with names similar to legitimate ones (typosquatting).