\n* In May 2025, Cisco Talos identified a Python-based remote access trojan (RAT) we call “PylangGhost,” used exclusively by a North Korean-aligned threat actor. PylangGhost is functionally similar to the previously documented GolangGhost RAT, sharing many of the same capabilities.
* In recent campaigns, the threat actor _Famous Chollima_ — potentially made up of multiple groups — has been using a Python-based version of their trojan to target Windows systems, while continuing to deploy a Golang-based version for MacOS users. Linux users are not targeted in these latest campaigns.
* The attacks are targeting employees with experience in cryptocurrency and blockchain technologies.
* Based on open-source intelligence, only a small number of users, predominantly in India, are affected. Cisco product telemetry does not indicate that there are any affected Cisco users.<\/p>\n
* * *<\/p>\n
<\/p>\n
Since mid-2024, the threat actor group _Famous Chollima (aka Wagemole)_, a North Korean-aligned threat actor, has been very active through several well-documented campaigns. These campaigns include using variants of Contagious Interview (aka DeceptiveDevelopment) and creating fake job advertisements and skill-testing pages. In the latter, users are instructed to copy and paste (ClickFix) a malicious command line in order to install drivers necessary to conduct the final skill-testing stage.<\/p>\n
Toward the end of the year, researchers documented Famous Chollima’s remote access trojan (RAT) called “GolangGhost” in its source code format, which was frequently used as the final payload in the threat actor’s ClickFix campaigns.<\/p>\n
In May 2025, Cisco Talos discovered threat actors starting to deploy a functionally equivalent Python variant of GolangGhost trojan, which we call “PylangGhost.”<\/p>\n
## Fake job interview sites mislead users to PylangGhost infection<\/p>\n
Famous Chollima seek financial benefit using a two-pronged approach: first, by creating fake employers for the purpose of jobseekers exposing their personal information, and second by deploying fake employees as workers in targeted victim companies.<\/p>\n
This blog focuses on the first method, where real software engineers, marketing employees, designers and other workers are targeted by fake recruiters and instructed to visit skill-testing pages in order to move forward with their application.<\/p>\n
Based on the advertised positions, it is clear that the Famous Chollima is broadly targeting individuals with previous experience in cryptocurrency and blockchain technologies. The skill-testing sites attempt to impersonate real companies such as Coinbase, Archblock, Robinhood, Parallel Studios, Uniswap and others, which helps with the targeting.<\/p>\n
Figure 1. Examples of initial fake job sites.<\/p>\n
Each target is sent an invite code to visit a testing website where, depending on the position, they are instructed to enter their details and answer several questions to test their experience and skills. The sites are created using the React framework and have very similar visual designs, no matter the type of position.<\/p>\n
 __Figure 2. Example of questions asked for an illegitimate Business Development Manager position at Robinhood.__<\/p>\n
Once the user answers all the questions and provides personal details, the site displays an invitation to record a video for the interviewer, recommending that the user request camera access by pressing a button.<\/p>\n
 __Figure 3. A camera setup page displayed once questions are answered.__<\/p>\n
Finally, when the user requests camera, the site displays the instructions for the user to copy, paste and execute a command to allegedly install the required video drivers, if the OS is supported. When Talos used Windows and MacOS test systems, the instructions were shown as seen in Figure 4 and 5. The Linux test system led to another error message, without any instructions to download and install the payload.<\/p>\n
Figure 4. Windows instructions to copy, paste and execute a malicious command. Figure 5. MacOS instructions to copy, paste and execute a malicious command.<\/p>\n
Instructions for downloading the alleged fix are different based on the browser fingerprinting, and also given in appropriate shell language for the OS: PowerShell or Command Shell for Windows, and Bash for MacOS.<\/p>\n
__Figure 6. Command Shell, PowerShell or Bash instructions to download a payload.__<\/p>\n
## PylangGhost – Python variant of GolangGhost<\/p>\n
As the Golang variant of the RAT is already well-documented, this blog focuses on the Python version and the similarities between the two. The initial stage consists of a command line which the fake webpage tells the unsuspecting user to copy, paste and execute.<\/p>\n
The command line uses either PowerShell Invoke-Webrequest or curl to download a ZIP file containing the PylangGhost modules as well as Visual Basic Script file. This script is responsible for unzipping the Python library stored in the “lib.zip file” and launching the trojan by running a renamed Python interpreter using the file “nvidia.py” as the Python program to run.<\/p>\n
Figure 7. The first stage simply unzips a Python distribution library and launches the RAT.<\/p>\n
PylangGhost consists of six well-structured Python modules. It is not clear to Talos why the threat actors decided to create two variants using a different programming language, or which was created first. Based on the comments in the code, it is unlikely that the threat actors used a large language model (LLM) to help rewrite the code for Python. One of the strings in the configuration module file (“config.py”) indicates that the Python version is 1.0, while the appropriate configuration variable in the Golang version indicates that the version is 2.0. However, Talos cannot definitively conclude that those two version numbers are comparable.<\/p>\n
The execution starts with the file “nvidia.py”, which performs several tasks: It creates a registry value to launch the RAT every time user logs onto the system, generates a GUID for the system to be used in communication with command and control (C2) server, connects to the C2 server and enters the command loop for communication with the server.<\/p>\n
 __Figure 8. “nvidia.py” executes the main loop for communication with the C2 server__<\/p>\n
The configuration file “config.py” specifies the commands that can be received from the server, which are identical to the commands previously documented in the Golang version of the RAT. These commands enable remote control the infected system and the theft of cookies and credentials from over 80 browser extensions, including password managers and cryptocurrency wallets, including Metamask, 1Password, NordPass, Phantom, Bitski, Initia, TronLink and MultiverseX.<\/p>\n
The command handling module, “command.py”, defines function handlers and handles the commands received from the C2 server.<\/p>\n
Command | Functionality
—|—
qwer | COMMAND_INFORMATION – collect information about the infected system, username, OS version etc
asdf | COMMAND_FILE_UPLOAD – file upload
zxcv | COMMAND_FILE_DOWNLOAD – file download
vbcx | COMMAND_OS_SHELL – launch an OS shell for remote access and control of the infected system
ghdj | COMMAND_WAIT – sleep for a number of seconds specified by the C2 server
r4ys | COMMAND_AUTO \\- browser information stealing command
89io | AUTO_CHROME_GATHER_COMMAND – subcommand of the browser information stealer command
gi%# | AUTO_CHROME_COOKIE_COMMAND – subcommand of the browser information stealer command
dghh | COMMAND_EXIT <\/p>\n
_Table 1. Commands and functionalities._<\/p>\n
The module “auto.py” contains the functionality for stealing the stored browser credentials and session cookies, as well as collecting data from various browser extensions.<\/p>\n
“Api.py” is responsible for implementing the communications protocol with the C2 server, using RC4 encryption to encrypt packets over otherwise unencrypted HTTP used while communicating with the C2 server. The data in a HTTP packet is encrypted with RC4 algorithm, but the encryption key is also sent within the packet structure. The packet begins with 16 bytes of MD5 checksum for the rest of the packet, for verification of data integrity, followed by 128 bytes containing the RC4 encryption key, followed by an encrypted data blob.<\/p>\n
Finally, “util.py” handles the compression and decompression of files.<\/p>\n
## Comparison of Python and Golang modules<\/p>\n
To assess the similarity between the two versions, Talos compares the names of the modules written in different languages as well as their functionality. The structure, the naming conventions and the function names are very similar, which indicates that the developers of the different versions either worked closely together or are the same person.<\/p>\n
Module | Python name | Golang name
—|—|—
Main function module | nvidia.py | cloudfixer.go
Configuration module | config.py | config\/constans.go
Main command loop | nvidia.py | core\/loop.go
Command handlers | command.py | core\/loop.go
Browser Stealer functionality | auto.py | auto\/* modules
File compression | util.py | util\/compress.go
Base64 message encoding | command.py | command\/stackcmd.go
Duplicate process check | nvidia.py | instance\/check.go
Communications protocol | api.py | transport\/htxp.go <\/p>\n
_Table 2. Comparison of Python and Golang RAT module names. _<\/p>\n
## Coverage<\/p>\n
Ways our customers can detect and block this threat are listed below.<\/p>\n
<\/p>\n
_Cisco Secure Endpoint_ (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free _here._<\/p>\n
_Cisco Secure Email_ (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free _here_.<\/p>\n
_Cisco Secure Firewall_ (formerly Next-Generation Firewall and Firepower NGFW) appliances such as _Threat Defense Virtual_, _Adaptive Security Appliance_ and _Meraki MX_ can detect malicious activity associated with this threat.<\/p>\n
_Cisco Secure Network\/Cloud Analytics_ (Stealthwatch\/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.<\/p>\n
_Cisco Secure Malware Analytics_ (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.<\/p>\n
_Cisco Secure Access_ is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles. Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work. Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.<\/p>\n
_Umbrella_, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.<\/p>\n
_Cisco Secure Web Appliance_ (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.<\/p>\n
Additional protections with context to your specific environment and threat data are available from the _Firewall Management Center_.<\/p>\n
_Cisco Duo_ provides multi-factor authentication for users to ensure only those authorized are accessing your network.<\/p>\n
Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on _Snort.org_.<\/p>\n
ClamAV detections available for this threat:<\/p>\n
Win.Backdoor.PyChollima-10045389-0
Win.Backdoor.PyChollima-10045388-0
Win.Backdoor.PyChollima-10045387-0
Win.Backdoor.PyChollima-10045386-0
Win.Backdoor.PyChollima-10045385-0
Win.Backdoor.PyChollima-10045384-0<\/p>\n
## IOCs<\/p>\n
The IOCs can also be found in our GitHub repository here.<\/p>\n
#### SHA256 __<\/p>\n
a206ea9b415a0eafd731b4eec762a5b5e8df8d9007e93046029d83316989790a – auto.py\u00a0\u00a0
c2137cd870de0af6662f56c97d27b86004f47b866ab27190a97bde7518a9ac1b – auto.py\u00a0\u00a0
0d14960395a9d396d413c2160570116e835f8b3200033a0e4e150f5e50b68bec – api.py\u00a0
8ead05bb10e6ab0627fcb3dd5baa59cdaab79aa3522a38dad0b7f1bc0dada10a – api.py\u00a0
5273d68b3aef1f5ebf420b91d66a064e34c4d3495332fd492fecb7ef4b19624e – nvidia.py\u00a0
267009d555f59e9bf5d82be8a046427f04a16d15c63d9c7ecca749b11d8c8fc3 – nvidia.py\u00a0
7ac3ffb78ae1d2d9b5d3d336d2a2409bd8f2f15f5fb371a1337dd487bd471e32 – nvidia.py\u00a0
b7ab674c5ce421d9233577806343fc95602ba5385aa4624b42ebd3af6e97d3e5 – util.py\u00a0
fb5362c4540a3cbff8cb1c678c00cc39801dc38151edc4a953e66ade3e069225 – util.py\u00a0
d029be4142fca334af8fe0f5f467a0e0e1c89d3b881833ee53c1e804dc912cfd – command.py\u00a0
b8402db19371db55eebea08cf1c1af984c3786d03ff7eae954de98a5c1186cee – command.py\u00a0
1f482ce7e736a8541cc16e3e80c7890d13fb1f561ae38215a98a75dce1333cee – config.py\u00a0
ed170975e3fd03440360628f447110e016f176a44f951fcf6bc8cdb47fbd8e0e – config.py\u00a0
929c69827cd2b03e7b03f9a53c08268ab37c29ac4bd1b23425f66a62ad74a13b – config.py\u00a0
127406b838228c39b368faa9d6903e7e712105b5ad8f43a987a99f7b10c29780 – config.py\u00a0
0ec9d355f482a292990055a9074fdabdb75d72630b920a61bdf387f2826f5385 – update.vbs\u00a0
c2d2320ae43aaa0798cbcec163a0265cba511f8d42d90d45cd49a43fe1c40be6 – update.vbs\u00a0
e7c2b524f5cb0761a973accc9a4163294d678f5ce6aca73a94d4e106f4c8fea4 – nvidiaRelease.zip\u00a0
28198494f0ed5033085615a57573e3d748af19e4bd6ea215893ebeacf6e576df – vdriverWin.zip\u00a0
fc71a1df2bb4ac2a1cc3f306c3bdf0d754b9fab6d1ac78e4eceba5c6e7aee85d – nvidiaRelease.zip\u00a0
d3500266325555c9e777a4c585afc05dfd73b4cbe9dba741c5876593b78059fd – nvidiaRelease.zip\u00a0<\/p>\n
#### C2 servers __<\/p>\n
hxxp[:\/\/]31[.]57[.]243[.]29:8080\u00a0
hxxp[:\/\/]154[.]58[.]204[.]15:8080\u00a0
hxxp[:\/\/]212[.]81[.]47[.]217:8080\u00a0
hxxp[:\/\/] 31[.]57[.]243[.]190:8080<\/p>\n
#### Download host names __<\/p>\n
api[.]quickcamfix[.]online\u00a0\u00a0\u00a0
api[.]auto-fixer[.]online\u00a0\u00a0\u00a0
api[.]quickdriverupdate[.]online\u00a0\u00a0\u00a0
api[.]camtuneup[.]online\u00a0\u00a0\u00a0
api[.]driversofthub[.]online\u00a0\u00a0\u00a0
api[.]drive-release[.]cloud\u00a0\u00a0\u00a0
api[.]vcamfixer[.]online\u00a0\u00a0\u00a0
api[.]nvidia-drive[.]cloud\u00a0\u00a0\u00a0
api[.]nvidia-release[.]us\u00a0\u00a0\u00a0
api[.]autodriverfix[.]online\u00a0\u00a0\u00a0
api[.]camdriversupport[.]com\u00a0\u00a0\u00a0
api[.]smartdriverfix[.]cloud\u00a0\u00a0\u00a0
api[.]drivercams[.]cloud\u00a0\u00a0\u00a0
api[.]camtechdrivers[.]com\u00a0\u00a0\u00a0
api[.]web-cam[.]cloud\u00a0\u00a0\u00a0
api[.]camera-drive[.]org\u00a0\u00a0\u00a0
api[.]nvidia-release[.]org\u00a0
api[.]fixdiskpro[.]online\u00a0
api[.]autocamfixer[.]online<\/p>\n
#### Fake job interview host names __<\/p>\n
#### <\/p>\n
krakenhire[.]com\u00a0\u00a0
yuga[.]skillquestions[.]com\u00a0\u00a0
uniswap[.]speakure[.]com\u00a0\u00a0
doodles[.]skillquestions[.]com\u00a0\u00a0
www[.]hireviavideo[.]com\u00a0\u00a0
kraken[.]livehiringpro[.]com\u00a0\u00a0
quiz-nest[.]com\u00a0\u00a0
www[.]smartvideohire[.]com\u00a0\u00a0
www[.]talent-hiringstep[.]com\u00a0\u00a0
provevidskillcheck[.]com\u00a0\u00a0
skill[.]vidintermaster[.]com\u00a0\u00a0
digitaltalent[.]review\u00a0\u00a0
robinhood[.]ecareerscan[.]com\u00a0\u00a0
evalswift[.]com\u00a0\u00a0
livetalentpro[.]com\u00a0\u00a0
quantumnodespro[.]com\u00a0\u00a0
evalassesso[.]com\u00a0\u00a0
parallel[.]eskillora[.]com\u00a0\u00a0
coinbase[.]talentmonitoringtool[.]com\u00a0\u00a0
uniswap[.]testforhire[.]com\u00a0\u00a0
coinbase[.]talenthiringtool[.]com\u00a0\u00a0
crosstheages[.]skillence360[.]com\u00a0
parallel [.] eskillprov [.] com\u00a0
assesstrack [.] com\u00a0
coinbase [.] talentmonitoringtool [.] com\u00a0
talent-hiringtalk[.]com\u00a0
uniswap[.]prehireiq[.]com\u00a0
fast-video-recording[.]com\n<\/div>\n
View Advisory Details<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"Security Update News Update Information Title Famous Chollima deploying Python version of GolangGhost RAT Update ID TALOSBLOG:9AD0D911B5B851CCE8C8429BC9427AA5 Type talosblog Published 2025-06-18T10:00:44 Last Updated 2025-06-18T10:00:44 Security…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,34,12,13,33,7,69,11,5],"class_list":["post-7011","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-cvss-00","tag-exploit","tag-news","tag-none","tag-security","tag-talosblog","tag-tapic","tag-vulnerability"],"yoast_head":"\n
Famous Chollima deploying Python version of GolangGhost RAT - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=7011\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Famous Chollima deploying Python version of GolangGhost RAT - zero redgem\" \/>\n<meta property=\"og:description\" content=\"Security Update News Update Information Title Famous Chollima deploying Python version of GolangGhost RAT Update ID TALOSBLOG:9AD0D911B5B851CCE8C8429BC9427AA5 Type talosblog Published 2025-06-18T10:00:44 Last Updated 2025-06-18T10:00:44 Security...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=7011\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-06-18T07:35:40+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"13 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=7011#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=7011\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"Famous Chollima deploying Python version of GolangGhost RAT\",\"datePublished\":\"2025-06-18T07:35:40+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=7011\"},\"wordCount\":2546,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"CVSS-0.0\",\"exploit\",\"news\",\"NONE\",\"Security\",\"talosblog\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_news\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=7011#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=7011\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=7011\",\"name\":\"Famous Chollima deploying Python version of GolangGhost RAT - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-06-18T07:35:40+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=7011#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=7011\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=7011#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Famous Chollima deploying Python version of GolangGhost RAT\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Famous Chollima deploying Python version of GolangGhost RAT - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=7011","og_locale":"en_US","og_type":"article","og_title":"Famous Chollima deploying Python version of GolangGhost RAT - zero redgem","og_description":"Security Update News Update Information Title Famous Chollima deploying Python version of GolangGhost RAT Update ID TALOSBLOG:9AD0D911B5B851CCE8C8429BC9427AA5 Type talosblog Published 2025-06-18T10:00:44 Last Updated 2025-06-18T10:00:44 Security...","og_url":"https:\/\/zero.redgem.net\/?p=7011","og_site_name":"zero redgem","article_published_time":"2025-06-18T07:35:40+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"13 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=7011#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=7011"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"Famous Chollima deploying Python version of GolangGhost RAT","datePublished":"2025-06-18T07:35:40+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=7011"},"wordCount":2546,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","CVSS-0.0","exploit","news","NONE","Security","talosblog","tapic","Vulnerability"],"articleSection":["category_news"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=7011#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=7011","url":"https:\/\/zero.redgem.net\/?p=7011","name":"Famous Chollima deploying Python version of GolangGhost RAT - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-06-18T07:35:40+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=7011#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=7011"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=7011#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"Famous Chollima deploying Python version of GolangGhost RAT"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/7011","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7011"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/7011\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7011"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7011"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7011"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}