Learn how the North Korean-aligned Famous Chollima is using the a new Python-based RAT, "PylangGhost," to target cryptocurrency and blockchain jobseekers in a campaign affecting users primarily in India.

Wednesday, June 18, 2025 06:00

*   In May 2025, Cisco Talos identified a Python-based remote access trojan (RAT) we call “PylangGhost,” used exclusively by a North Korean-aligned threat actor. PylangGhost is functionally similar to the previously documented GolangGhost RAT, sharing many of the same capabilities. 
*   In recent campaigns, the threat actor Famous Chollima — potentially made up of multiple groups — has been using a Python-based version of their trojan to target Windows systems, while continuing to deploy a Golang-based version for MacOS users. Linux users are not targeted in these latest campaigns. 
*   The attacks are targeting employees with experience in cryptocurrency and blockchain technologies. 
*   Based on open-source intelligence, only a small number of users, predominantly in India, are affected. Cisco product telemetry does not indicate that there are any affected Cisco users. 

Since mid-2024, the threat actor group Famous Chollima (aka Wagemole), a North Korean-aligned threat actor, has been very active through several well-documented campaigns. These campaigns include using variants of Contagious Interview (aka DeceptiveDevelopment) and creating fake job advertisements and skill-testing pages. In the latter, users are instructed to copy and paste (ClickFix) a malicious command line in order to install drivers necessary to conduct the final skill-testing stage.  

Toward the end of the year, researchers documented Famous Chollima’s remote access trojan (RAT) called “GolangGhost” in its source code format, which was frequently used as the final payload in the threat actor’s ClickFix campaigns. 

In May 2025, Cisco Talos discovered threat actors starting to deploy a functionally equivalent Python variant of GolangGhost trojan, which we call “PylangGhost.” 

**Fake job interview sites mislead users to PylangGhost infection **

Famous Chollima seek financial benefit using a two-pronged approach: first, by creating fake employers for the purpose of jobseekers exposing their personal information, and second by deploying fake employees as workers in targeted victim companies.  

This blog focuses on the first method, where real software engineers, marketing employees, designers and other workers are targeted by fake recruiters and instructed to visit skill-testing pages in order to move forward with their application. 

Based on the advertised positions, it is clear that the Famous Chollima is broadly targeting individuals with previous experience in cryptocurrency and blockchain technologies. The skill-testing sites attempt to impersonate real companies such as Coinbase, Archblock, Robinhood, Parallel Studios, Uniswap and others, which helps with the targeting.  

Figure 1. Examples of initial fake job sites.

Each target is sent an invite code to visit a testing website where, depending on the position, they are instructed to enter their details and answer several questions to test their experience and skills. The sites are created using the React framework and have very similar visual designs, no matter the type of position.  

__Figure 2. Example of questions asked for an illegitimate Business Development Manager position at Robinhood.__

Once the user answers all the questions and provides personal details, the site displays an invitation to record a video for the interviewer, recommending that the user request camera access by pressing a button. 

__Figure 3. A camera setup page displayed once questions are answered.__

Finally, when the user requests camera, the site displays the instructions for the user to copy, paste and execute a command to allegedly install the required video drivers, if the OS is supported. When Talos used Windows and MacOS test systems, the instructions were shown as seen in Figure 4 and 5. The Linux test system led to another error message, without any instructions to download and install the payload.  

Figure 4. Windows instructions to copy, paste and execute a malicious command. 

Figure 5. MacOS instructions to copy, paste and execute a malicious command. 

Instructions for downloading the alleged fix are different based on the browser fingerprinting, and also given in appropriate shell language for the OS: PowerShell or Command Shell for Windows, and Bash for MacOS.

__Figure 6. Command Shell, PowerShell or Bash instructions to download a payload.__

**PylangGhost - Python variant of GolangGhost **

As the Golang variant of the RAT is already well-documented, this blog focuses on the Python version and the similarities between the two. The initial stage consists of a command line which the fake webpage tells the unsuspecting user to copy, paste and execute. 

The command line uses either PowerShell Invoke-Webrequest or curl to download a ZIP file containing the PylangGhost modules as well as Visual Basic Script file. This script is responsible for unzipping the Python library stored in the “lib.zip file” and launching the trojan by running a renamed Python interpreter using the file “nvidia.py” as the Python program to run. 

Figure 7. The first stage simply unzips a Python distribution library and launches the RAT. 

 PylangGhost consists of six well-structured Python modules. It is not clear to Talos why the threat actors decided to create two variants using a different programming language, or which was created first. Based on the comments in the code, it is unlikely that the threat actors used a large language model (LLM) to help rewrite the code for Python. One of the strings in the configuration module file (“config.py”) indicates that the Python version is 1.0, while the appropriate configuration variable in the Golang version indicates that the version is 2.0. However, Talos cannot definitively conclude that those two version numbers are comparable. 

 The execution starts with the file “nvidia.py”, which performs several tasks: It creates a registry value to launch the RAT every time user logs onto the system, generates a GUID for the system to be used in communication with command and control (C2) server, connects to the C2 server and enters the command loop for communication with the server.  

__Figure 8. ”nvidia.py” executes the main loop for communication with the C2 server__

 The configuration file “config.py” specifies the commands that can be received from the server, which are identical to the commands previously documented in the Golang version of the RAT. These commands enable remote control the infected system and the theft of cookies and credentials from over 80 browser extensions, including password managers and cryptocurrency wallets, including Metamask, 1Password, NordPass, Phantom, Bitski, Initia, TronLink and MultiverseX. 

The command handling module, “command.py”, defines function handlers and handles the commands received from the C2 server.  

Command 

Functionality 

qwer 

COMMAND\_INFORMATION - collect information about the infected system, username, OS version etc 

asdf 

COMMAND\_FILE\_UPLOAD - file upload 

zxcv 

COMMAND\_FILE\_DOWNLOAD - file download 

vbcx 

COMMAND\_OS\_SHELL - launch an OS shell for remote access and control of the infected system 

ghdj 

COMMAND\_WAIT - sleep for a number of seconds specified by the C2 server 

r4ys 

COMMAND\_AUTO - browser information stealing command 

89io 

AUTO\_CHROME\_GATHER\_COMMAND - subcommand of the browser information stealer command 

gi%# 

AUTO\_CHROME\_COOKIE\_COMMAND - subcommand of the browser information stealer command 

dghh 

COMMAND\_EXIT 

_Table 1. Commands and functionalities._

The module “auto.py” contains the functionality for stealing the stored browser credentials and session cookies, as well as collecting data from various browser extensions.  

“Api.py” is responsible for implementing the communications protocol with the C2 server, using RC4 encryption to encrypt packets over otherwise unencrypted HTTP used while communicating with the C2 server. The data in a HTTP packet is encrypted with RC4 algorithm, but the encryption key is also sent within the packet structure. The packet begins with 16 bytes of MD5 checksum for the rest of the packet, for verification of data integrity, followed by 128 bytes containing the RC4 encryption key, followed by an encrypted data blob.  

Finally, “util.py” handles the compression and decompression of files. 

**Comparison of Python and Golang modules **

To assess the similarity between the two versions, Talos compares the names of the modules written in different languages as well as their functionality. The structure, the naming conventions and the function names are very similar, which indicates that the developers of the different versions either worked closely together or are the same person.   

Module 

Python name 

Golang name 

Main function module 

nvidia.py 

cloudfixer.go 

Configuration module 

config.py 

config/constans.go 

Main command loop 

nvidia.py 

core/loop.go 

Command handlers 

command.py 

core/loop.go 

Browser Stealer functionality 

auto.py 

auto/\* modules 

File compression 

util.py 

util/compress.go 

Base64 message encoding 

command.py 

command/stackcmd.go 

Duplicate process check 

nvidia.py 

instance/check.go 

Communications protocol 

api.py 

transport/htxp.go 

_Table 2. Comparison of Python and Golang RAT module names._ 

**Coverage  **

Ways our customers can detect and block this threat are listed below.  

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.  

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.  

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.  

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.  

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.  

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles.  Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work.  Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.  

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.   

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.   

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.  

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.   

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.  

ClamAV detections available for this threat:

Win.Backdoor.PyChollima-10045389-0
Win.Backdoor.PyChollima-10045388-0
Win.Backdoor.PyChollima-10045387-0
Win.Backdoor.PyChollima-10045386-0
Win.Backdoor.PyChollima-10045385-0
Win.Backdoor.PyChollima-10045384-0

**IOCs **

The IOCs can also be found in our GitHub repository here.

**SHA256 **

a206ea9b415a0eafd731b4eec762a5b5e8df8d9007e93046029d83316989790a - auto.py  
c2137cd870de0af6662f56c97d27b86004f47b866ab27190a97bde7518a9ac1b - auto.py  
0d14960395a9d396d413c2160570116e835f8b3200033a0e4e150f5e50b68bec - api.py 
8ead05bb10e6ab0627fcb3dd5baa59cdaab79aa3522a38dad0b7f1bc0dada10a - api.py 
5273d68b3aef1f5ebf420b91d66a064e34c4d3495332fd492fecb7ef4b19624e - nvidia.py 
267009d555f59e9bf5d82be8a046427f04a16d15c63d9c7ecca749b11d8c8fc3 - nvidia.py 
7ac3ffb78ae1d2d9b5d3d336d2a2409bd8f2f15f5fb371a1337dd487bd471e32 - nvidia.py 
b7ab674c5ce421d9233577806343fc95602ba5385aa4624b42ebd3af6e97d3e5 - util.py 
fb5362c4540a3cbff8cb1c678c00cc39801dc38151edc4a953e66ade3e069225 - util.py 
d029be4142fca334af8fe0f5f467a0e0e1c89d3b881833ee53c1e804dc912cfd - command.py 
b8402db19371db55eebea08cf1c1af984c3786d03ff7eae954de98a5c1186cee - command.py 
1f482ce7e736a8541cc16e3e80c7890d13fb1f561ae38215a98a75dce1333cee - config.py 
ed170975e3fd03440360628f447110e016f176a44f951fcf6bc8cdb47fbd8e0e - config.py 
929c69827cd2b03e7b03f9a53c08268ab37c29ac4bd1b23425f66a62ad74a13b - config.py 
127406b838228c39b368faa9d6903e7e712105b5ad8f43a987a99f7b10c29780 - config.py 
0ec9d355f482a292990055a9074fdabdb75d72630b920a61bdf387f2826f5385 - update.vbs 
c2d2320ae43aaa0798cbcec163a0265cba511f8d42d90d45cd49a43fe1c40be6 - update.vbs 
e7c2b524f5cb0761a973accc9a4163294d678f5ce6aca73a94d4e106f4c8fea4 - nvidiaRelease.zip 
28198494f0ed5033085615a57573e3d748af19e4bd6ea215893ebeacf6e576df - vdriverWin.zip 
fc71a1df2bb4ac2a1cc3f306c3bdf0d754b9fab6d1ac78e4eceba5c6e7aee85d - nvidiaRelease.zip 
d3500266325555c9e777a4c585afc05dfd73b4cbe9dba741c5876593b78059fd - nvidiaRelease.zip 

**C2 servers **

hxxp\[://\]31\[.\]57\[.\]243\[.\]29:8080 
hxxp\[://\]154\[.\]58\[.\]204\[.\]15:8080 
hxxp\[://\]212\[.\]81\[.\]47\[.\]217:8080 
hxxp\[://\] 31\[.\]57\[.\]243\[.\]190:8080

**Download host names **

api\[.\]quickcamfix\[.\]online   
api\[.\]auto-fixer\[.\]online   
api\[.\]quickdriverupdate\[.\]online   
api\[.\]camtuneup\[.\]online   
api\[.\]driversofthub\[.\]online   
api\[.\]drive-release\[.\]cloud   
api\[.\]vcamfixer\[.\]online   
api\[.\]nvidia-drive\[.\]cloud   
api\[.\]nvidia-release\[.\]us   
api\[.\]autodriverfix\[.\]online   
api\[.\]camdriversupport\[.\]com   
api\[.\]smartdriverfix\[.\]cloud   
api\[.\]drivercams\[.\]cloud   
api\[.\]camtechdrivers\[.\]com   
api\[.\]web-cam\[.\]cloud   
api\[.\]camera-drive\[.\]org   
api\[.\]nvidia-release\[.\]org 
api\[.\]fixdiskpro\[.\]online 
api\[.\]autocamfixer\[.\]online

**Fake job interview host names **

krakenhire\[.\]com  
yuga\[.\]skillquestions\[.\]com  
uniswap\[.\]speakure\[.\]com  
doodles\[.\]skillquestions\[.\]com  
www\[.\]hireviavideo\[.\]com  
kraken\[.\]livehiringpro\[.\]com  
quiz-nest\[.\]com  
www\[.\]smartvideohire\[.\]com  
www\[.\]talent-hiringstep\[.\]com  
provevidskillcheck\[.\]com  
skill\[.\]vidintermaster\[.\]com  
digitaltalent\[.\]review  
robinhood\[.\]ecareerscan\[.\]com  
evalswift\[.\]com  
livetalentpro\[.\]com  
quantumnodespro\[.\]com  
evalassesso\[.\]com  
parallel\[.\]eskillora\[.\]com  
coinbase\[.\]talentmonitoringtool\[.\]com  
uniswap\[.\]testforhire\[.\]com  
coinbase\[.\]talenthiringtool\[.\]com  
crosstheages\[.\]skillence360\[.\]com 
parallel \[.\] eskillprov \[.\] com 
assesstrack \[.\] com 
coinbase \[.\] talentmonitoringtool \[.\] com 
talent-hiringtalk\[.\]com 
uniswap\[.\]prehireiq\[.\]com 
fast-video-recording\[.\]com

Famous Chollima deploying Python version of GolangGhost RAT

These five communication channels are favored by scammers to try and trick victims at least once a week—if not more.

Scammers love your smartphone.

They can text you fraudulent tracking links for packages you never bought. They can profess their empty love to you across your social media apps. They can bombard your email inbox with phishing attempts, impersonate a family member through a phone call, and even trick you into visiting malicious versions of legitimate websites.

But, according to new research from Malwarebytes, while scammers can reach people through just about any modern method of communication, they have at least five favored tracts for finding new victims—emails, phone calls and voicemails, malicious websites, social media platforms, and text messages. It’s here that people are most likely to find phishing attempts, romance scams, sextortion threats, and more, and it’s here that everyday people should stay most cautious when receiving messages from unknown senders or in responding to allegedly urgent requests for money or information.

For this research, Malwarebytes surveyed 1,300 people over the age of 18 in the US, UK, Austria, Germany, and Switzerland, asking about the frequency, type, impact, and consequences of any scams they found on their smartphones. Capturing just how aggravating today’s online world is, a full 78% of people said they encountered or received a scam on their smartphone at least once a week.

Here are the top five places that people actually encountered those weekly scams:

*   65% of people encountered a scam at least once a week through their **email**
*   53% encountered a scam at least once a week through **phone calls and voicemails**
*   50% encountered a scam at least once a week through **text messages (SMS)**
*   49% encountered a scam at least once a week through **malicious websites**
*   47% encountered a scam at least once a week through **social media platforms**

Unfortunately, scam prevention cannot fixate on only these five channels, as scammers change their tactics based on how they’re trying to trick their victims. For instance, though people were least likely to encounter a scam once a week through a buying or selling platform like Facebook Marketplace or Craigslist (36%), such platforms were of course the most likely place for scam _victims_ to have their credit card details and passwords stolen by a scammer masquerading as a legitimate business.

The noise from such daily strife has become deeply confusing, as just 15% of people strongly agreed that they could confidently identify a scam on their phone.

****Daily dilemma****

While 78% of people encountered a scam on their smartphone at least once a week, a shocking 44% of people encountered a scam at least _daily_. Similar to the weekly breakdown, here are the top five ways that people encountered scams once a day:

*   34% of people encountered a scam at least once a day through their **email**
*   25% encountered a scam at least once a day through **malicious websites**
*   24% encountered a scam at least once a day through **phone calls and voicemails**
*   24% encountered a scam at least once a day through **social media platforms**
*   22% encountered a scam at least once a day through **text messages (SMS)**

This list encompasses so much of any person’s daily use of their smartphone. They use it to check emails, browse the internet, make phone calls, scroll through social media, and text family and friends. And yet, it is in these exact places that people have come to expect getting scammed. As if the 44% of people who encounter a daily scam wasn’t depressing enough, there are 28% of people who said they encounter scams “multiple times a day.”

But the frequency of scams can only reveal so much. How, exactly, are scammers trying to trick their targets?

****Social engineering and extortion****

Scams are so difficult to analyze because they vary both in their delivery method and their method of deceit. A message that tries to trick a person into clicking a package tracking link is a simple act of social engineering—relying on false urgency or faked identity to fool a victim. But that message itself can come through a text message or an email, and it can direct a person to a malicious website on the internet. A romance scam, similarly, can start on a social media platform but can move into a messaging service like WhatsApp. And sometimes, a threat to release private information—which can be categorized as “extortion”—can happen through a phone call, a text message, or any combination of other communication channels.

This is why, to understand how people were being harmed by scams, Malwarebytes asked respondents about roughly 20 types of cybercrime that they could encounter and experience.

Broadly, Malwarebytes found that 74% of people had “encountered” or come across a social engineering scam, and that 36% fell victim to such scams. These were the most common social engineering scams that people encountered and that they experienced:

*   **Phishing/smishing/vishing**: 53% encountered and 19% experienced
*   **USPS/FedEx/postal scams**: 42% encountered and 12% experienced
*   **Impersonation scams**: 35% encountered and 10% experienced
*   **Marketplace or business scams**: 33% encountered and 10% experienced
*   **Romance scams**: 33% encountered and 10% experienced

For respondents who experienced any type of scam—making them scam victims—Malwarebytes also asked where they had found or encountered that scam. Here, the results show a far more intimate picture of where scams are most likely to harm the public.

For instance, 26% of charity scam victims were originally tricked on social media platforms. 37% of postal notification scam victims were first reached, predictably, through SMS/text messages. And, interestingly, despite how frequently cryptocurrency scams spread through social media, the most likely place for such a scam victim to be contacted was through email (30% for email vs. 13% for social media).

In its research, Malwarebytes also discovered that 17% of people have fallen victim to extortion scams, which includes ransomware scares, virtual kidnapping schemes, and threats to release sexually explicit photos (sextortion) or deepfake images.

Here, scam victims again shared where these scams arrived. The most popular channels for deepfake scammers to victimize people were social media platforms and emails—both at 17%. For sextortion scam victims, the most popular channel was email, at 35%. And 24% of virtual kidnapping scam victims said they were contacted through text messages, making it the most popular way to deliver such a threat.

These numbers may look depressing, but they should instead educate. No, there is no such thing as a perfectly safe communication channel today. But that doesn’t mean there isn’t help.

**Check if something is a scam**

Malwarebytes Scam Guard is a free, AI-powered digital safety companion that reviews any concerning text, email, phone number, link, image, or online message and provides on the spot guidance to help users avert and report scams. Just share a screenshot of any questionable message—like that strange email demanding a password reset or that alarming text flagging a traffic penalty—and Scam Guard will guide you to safety.

 5 riskiest places to get scammed online 

Arbitrary file write as the OSV-SCALIBR user on the host system via a path traversal vulnerability when using OSV-SCALIBR's unpack() function for container images. Particularly, when using the CLI flag --remote-image on untrusted container images.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-2hcm-q3f4-fjgw: OSV-SCALIBR's Container Image Unpacking Vulnerable to Arbitrary File Write via Path Traversal

Scammers are abusing sponsored search results, displaying their scammy phone number on legitimate brand websites.

_The examples in this post are actual fraud attempts found by Malwarebytes Senior Director of Research, Jérôme Segura._

Cybercriminals frequently use fake search engine listings to take advantage of our trust in popular brands, and then scam us. It often starts, as with so many attacks, with a sponsored search result on Google.

In the latest example of this type of scam, we found tech support scammers hijacking the results of people looking for 24/7 support for Apple, Bank of America, Facebook, HP, Microsoft, Netflix, and PayPal.

Here’s how it works: Cybercriminals pay for a sponsored ad on Google pretending to be a major brand. Often, this ad leads people to a fake website. However, in the cases we recently found, the visitor is taken to the legitimate site with a small difference.

Visitors are taken to the help/support section of the brand’s website, but instead of the genuine phone number, the hijackers display their scammy number instead.

The browser address bar will show that of the legitimate site and so there’s no reason for suspicion. However, the information the visitor sees will be misleading, because the search results have been poisoned to display the scammer’s number prominently in what looks like an official search result.

Once the number is called, the scammers will pose as the brand with the aim of getting their victim to hand over personal data or card details, or even allow remote access to their computer. In the case of Bank of America or PayPal, the scammers want access to their victim’s financial account so they can empty it of money.

A technically more correct name for this type of attack would be a search parameter injection attack, because the scammer has crafted a malicious URL that embeds their own fake phone number into the genuine site’s legitimate search functionality.

See the below example on Netflix:

These tactics are very effective because:

*   Users see the legitimate Netflix URL in their address bar
*   The page layout looks authentic (again, because it is the real Netflix site)
*   The fake number appears in what looks like a search result, making it seem official.

This is able to happen because Netflix’s search functionality blindly reflects whatever users put in the search query parameter without proper sanitization or validation. This creates a reflected input vulnerability that scammers can exploit.

Fortunately, Malwarebytes Browser Guard caught this and shows a warning about “Search Hijacking Detected,” and explains that unauthorized changes were made to search results with an overlaid phone number.

But Netflix is just one example. As we mentioned earlier, we found that other brands, such as PayPal, Apple, Microsoft, Facebook, Bank of America, and HP being abused in the same way by scammers.

The HP example is a bit clearer to identify as suspicious, as it says “4 Results for” which is shown in front of the scammers text. But even then if you’re on a genuine website you expect to see a genuine number, right?

Interestingly, Apple is the one where we found the scammer’s number was the hardest to identify as false.

This looks as if the web page tells the visitor they have no matches for their search, so they’d better call the number on display. That would drive them straight in the arms of scammers.

**How to stay safe from tech support scams**

As demonstrated in these cases, Malwarebytes Browser Guard is a great defense mechanism against this kind of scam, and it is free to use.

There are also some other red flags to keep an eye out for:

*   A phone number in the URL
*   Suspicious search terms like “Call Now” or “Emergency Support” in the address bar of the browser
*   Lots of encoded characters like the %20 (space) and %2B (+ sign) along with phone numbers
*   The website showing a search result before you entered one
*   The urgent language (Call Now, Account suspended, Emergency support) displayed on the website
*   An in-browser warning for known scams (don’t ignore this).

And before you call any brand’s support number, look up the official number in previous communications you’ve had with the company (such as an email, or on social media) and compare it to the one you found in the search results. If they are different, investigate until you’re sure which one is the legitimate one.

If during the call, you are asked for personal information or banking details that have nothing to do with the matter you’re calling about, hang up.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Scammers hijack websites of Bank of America, Netflix, Microsoft, and more to insert fake phone number 

A denial of service (DoS) vulnerability has been identified in the JavaScript library microlight version 0.0.7. This library, used for syntax highlighting, does not limit the size of textual content it processes in HTML elements with the microlight class. When excessively large content (e.g., 100 million characters) is processed, the reset function in microlight.js consumes excessive memory and CPU resources, causing browser crashes or unresponsiveness. An attacker can exploit this vulnerability by tricking a user into visiting a malicious web page containing a microlight element with large content, resulting in a denial of service.

GHSA-wgc6-9f6w-h8hx: microlight allows a denial of service

A null pointer dereference vulnerability was discovered in microlight.js (version 0.0.7), a lightweight syntax highlighting library. When processing elements with non-standard CSS color values, the library fails to validate the result of a regular expression match before accessing its properties, leading to an uncaught TypeError and potential application crash.

GHSA-64x7-m7rh-9m83: microlight.js has a null pointer dereference vulnerability

Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code.

GHSA-rvqx-wpfh-mfx7: Langflow Unauth RCE

Cybersecurity researchers at Netcraft have discovered a series of new SEO poisoning related attacks exploiting Google’s search results…

Cybersecurity researchers at Netcraft have discovered a series of new SEO poisoning related attacks exploiting Google’s search results to spread malicious content and other scams. According to researchers, an “organized” network of attackers is using compromised websites to boost the visibility of malicious content in search rankings.

Behind this operation is Hacklink, a black market platform that allows scammers to inject links to phishing pages and fraudulent services into unsuspecting websites, with search engines doing the rest.

****Hijacked Sites, Invisible Links, Manipulated Results****

Instead of defacing websites or stealing data, attackers using Hacklink insert invisible code into the source of compromised sites. These links are designed to match keywords searched by users, especially in the gambling, pharmaceutical, and adult content sectors. When someone searches for a related term, the attacker’s sites show up high in the results, often outranking legitimate businesses.

The content is prepared to be hidden from everyday users but fully visible to search engine crawlers. By doing this, the attacker piggybacks on the reputation of the compromised site, especially those ending in .gov, .edu, or popular country code domains. This tactic tricks search algorithms into treating scam sites as credible, giving them an increase in visibility.

****Hacklink: SEO Fraud as a Service****

Hacklink is an online shop for scammers. Attackers can browse a list of already-compromised domains, select keywords and target URLs, and pay to have their content injected.

According to Netcraft’s report shared with Hackread.com ahead of publishing on Tuesday, prices vary, but listings often start around $1, with premium domains costing more. All of this is done through a web-based control panel, making large-scale manipulation of search rankings accessible to anyone with money and malicious intentions.

In many cases, the website owner remains unaware. Their site looks and functions normally, even as it silently boosts fraudulent sites selling fake products, redirecting to phishing pages, or spreading malware.

Hacklink Market’s website (Screenshot: Hackread.com)

****Targeting Online Gambling in Turkey****

Netcraft’s report also notes an increase in attacks targeting the online gambling sector in Turkey. Groups like “Neon SEO Academy” and “SEOLink” are offering services to manipulate search rankings for gambling-related keywords. These operators claim access to over 15,000 compromised websites and actively market their offerings through platforms like Telegram and WhatsApp.

These groups offer much more than link injection. Some provide access to admin panels of vulnerable sites, allowing more extensive and long-term control. Others use private blog networks to further boost the legitimacy of malicious links, an approach that mixes pushy SEO tactics with questionable ethics.

****Real-Time Ranking Manipulation****

Researchers also noted that attackers are able to dynamically change the text that appears in search results by adjusting anchor text across their link network. This means they can remotely influence how a compromised site appears in Google’s results, even without full control of that site.

In more advanced setups, this method can even take search users to phishing pages or cloned versions of real websites. Users who think they’re visiting a trusted service may be entering passwords or payment information into a trap.

Screenshot shows the compromised website of the LifeBridge Christian Church – Colorado, United States

While online gambling is the most visible victim today, this method could be applied to almost any industry that relies on search engine visibility, including banking, healthcare, crypto trading, and charitable fundraising. The tactic targets both user trust and brand integrity, making it difficult for victims to even detect the problem.

****What To Do?****

Organizations should security admin panels, apply patches, and monitor file changes regularly. But awareness is just as important. SEO poisoning isn’t just a search engine problem, it’s a growing part of the cybercrime economy.

Site owners should review how their domains appear in search results, audit for unauthorized outbound links, and monitor their domain’s reputation. If suspicious links are detected, use disavow tools and report abuse to search engines promptly.

For users, verify URLs carefully, especially when dealing with financial transactions or personal information. And when in doubt, go directly to a known domain rather than trusting search engine links alone.

And most importantly, follow Hackread.com for more cybersecurity-related news and security tips!

Hacklink Market Linked to SEO Poisoning Attacks in Google Results

Consider this: Berkshire Hathaway, Warren Buffett’s $700 billion conglomerate, operates one of the most influential investor websites on…

Consider this: Berkshire Hathaway, Warren Buffett’s $700 billion conglomerate, operates one of the most influential investor websites on the planet, utilizing HTML that predates YouTube, employing table-based layouts and single-color backgrounds that Buffett personally insists on keeping “simple.”

Craigslist processes over 2 billion page views monthly through an interface that hasn’t changed since 2000, deliberately rejecting modern design because founder Craig Newmark believes complexity reduces functionality. Meanwhile, IRS.gov receives 1.4 billion visits annually during tax season through a navigation system so convoluted that TurboTax built a $3 billion business simply by making tax filing less painful.

Healthcare.gov’s initial launch disaster in 2013, where a $400 million website could handle only six users simultaneously, still echoes in government procurement today. The UK’s Gov.uk, conversely, became a global model by ruthlessly prioritizing user needs over departmental politics, saving an estimated £4.1 billion annually through better digital design.

These contrasts reveal a fundamental truth: interface design isn’t cosmetic, it’s economic infrastructure that can make or break trillion-dollar markets.

The Rapid Rebuild Hackathon 2025, organized by Hackathon Raptors, challenged developers to tackle exactly these kinds of functional but frustrating digital experiences. Over 72 hours, twelve teams transformed everything from Berkshire Hathaway’s deliberately minimalist investor portal to revolutionary reimaginings of system-level BIOS interfaces, proving that sometimes the most impactful innovation comes not from building something new, but from fixing what already works, just barely.

****The Art of Digital Resurrection****

“The most impactful solutions don’t always come from building something entirely new,” explains the hackathon’s core philosophy. “Sometimes breakthrough innovation emerges from reimagining what already exists, using modern tools to transform crucial but neglected digital spaces.”

This approach proved prescient when examining the winning submissions. BIOSage, the grand prize winner, didn’t just modernize a website, it completely reimagined how users interact with system-level interfaces. The project integrated a locally hosted LLaMA 3.2 language model to provide offline diagnostics, transforming the traditionally static BIOS experience into an intelligent, multilingual system assistant.

“What sets BIOSage apart is its recognition that even the most fundamental computing interfaces can benefit from modern AI integration,” notes Anand Singh, Technical Lead at Meta and hackathon judge.

Singh’s extensive background in embedded systems and wireless communications, including work on OpenRAN and high-altitude platform systems, provided a unique perspective on the technical challenges of bringing AI to firmware-level interfaces.

Singh’s experience with low-power IoT networks and embedded optimization proved particularly relevant when evaluating BIOSage’s achievement in running complex language models locally without compromising system performance.

“The ability to provide intelligent diagnostics without internet connectivity addresses a critical gap in system administration,” he observed. “This isn’t just a UI improvement, it’s a fundamental advancement in how we approach system-level troubleshooting.”

****Quality Assurance in Rapid Development****

The compressed 72-hour timeline presented unique challenges for maintaining code quality while pushing innovation boundaries. This tension between speed and reliability became a crucial evaluation criterion, drawing heavily on the expertise of Yulia Drogunova, Senior QA Engineer at Raiffeisen Bank.

With over eight years of experience building effective testing processes for major financial institutions, including Raiffeisen Bank and VTB Bank, and her work with international companies such as Luxoft and Lineate, Drogunova brought a critical perspective to evaluating how teams managed quality under extreme time pressure.

“The most impressive projects weren’t just those with flashy features,” Drogunova explained during the evaluation process. “They were the ones that implemented proper testing methodologies even within hackathon constraints.”

Her experience implementing automated tests into CI/CD processes, which has increased development speed and reduced defects in production banking applications, informed her assessment of how teams structured their rapid development cycles.

Drogunova particularly highlighted the Smart Builders team’s approach to their Hacker News reimagining. “They demonstrated an understanding that accessibility testing isn’t an afterthought, it’s integral to the development process,” she noted, referencing their implementation of voice reader capabilities and keyboard navigation. This aligned with her experience in ensuring mobile banking applications meet accessibility standards across diverse user needs.

The winning projects consistently showed evidence of systematic testing approaches. Refreshify, the second-place winner, implemented comprehensive error handling for its AI-powered website transformation engine.

“Sanjay Sah’s team understood that when you’re processing arbitrary URLs and generating real-time previews, robust error handling isn’t optional,” Drogunova observed. Her background in both manual and automated testing for web-based applications informed her appreciation for the defensive programming techniques employed.

****Frontend Architecture Under Pressure****

The hackathon’s focus on user experience transformation highlighted the critical role of frontend architecture in delivering compelling user interfaces rapidly. Vladislav Krushenitskii, a senior front-end developer with over a decade of experience spanning complex management systems and international client projects, evaluated how teams leveraged modern frameworks to achieve maximum impact in the shortest time possible.

Krushenitskii’s background with the Russian Hack Team, a network of 30 elite developers known for exceptional hackathon performance, provided valuable context for assessing rapid development strategies. His experience implementing micro-frontend architectures at EPAM Systems and reducing page load times by 30% through optimized React and Redux implementations informed his evaluation criteria.

“The most successful teams understood that hackathon development isn’t about shortcuts, it’s about intelligent architectural decisions,” Krushenitskii explained. His assessment focused particularly on how teams balanced feature richness with maintainable code structure.

The Delbyte team’s BetterShire Hathaway project caught his attention for its thoughtful component architecture. “They implemented a modular design system that could scale beyond the hackathon scope,” he noted, drawing parallels to his work developing sophisticated management systems with complex components like dynamic trees and filters. “The subsidiary showcase section demonstrated an advanced understanding of data presentation patterns that I’ve seen take weeks to perfect in commercial projects.”

Krushenitskii’s experience with React Native and cross-platform development proved relevant when evaluating mobile-first approaches. Several teams, including the WhaleMatch redesign, implemented responsive design patterns that he recognized from his work on cinema and startup interfaces for clients in the USA and Norway.

“The teams that truly understood modern web development didn’t just make things look better, they fundamentally improved how information flows through the interface,” he observed.

****The Innovation Spectrum: From Extensions to Complete Rebuilds****

The diversity of technical approaches reflected different philosophies about innovation and user experience improvement. Projects ranged from browser extensions enhancing existing platforms to complete ground-up rebuilds, each presenting unique technical challenges and user experience opportunities.

The ReStyle Chrome extension demonstrated how targeted interventions could transform user experiences without requiring comprehensive platform rebuilds. BuildWithKT.dev’s approach to enhancing Stack Overflow’s interface through real-time theme customization showed a sophisticated understanding of browser extension architecture while addressing genuine usability concerns.

At the opposite end of the spectrum, Level One’s Battle City Remastered represented a complete reconstruction of a classic gaming experience using pure Python and Pygame. The technical achievement of recreating complex game mechanics in just 72 hours showcased the team’s deep understanding of game development principles and efficient coding practices.

****Lessons in Scalable Innovation****

The hackathon results revealed consistent patterns among successful projects that extend beyond hackathon contexts into broader software development practices. Teams that achieved top rankings demonstrated several key characteristics that align with industry best practices for rapid innovation.

**Constraint-Driven Creativity**: The most innovative solutions emerged from teams that embraced technical limitations as creative catalysts rather than obstacles. BIOSage’s offline AI diagnostics capability, for instance, turned the constraint of no internet connectivity into a competitive advantage for system administration scenarios.

**User-Centered Problem Solving**: Winning teams consistently prioritized genuine user pain points over technical showcasing. The multiple Hacker News reimaginings each addressed specific usability issues, such as navigation complexity, information density, and accessibility barriers, rather than simply applying modern styling to existing interfaces.

**Architectural Thinking**: Even within hackathon timelines, successful teams implemented architectural patterns that could support future development. This forward-thinking approach distinguished projects with genuine commercial potential from purely demonstrative implementations.

****The Future of Digital Modernization****

The Rapid Rebuild concept addresses a pressing industry need as organizations struggle with legacy systems that serve critical functions, despite their outdated interfaces. The hackathon’s results suggest several emerging trends in how developers approach modernization challenges.

AI integration emerged as a transformative factor, with multiple projects incorporating intelligent features to enhance user experiences. Beyond BIOSage’s diagnostic capabilities, projects like HackerNews-Revamped integrated AI chatbots could discuss articles from the content’s perspective, demonstrating how artificial intelligence can add contextual value to information consumption.

Accessibility considerations became central rather than peripheral to design decisions. Teams consistently implemented features like voice navigation, customizable themes, and keyboard shortcuts as core functionality rather than afterthoughts. This shift reflects growing industry recognition that inclusive design benefits all users while expanding market reach.

The hybrid approach of extension-based enhancements alongside complete rebuilds suggests a pragmatic evolution in how organizations might approach legacy system modernization. Rather than requiring wholesale replacement, targeted improvements through browser extensions or API layers can provide immediate benefits to the user experience while maintaining the underlying system’s stability.

****Implications for Industry Practice****

The 72-hour timeframe compressed typical development cycles while maintaining quality standards, offering insights into rapid innovation methodologies. The most successful teams implemented practices that mirror emerging industry trends toward accelerated development cycles and continuous improvement.

Cross-disciplinary collaboration proved essential, with winning teams effectively combining frontend development, backend architecture, user experience design, and domain expertise. This integration reflects the industry movement toward full-stack competency and collaborative development practices.

The emphasis on immediate usability over feature completeness aligns with lean development principles and minimum viable product approaches. Teams that focused on solving specific user problems comprehensively outperformed those attempting to recreate entire feature sets superficially.

****Looking Forward****

The Rapid Rebuild Hackathon 2025 demonstrated that innovation often emerges not from creating entirely new solutions but from applying fresh perspectives and modern tools to existing challenges. As the digital landscape continues evolving, the ability to thoughtfully modernize legacy systems while preserving their essential value becomes increasingly critical.

The projects showcased techniques and approaches that extend far beyond hackathon contexts, offering roadmaps for organizations seeking to modernize user experiences without abandoning functional infrastructure. From AI-enhanced system interfaces to accessibility-first redesigns, the innovations demonstrated paths forward for digital transformation that prioritize user needs while respecting technical constraints.

The success of diverse approaches, from targeted browser extensions to complete system rebuilds, suggests that digital modernization isn’t a one-size-fits-all challenge. Instead, it requires careful assessment of user needs, technical constraints, and organizational capabilities to determine the most effective intervention strategy.

Most importantly, the hackathon reinforced that exceptional user experiences don’t require revolutionary technology, they require thoughtful application of existing tools, a deep understanding of user needs, and the courage to reimagine how digital interfaces can better serve their intended purposes. In an era of rapid technological change, the ability to bridge legacy functionality with modern expectations may prove more valuable than any individual technical skill.

Rapid Rebuild Hackathon 2025: When Legacy Meets Innovation

Though its operations are running smoothly, the airline warned customers and employees to exercise caution when sharing personal information online.

Tag

#web