
Lazarus Hackers deceive users into thinking their camera or microphone is disabled in order to deploy the PyLangGhost RAT.

Cybersecurity researchers have recently identified a new social engineering campaign linked to North Korea’s Lazarus Group, which exploits fake camera and microphone errors to manipulate targets into executing malicious scripts. Victims, mainly from the finance and technology sectors, report receiving invitations for remote job interviews or technical assessments that suddenly freeze, displaying messages indicating that their system’s camera or microphone is blocked. Under the pretext of troubleshooting this “error,” unsuspecting users are coerced into running a seemingly harmless command that actually downloads and deploys a sophisticated Python-based remote access trojan known as PyLangGhost RAT. This campaign, referred to as “ClickFix” by the attackers, employs real-time, interactive deception rather than traditional malware delivery methods like phishing emails or drive-by downloads.

The campaign creates a sense of urgency and confusion by manipulating the victim’s browser to show continuous notifications of a “Race Condition in Windows Camera Discovery Cache” or similar issues. Analysts from Any.Run have observed that targets are instructed to paste a multi-part shell command into their terminal or Run dialog to supposedly resolve the hardware error. In reality, this command discreetly downloads a ZIP archive containing a renamed Python interpreter and uses VBScript to initiate the core RAT loader.

PyLangGhost RAT represents an evolution of Lazarus’s toolset, combining legacy tactics with modern scripting languages. Security teams have traced its development to the Famous Chollima subgroup, which previously utilised GoLangGhost RAT. The Python reimplementation offers similar modularity while benefiting from Python’s extensive standard library and ease of obfuscation.

Initial VirusTotal detections for the loader binary were as low as three out of sixty antivirus engines, highlighting the malware’s stealth capabilities. Once executed, the loader spawns a background process, establishes persistence via the Windows registry under the key Software\Microsoft\Windows\CurrentVersion\Run\csshost, and begins polling its command-and-control (C2) server at raw IP 151.243.101.229 over HTTP.
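The two host-observable behaviours described above, a Run-key value named csshost that launches a VBScript loader from a user-writable path, and regular HTTP polling of 151.243.101.229, are what a defender can hunt for. The script below is an added example written for this article, not code from Any.Run or from the malware itself. It parses a constructed `reg query` dump of the HKCU Run key and a constructed set of proxy log lines; the specific file paths, the `run.vbs` launcher name, the client IPs and the proxy log format are assumptions for illustration, while the value name csshost and the C2 address come from the article.

```python
"""Hunt for the PyLangGhost persistence and C2 indicators reported in the article.

Added example, not from the article, Any.Run or the malware. In a real hunt,
replace SAMPLE_REG_QUERY with the output of
  reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
and SAMPLE_PROXY_LOG with your proxy or firewall export.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List
from urllib.parse import urlparse

C2_IP = "151.243.101.229"          # C2 address reported in the article
KNOWN_VALUE_NAMES = {"csshost"}     # Run value name reported in the article

# Constructed sample of `reg query` output: one benign entry and one that mirrors
# the article's description (VBScript launcher in a user-writable path).
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    csshost    REG_SZ    wscript.exe //B "C:\Users\alice\AppData\Local\Temp\csshost\run.vbs"
"""

# Constructed proxy log lines: "<timestamp> <client> <method> <url> <status>".
SAMPLE_PROXY_LOG = """
2025-07-01T10:00:02Z 10.0.0.12 GET http://151.243.101.229/api/check 200
2025-07-01T10:00:05Z 10.0.0.12 GET https://www.microsoft.com/ 200
2025-07-01T10:00:32Z 10.0.0.12 GET http://151.243.101.229/api/check 200
2025-07-01T10:01:02Z 10.0.0.12 GET http://151.243.101.229/api/check 200
2025-07-01T10:01:10Z 10.0.0.40 GET https://example.org/ 200
"""


@dataclass
class Finding:
    name: str
    command: str
    reasons: List[str] = field(default_factory=list)


# One `reg query` value line: "<name>    <REG_TYPE>    <data>" (columns separated by 2+ spaces).
_ENTRY_RE = re.compile(r"^\s+(.+?)\s{2,}(REG_[A-Z_]+)\s{2,}(.*)$")
_USER_WRITABLE = re.compile(r"\\AppData\\(Local\\Temp|Roaming)\\|\\Downloads\\|\\ProgramData\\|\\Public\\", re.I)
_SCRIPT_HOST = re.compile(r"\b(wscript|cscript)(\.exe)?\b|\.vbs\b", re.I)
_PYTHON_LIKE = re.compile(r"\bpython(w)?\b|python3\d*\.dll", re.I)


def hunt_run_key(reg_output: str) -> List[Finding]:
    """Flag Run-key values whose name or command matches the persistence pattern from the article."""
    findings: List[Finding] = []
    for line in reg_output.splitlines():
        m = _ENTRY_RE.match(line)
        if not m:
            continue
        name, _reg_type, command = m.groups()
        reasons = []
        if name.lower() in KNOWN_VALUE_NAMES:
            reasons.append(f"known value name {name}")
        if _SCRIPT_HOST.search(command):
            reasons.append("VBScript launcher")
        if _USER_WRITABLE.search(command):
            reasons.append("binary in user-writable path")
        if _PYTHON_LIKE.search(command):
            reasons.append("Python interpreter or runtime DLL")
        if reasons:
            findings.append(Finding(name, command.strip(), reasons))
    return findings


_PROXY_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def find_c2_beacons(log_text: str, c2_ip: str = C2_IP) -> Dict[str, List[str]]:
    """Group requests whose destination host is the C2 address by client: {client: [timestamps]}."""
    hits: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        m = _PROXY_RE.match(line)
        if not m:
            continue
        ts, client, _method, url, _status = m.groups()
        if urlparse(url).hostname == c2_ip:
            hits.setdefault(client, []).append(ts)
    return hits


def beacon_intervals(timestamps: List[str]) -> List[int]:
    """Seconds between consecutive requests; a near-constant gap is the polling signature."""
    times = [datetime.fromisoformat(t.replace("Z", "+00:00")) for t in timestamps]
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]


if __name__ == "__main__":
    for f in hunt_run_key(SAMPLE_REG_QUERY):
        print(f"[persistence] {f.name}: {f.command}  <- {', '.join(f.reasons)}")
    for client, stamps in find_c2_beacons(SAMPLE_PROXY_LOG).items():
        print(f"[c2] {client} contacted {C2_IP} {len(stamps)}x, intervals {beacon_intervals(stamps)}s")
```

The Run-key check scores on three independent signals (the reported value name, a script-host launcher, and a user-writable install path) so that a renamed value still trips the other two, and the proxy check reports inter-request gaps rather than a bare hit count, since a fixed interval distinguishes a beacon from a one-off connection.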
