How to remove PylangGhost RAT (Remote Access Trojan)

What kind of malware is PylangGhost?

PylangGhost is a Remote Access Trojan (RAT) written in the Python programming language. This program enables remote access and control over infected devices. The trojan can cause chain infections and steal sensitive information.

PylangGhost is used exclusively by Famous Chollima (also known as Wagemole) – a threat actor (possibly a conglomerate of cyber crime groups) aligned with North Korea. This RAT has been spread through ClickFix scams utilizing job offer lures targeting employees with expertise in cryptocurrencies and blockchain technology. These campaigns have been successfully carried out in India yet are likely worldwide.

PylangGhost malware overview

PylangGhost is designed to allow remote access/control over compromised machines – hence, it is classed as a RAT (Remote Access Trojan). This malware is similar to GolangGhost, a RAT written in Go (Golang) that is spread by the Famous Chollima threat actor through ClickFix scams as well.

It is currently unknown which malware came first. The PylangGhost's configuration module file contains a string noting that it is version 1.0, while an analogous string in GolangGhost indicates it to be the 2.0 version. Also, comments in PylangGhost's code suggest that it might have been rewritten by relying on an LLM (Large Language Model).

The mechanism for a ClickFix scam works by deceiving users into executing a malicious script on their devices. Firstly, the victim's Operating System (OS) needs to be determined. Previous scams targeted Windows, Mac, and Linux OSes; however, the latest campaign did not spread any Linux-compatible malware.

PylangGhost infections were triggered by a PowerShell command that downloads a ZIP archive containing the RAT's modules and a VBScript file. The latter extracts the Python library and executes PylangGhost.

The trojan comprises six modules. This malicious program can ensure persistence by auto-starting upon each system reboot. It can execute various commands received for its C&C (Command and Control) server. PylangGhost gathers relevant device data, such as OS details (version, architecture, etc.), device name, account username, and so forth.

This program can also download and upload files. The latter means that it could cause chain infections (e.g., download/install trojans, ransomware, cryptocurrency miners, etc.). It must be mentioned that malware capable of infiltrating additional malicious content tends to operate within certain specifications or limitations.

PylangGhost can acquire data associated with browsers, such as browsing histories, Internet cookies, auto-fills (e.g., personally identifiable details, usernames, etc.), passwords, credit/debit card numbers, and so on. The RAT can extract data from more than eighty browser extensions, such as those related to cryptocurrency and password management. Known extensions include MetaMask, TronLink, Phantom, Initia, Bitski, MultiversX, 1Password, and NordPass.

It is worth mentioning that malware developers often improve upon their software, tools, and methodologies. Therefore, potential future iterations of PylangGhost could have additional or different functionalities/features.

In summary, the presence of software like PylangGhost on devices can lead to multiple system infections, serious privacy issues, financial losses, and identity theft.

Remote access trojan examples

Sakura, Chaos, NodeSnake, PureHVNC, and ResolverRAT are just some of our latest articles on RATs. Typically, these trojans are highly versatile and capable of causing chain infections. Hence, RATs can be used in different ways, which can lead to various issues.

It must be emphasized that regardless of how malware functions – its presence endangers device integrity and user safety. Therefore, all threats must be removed immediately upon detection.

How did PylangGhost infiltrate my computer?

PylangGhost has been proliferated via ClickFix scams (more information on which is available in our dedicated article). These campaigns utilized lures centered on job offers and interviews.

As of the time of writing, the latest campaign used competently crafted fraudulent companies with management and employee profiles (typically on platforms like LinkedIn). These accounts were used to message victims with experience in cryptocurrency and blockchain-related fields, including software engineers, designers, marketing specialists, etc.

The potential job opportunities (often employing the names of legitimate companies like Coinbase, Uniswap, etc.) lure victims into visiting a deceptive website hosting a relevant questionnaire and experience testing survey.

The final step is a video interview, yet a supposed error with microphone/camera access occurs, and victims are instructed to execute a command on their devices to fix it. Linux users were presented with another error, as the campaign did not proliferate a compatible malware. Executing the PowerShell command initiates PylangGhost's infection chain.

It is noteworthy that this RAT may be spread using different techniques. Phishing and social engineering tactics are standard in malware distribution. Malicious programs are usually disguised as or bundled with regular software/media files. They can be archives, executables, documents, JavaScript, etc.

Malware is primarily proliferated through online scams, malicious attachments or links in spam emails/messages, drive-by downloads, malvertising, suspicious download channels (e.g., unofficial and free file-hosting sites, P2P sharing networks, etc.), illegal software activation tools ("cracks"), and fake updates.

What is more, some malicious programs can self-spread via local networks and removable storage devices (e.g., external hard drives, USB flash drives, etc.).

How to avoid installation of malware?

Caution is essential to device and user safety. Therefore, be vigilant when browsing since the Internet is full of deceptive and malicious content. Treat incoming communications with care; do not open attachments or links found in suspect/irrelevant emails or other messages.

Additionally, download only from official and verified sources. Activate and update programs using functions/tools provided by legitimate companies, as those obtained from third-parties can contain malware.

It is crucial to have a reputable antivirus installed and kept updated. Security software must be used to run regular system scans and to remove threats/issues. If you believe that your computer is already infected, we recommend running a scan with Combo Cleaner Antivirus for Windows to automatically eliminate infiltrated malware.

Screenshots of a ClickFix scam proliferating PylangGhost (image source – Cisco Talos Blog):

Initial page:

Second page:

Third page:

Fourth page:

Instant automatic malware removal:

Manual threat removal might be a lengthy and complicated process that requires advanced IT skills. Combo Cleaner is a professional automatic malware removal tool that is recommended to get rid of malware. Download it by clicking the button below:

By downloading any software listed on this website you agree to our Privacy Policy and Terms of Use. To use full-featured product, you have to purchase a license for Combo Cleaner. 7 days free trial available. Combo Cleaner is owned and operated by RCS LT, the parent company of PCRisk.com.

Quick menu:

• What is PylangGhost?
• STEP 1. Manual removal of PylangGhost malware.
• STEP 2. Check if your computer is clean.

How to remove malware manually?

Manual malware removal is a complicated task - usually it is best to allow antivirus or anti-malware programs to do this automatically. To remove this malware we recommend using Combo Cleaner Antivirus for Windows.

If you wish to remove malware manually, the first step is to identify the name of the malware that you are trying to remove. Here is an example of a suspicious program running on a user's computer:

If you checked the list of programs running on your computer, for example, using task manager, and identified a program that looks suspicious, you should continue with these steps:

Download a program called Autoruns. This program shows auto-start applications, Registry, and file system locations:

Restart your computer into Safe Mode:

Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer start process, press the F8 key on your keyboard multiple times until you see the Windows Advanced Option menu, and then select Safe Mode with Networking from the list.

Video showing how to start Windows 7 in "Safe Mode with Networking":

Windows 8 users: Start Windows 8 is Safe Mode with Networking - Go to Windows 8 Start Screen, type Advanced, in the search results select Settings. Click Advanced startup options, in the opened "General PC Settings" window, select Advanced startup.

Click the "Restart now" button. Your computer will now restart into the "Advanced Startup options menu". Click the "Troubleshoot" button, and then click the "Advanced options" button. In the advanced option screen, click "Startup settings".

Click the "Restart" button. Your PC will restart into the Startup Settings screen. Press F5 to boot in Safe Mode with Networking.

Video showing how to start Windows 8 in "Safe Mode with Networking":

Windows 10 users: Click the Windows logo and select the Power icon. In the opened menu click "Restart" while holding "Shift" button on your keyboard. In the "choose an option" window click on the "Troubleshoot", next select "Advanced options".

In the advanced options menu select "Startup Settings" and click on the "Restart" button. In the following window you should click the "F5" button on your keyboard. This will restart your operating system in safe mode with networking.

Video showing how to start Windows 10 in "Safe Mode with Networking":

Extract the downloaded archive and run the Autoruns.exe file.

In the Autoruns application, click "Options" at the top and uncheck "Hide Empty Locations" and "Hide Windows Entries" options. After this procedure, click the "Refresh" icon.

Check the list provided by the Autoruns application and locate the malware file that you want to eliminate.

You should write down its full path and name. Note that some malware hides process names under legitimate Windows process names. At this stage, it is very important to avoid removing system files. After you locate the suspicious program you wish to remove, right click your mouse over its name and choose "Delete".

After removing the malware through the Autoruns application (this ensures that the malware will not run automatically on the next system startup), you should search for the malware name on your computer. Be sure to enable hidden files and folders before proceeding. If you find the filename of the malware, be sure to remove it.

Reboot your computer in normal mode. Following these steps should remove any malware from your computer. Note that manual threat removal requires advanced computer skills. If you do not have these skills, leave malware removal to antivirus and anti-malware programs.

These steps might not work with advanced malware infections. As always it is best to prevent infection than try to remove malware later. To keep your computer safe, install the latest operating system updates and use antivirus software. To be sure your computer is free of malware infections, we recommend scanning it with Combo Cleaner Antivirus for Windows.

Frequently Asked Questions (FAQ)

My computer is infected with PylangGhost malware, should I format my storage device to get rid of it?

Most likely, no. Malware removal seldom requires such drastic measures.

What are the biggest issues that PylangGhost malware can cause?

Capabilities of the malicious program and the attackers' goals influence the threats posed by the infection. PylangGhost allows the attackers to control devices remotely; it can cause chain infections and steal data. The dangers posed by PylangGhost include multiple system infections, severe privacy issues, financial losses, and identity theft.

What is the purpose of PylangGhost malware?

Malware is primarily used to generate revenue. However, cyber criminals can also use malicious software to amuse themselves, realize personal grudges, disrupt processes (e.g., sites, services, companies, etc.), engage in hacktivism, and launch politically/geopolitically motivated attacks.

How did PylangGhost malware infiltrate my computer?

PylangGhost has been proliferated through job offer themed ClickFix scams. Other disguises and techniques are not unlikely. Generally, malware is commonly spread via online scams, drive-by downloads, spam mail, malvertising, suspicious download sources (e.g., freeware and third-party websites, Peer-to-Peer sharing networks, etc.), illegal software activation tools ("cracks"), and fake updates. What is more, some malicious programs can self-proliferate through local networks and removable storage devices.

Will Combo Cleaner protect me from malware?

Yes, Combo Cleaner is capable of detecting and removing practically all known malware infections. Keep in mind that performing a full system scan is essential since high-end malicious software usually hides deep within systems.