PylangGhost
Description
(Talos) As the Golang variant of the RAT is already well-documented, this blog focuses on the Python version and the similarities between the two. The initial stage consists of a command line which the fake webpage tells the unsuspecting user to copy, paste and execute.
The command line uses either PowerShell Invoke-WebRequest or curl to download a ZIP file containing the PylangGhost modules as well as a Visual Basic Script file. This script is responsible for unzipping the Python library stored in the “lib.zip” file and launching the trojan by running a renamed Python interpreter using the file “nvidia.py” as the Python program to run.
Names
Name |
---|
PylangGhost |
Category
Malware
Type
- Backdoor
Information
Other Information
Uuid
8caf0b4c-251a-44e2-a426-8975f2af0817
Last Card Change
2025-06-28