From Contagious to ClickFake Interview: Lazarus leveraging the ClickFix tactic
Essential information
- Published
- 01/04/2025 14:59
- Modified
- 01/04/2025 15:31
- Tags
- 2025-04-01 backdoor cefi clickfix cryptocurrency frostyferret golangghost job interviews north korea
- Related entities
- 86 observables, 1 intrusion sets (apt), 14 techniques (mitre), 2 malware, 2 others
Description
Lazarus, a North Korean state-sponsored threat actor, has launched a new campaign called ClickFake Interview targeting cryptocurrency job seekers. This campaign, an evolution of the previously documented Contagious Interview, uses fake job interview websites to deploy the GolangGhost backdoor on Windows and macOS systems. The infection chain leverages the ClickFix tactic, downloading and executing malicious payloads during the interview process. The campaign primarily targets centralized finance (CeFi) entities, aligning with Lazarus' focus on cryptocurrency-related targets. Notable changes include targeting non-technical roles and using ReactJS-based websites for the fake interviews. The malware provides remote control and data theft capabilities, including browser information exfiltration.