216.73.217.24

From Contagious to ClickFake Interview: Lazarus leveraging the ClickFix tactic

· Published 01/04/2025 14:59 · Modified 01/04/2025 15:31

Export JSON

Essential information

Published
01/04/2025 14:59
Modified
01/04/2025 15:31
Tags
2025-04-01 backdoor cefi clickfix cryptocurrency frostyferret golangghost job interviews north korea
Related entities
86 observables, 1 intrusion sets (apt), 14 techniques (mitre), 2 malware, 2 others

Description

Lazarus, a North Korean state-sponsored threat actor, has launched a new campaign called ClickFake Interview targeting job seekers. This campaign, an evolution of the previously documented Contagious Interview, uses fake job interview websites to deploy the on Windows and macOS systems. The infection chain leverages the tactic, downloading and executing malicious payloads during the interview process. The campaign primarily targets centralized finance () entities, aligning with Lazarus' focus on -related targets. Notable changes include targeting non-technical roles and using ReactJS-based websites for the fake interviews. The malware provides remote control and data theft capabilities, including browser information exfiltration.

External references