ClickFake
Lazarus
Lazarus group intensifies its attacks with the ClickFake Interview campaign, tar...
The Lazarus Group, a state-sponsored threat actor linked to North Korea’s Reconnaissance General Bureau (RGB), has long targeted the cryptocurrency industry to fund its regime. Recent findings from Sekoia's Threat Detection and Response (TDR) investigations have revealed a new campaign, "ClickFake Interview," which uses fake job interview websites to deploy sophisticated malware, namely **GolangGhost** and **FrostyFerret**. This article unpacks the entire campaign, its technical methodologies, and how it marks a significant evolution in Lazarus' tactics.
### **A Persistent Threat to Cryptocurrencies**
#### **Who is Lazarus?**
Lazarus is one of the most notorious cyber threat groups globally, attributed to North Korea’s intelligence apparatus. The group has been active since at least 2009, specializing in espionage, financial theft, and cyber warfare, focusing on the cryptocurrency ecosystem since 2017. Lazarus uses cybercrime to bypass international sanctions, supporting North Korea's missile and nuclear programs.
#### **Lazarus and Cryptocurrency**
Lazarus' shift toward cryptocurrency theft has been well-documented. In 2024 alone, the group was responsible for over $1.3 billion in stolen funds from cryptocurrency platforms, marking a drastic increase in its targeting of centralized financial platforms (CeFi) over decentralized finance (DeFi). This trend signifies Lazarus’ evolving tactics and expanding focus.
### **ClickFake Interview**
#### **Emergence of ClickFake Interview**
In 2025, Sekoia’s TDR team identified **ClickFake Interview**, a sophisticated campaign by Lazarus that targets job seekers in the cryptocurrency industry. Lazarus deploys malware that facilitates remote access and data exfiltration by exploiting fake job interview websites.
##### **Comparison with Previous Campaigns**
Before ClickFake Interview, Lazarus operated under campaigns like **Contagious Interview** and **Operation Dream Job**, targeting software developers and engineers through fake job offers. While these campaigns used similar social engineering tactics, ClickFake Interview leverages a more refined attack method, with distinct technical differences.
### **How the ClickFake Interview Campaign Works**
#### **Fake Job Interview Websites**
The ClickFake Interview campaign begins with the targeting of individuals via social media, where they are invited to participate in a job interview through a fake website. These websites mimic legitimate job platforms and use **ReactJS** to dynamically load interview content, creating the illusion of a professional recruitment process.
#### **Steps in the Attack Process**
1. **Job Application Process**:
- The victim fills out a contact form and answers cryptocurrency-related questions.
- The victim is prompted to record an introductory video using their webcam.
2. **Camera Access Exploit: The ClickFix Tactic**
- When the victim attempts to use their camera, an error message directs them to download specific drivers to resolve the issue.
- The **ClickFix tactic** is employed here, where the victim is tricked into running malicious scripts under the guise of a camera driver update.
##### **The Infection Chains for Different Operating Systems**
- **Windows**: A VBS script downloads and executes a **NodeJS**-based GolangGhost backdoor.
- **macOS**: A Bash script downloads and extracts malicious components, including **FrostyFerret**, which steals system passwords before deploying **GolangGhost**.
### **GolangGhost Backdoor: A Multi-Platform Threat**
#### **What is GolangGhost?**
**GolangGhost** is an interpreted Go-based backdoor used by Lazarus for remote control and data theft. It can exfiltrate browsing data, including credentials and cryptocurrency wallets. GolangGhost supports a variety of commands, such as uploading and downloading files, executing shell commands, and gathering Chrome browser data.
#### **How GolangGhost Works**
- **Windows Infection**: GolangGhost is installed via a batch file that launches a decoy progress bar before executing the final backdoor payload. The malware communicates with a command-and-control (C2) server to receive further instructions.
- **macOS Infection**: On macOS, the malware is delivered through a shell script that downloads a ZIP archive and runs **GolangGhost** alongside **FrostyFerret**, which helps steal the system password and browse information.
### **A Key Component in the Infection Chain**
#### **What is FrostyFerret?**
**FrostyFerret** is a credential stealer that targets macOS systems. When executed, it presents a fake UI prompting the victim for their system password. Regardless of whether the password is entered correctly, the malware exfiltrates the password to an external Dropbox location.
#### **Behavior of FrostyFerret**
- **Password Exfiltration**: Once the victim enters their password, FrostyFerret sends it to a remote server.
- **Accessing Keychain Data**: This malware might also be used to access the user’s keychain for further credential harvesting.
### **Targets of ClickFake Interview: Centralized Finance (CeFi)**
#### **Why CeFi is Targeted**
Lazarus has shifted its focus from DeFi to **centralized finance (CeFi)** platforms, which act as intermediaries for cryptocurrency transactions. CeFi platforms like **Coinbase**, **Kraken**, **Bybit**, and **BlockFi** are prime targets due to their central control over user funds and transactions.
#### **Profile of Victims**
Unlike previous campaigns targeting software developers and engineers, the ClickFake Interview campaign has expanded its scope to include **non-technical profiles**, such as business development managers, asset managers, and decentralized finance specialists. This shift in targeting indicates a new strategy aimed at less technically savvy individuals, who are less likely to detect the malicious commands.
### **Detection and Hunting Opportunities**
#### **ClickFix and Its Detection Challenges**
The **ClickFix** tactic has evolved, making detection more difficult. However, security professionals can track suspicious activity by correlating behaviors such as **curl.exe**, **PowerShell**, and **wscript.exe** actions in quick succession. Custom detection rules can be created using tools like **Sigma** to identify these activities within a short time frame.
##### **Detection Using Sigma**
Detection rules can correlate actions involving:
- **curl.exe** used for downloading files
- **PowerShell** for extracting archives
- **wscript.exe** for executing scripts
#### **Advanced Detection Using SOL**
Another advanced method for detecting ClickFake activities involves using **Sekoia’s Operating Language (SOL)**, which allows security analysts to hunt for specific indicators like **curl** commands and **wscript** execution within a set time frame.
### **Indicators of Compromise (IoCs)**
#### **Network Indicators**
- Malicious domains such as **vid-crypto-assess[.]com** and **blockassess[.]com**
- Staging C2 servers like **api.camdriverhub[.]cloud**
#### **File Hashes and Malware Indicators**
- **GolangGhost** and **FrostyFerret** file hashes
- Windows and macOS malware hashes indicating the presence of backdoors and credential stealers
#### **YARA Rules for Detection**
Sekoia provides a series of **YARA rules** to detect malicious files and scripts associated with the ClickFake Interview campaign. These rules help security teams identify GolangGhost backdoors and other malicious components in the malware chain.
