From Contagious to ClickFake Interview: Lazarus leveraging the ClickFix tactic

In February 2025, the Bybit cryptocurrency exchange was compromised by the Lazarus group, which stole roughly $1.5 billion in one of the largest crypto heists on record. The incident fits a broader pattern of DPRK-affiliated intrusions into cryptocurrency platforms that fund the regime's military programs. The campaign described here, dubbed ClickFake Interview, uses fake job offers to lure candidates into a bogus video-interview site and, through the ClickFix tactic, into running a supplied command that installs malware on their own machine. The key malware components are GolangGhost and FrostyFerret, and the targeting has shifted toward centralized finance (CeFi) entities. Affected: Bybit, cryptocurrency exchanges, centralized finance sector

Key points:

  • The Lazarus group stole roughly $1.5 billion from Bybit.
  • This incident is part of a pattern of North Korean cyber operations to finance military projects.
  • ClickFake Interview campaign targets job seekers with fake job offers.
  • The infection chains differ by platform: a VBS-based chain on Windows and a Bash-based chain on macOS.
  • Utilizes malware such as GolangGhost and FrostyFerret for data theft.
  • The campaign shows a shift in target focus from decentralized finance to centralized finance entities.
  • Fake job offers are designed to attract non-technical profiles.
  • The intrusion set keeps adapting its lure and delivery tactics (here, adopting ClickFix) to stay ahead of detection.

MITRE Techniques:

  • T1059 – Command and Scripting Interpreter: execution via VBS on Windows and Bash on macOS to install the malware.
  • T1071 – Application Layer Protocol: HTTP used for communication with the command and control (C2) server.
  • T1105 – Ingress Tool Transfer (formerly Remote File Copy): malicious scripts and payloads downloaded from attacker-controlled servers.
  • T1027 – Obfuscated Files or Information: minified JavaScript files used to deliver the malicious content.
  • T1016 – System Network Configuration Discovery: collection of network configuration details from the compromised host (this technique covers host reconnaissance, not target selection).

Indicators of Compromise:

  • [Domain] vid-crypto-assess[.]com
  • [Domain] assessiohq[.]com
  • [IP Address] 38.134.148[.]218
  • [Hash] 0cbbf7b2b15b561d47e927c37f6e9339fe418badf49fa5f6fc5c49f0dc981100 (GolangGhost for Windows)
  • [Hash] 3fec701b5e8486081c7062590f4ff947fcf51246cb067f951e90eb43dad930b4 (mediadriver.sh for macOS)
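The indicators above are published defanged, so they have to be refanged and anchored before they can be matched against telemetry. The following Python script is an added example (not code from the original post or from Sekoia) that loads the page's IOCs, refangs them, and scans constructed DNS, proxy and EDR log lines; the log lines, hostnames and client IPs are made up for illustration, and the anchoring rules are this example's own choices (a listed domain also matches its subdomains, but an IP or hash embedded in a longer token is ignored).

```python
import re
from typing import Dict, List, Tuple

# Indicators listed on this page, kept defanged exactly as published.
IOCS_DEFANGED: Dict[str, List[str]] = {
    "domain": ["vid-crypto-assess[.]com", "assessiohq[.]com"],
    "ip": ["38.134.148[.]218"],
    "sha256": [
        "0cbbf7b2b15b561d47e927c37f6e9339fe418badf49fa5f6fc5c49f0dc981100",
        "3fec701b5e8486081c7062590f4ff947fcf51246cb067f951e90eb43dad930b4",
    ],
}


def refang(ioc: str) -> str:
    """Undo the common defanging conventions so the indicator can be matched."""
    return ioc.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def compile_matchers(iocs: Dict[str, List[str]]) -> List[Tuple[str, str, re.Pattern]]:
    """Build one anchored, case-insensitive regex per indicator.

    Anchors are chosen per type so that:
      - a domain also matches its subdomains (cdn.assessiohq.com) but not a
        look-alike such as notassessiohq.com or assessiohq.com.example.net;
      - an IP does not match when embedded in a longer dotted quad;
      - a SHA-256 matches only as a whole 64-character hex token.
    """
    matchers = []
    for kind, values in iocs.items():
        for value in values:
            plain = refang(value)
            literal = re.escape(plain)
            if kind == "domain":
                pattern = rf"(?<![\w-]){literal}(?![\w.-])"
            elif kind == "ip":
                pattern = rf"(?<![\d.]){literal}(?![\d.])"
            else:  # sha256
                pattern = rf"(?<![0-9a-fA-F]){literal}(?![0-9a-fA-F])"
            matchers.append((kind, plain, re.compile(pattern, re.IGNORECASE)))
    return matchers


def scan_logs(lines: List[str], iocs: Dict[str, List[str]] = IOCS_DEFANGED) -> List[Tuple[int, str, str]]:
    """Return (line_number, ioc_type, indicator) for every line that hits an IOC."""
    matchers = compile_matchers(iocs)
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for kind, value, rx in matchers:
            if rx.search(line):
                hits.append((lineno, kind, value))
    return hits


# Constructed sample telemetry (hypothetical, not real logs): DNS, proxy and EDR events.
SAMPLE_LOGS = [
    "2025-03-20T10:01:02Z dns client=10.0.0.15 query=vid-crypto-assess.com type=A",
    "2025-03-20T10:01:03Z proxy client=10.0.0.15 url=http://38.134.148.218/ status=200",
    "2025-03-20T10:01:05Z edr host=WS-042 event=file_create path=C:\\Users\\j\\AppData\\Local\\Temp\\x.exe "
    "sha256=0CBBF7B2B15B561D47E927C37F6E9339FE418BADF49FA5F6FC5C49F0DC981100",
    "2025-03-20T10:02:00Z dns client=10.0.0.22 query=notassessiohq.com type=A",
    "2025-03-20T10:02:01Z dns client=10.0.0.22 query=cdn.assessiohq.com type=A",
    "2025-03-20T10:02:02Z proxy client=10.0.0.22 url=http://138.134.148.218/index.html status=200",
]

if __name__ == "__main__":
    # Expected: hits on lines 1, 2, 3 and 5; lines 4 and 6 are look-alikes and stay silent.
    for lineno, kind, value in scan_logs(SAMPLE_LOGS):
        print(f"line {lineno}: {kind} {value}")
```

The hash comparison is case-insensitive because EDR products disagree on hex casing, and the subdomain rule is deliberate: an adversary-controlled apex domain makes every host under it suspicious, whereas a prefix match on the IP or hash would produce false positives.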


Full Story: https://blog.sekoia.io/clickfake-interview-campaign-by-lazarus/