The Lazarus Group, a state-sponsored hacking organization from North Korea, has initiated a sophisticated cyberattack campaign known as ClickFake Interview, specifically targeting individuals in the cryptocurrency industry. This operation employs counterfeit job interview websites to deploy a Go-based backdoor, termed GolangGhost, on both Windows and macOS systems. This campaign signifies an evolution from the previously documented Contagious Interview campaign, highlighting Lazarus’ adaptability and persistent focus on exploiting the cryptocurrency ecosystem.
Background on Lazarus Group
Active since at least 2009, the Lazarus Group has been involved in various cyber espionage and financial operations aimed at supporting North Korea’s missile and nuclear programs. Since 2017, the group has increasingly targeted cryptocurrency entities, utilizing malware, supply chain attacks, trojanized applications, and deceptive job offers to infiltrate systems. In March 2025, Lazarus executed the largest cryptocurrency heist to date, stealing $1.5 billion from Bybit, a UAE-based exchange, underscoring their growing sophistication and threat level.
Details of the ClickFake Interview Campaign
Building upon tactics from the Contagious Interview campaign, which targeted software developers through fake job interviews on platforms like LinkedIn and X (formerly Twitter), the ClickFake Interview campaign introduces more elaborate methods. Attackers lure victims to counterfeit interview websites crafted using ReactJS, featuring dynamic content loaded from JavaScript files to simulate legitimate recruitment processes.
During these fake interviews, victims are prompted to fill out forms, answer cryptocurrency-related questions, and enable their cameras. At a critical juncture, an error message appears, instructing them to download drivers or scripts, thereby initiating the infection chain.
Infection Chain Mechanism
The infection process varies based on the operating system:
– Windows Systems: A Visual Basic Script (VBS) downloads a NodeJS-based payload named nvidia.js, which extracts malicious components into temporary directories. Persistence is established through registry keys, and a batch file silently launches the GolangGhost backdoor.
– macOS Systems: A Bash script called coremedia.sh downloads and extracts malicious files while creating a launch agent plist file for persistence. Before deploying GolangGhost, a stealer named FrostyFerret retrieves system passwords by mimicking Chrome’s user interface.
The GolangGhost implant enables remote control and data theft across both platforms. It can execute shell commands, upload and download files, steal browser data via HackBrowserData, and exfiltrate sensitive information such as system credentials. Communication with command-and-control (C2) servers is encrypted with RC4. The malware ensures only one instance runs at a time by storing unique identifiers in temporary files.
Shift in Targeting Strategy
Analysis of the fake interview websites reveals that Lazarus is now primarily targeting centralized finance (CeFi) entities such as Coinbase, Kraken, Bybit, and Robinhood. This marks a strategic shift from earlier campaigns that focused on decentralized finance (DeFi) platforms. The move aligns with North Korean threat actors’ growing interest in CeFi platforms, which rely on intermediaries for transactions, potentially offering more lucrative opportunities for exploitation.
Additionally, the job roles advertised in these fake interviews are aimed at non-technical profiles, such as managers in business development or asset management. These individuals are less likely to detect malicious activity during interviews, making them more susceptible to the attack.
Detection and Mitigation Strategies
The infection chain relies heavily on the sequential execution of commands within short time frames. Rather than alerting on any single step, detection opportunities lie in correlating the sequence (for example, script interpreter, then NodeJS payload, then batch or launch agent persistence) on one host within a short window, which is what Sigma correlation rules are designed to express. Organizations should implement robust security measures, including:
– Employee Training: Educate staff about the risks of unsolicited job offers and the importance of verifying the authenticity of recruitment processes.
– Endpoint Protection: Deploy advanced endpoint detection and response (EDR) solutions to identify and mitigate suspicious activities.
– Regular Updates: Ensure all systems are up-to-date with the latest security patches to protect against known vulnerabilities.
– Network Monitoring: Implement continuous network monitoring to detect and respond to unusual traffic patterns indicative of data exfiltration or communication with C2 servers.
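The following is an added example, not code from the original article or from any vendor, showing what the sequential-execution detection described above looks like in practice for both the Windows and the macOS chain. It implements the correlation logic of a Sigma-style rule in plain Python and runs it over constructed process-creation and file-creation events. The pipe-delimited log format, the host names, the one-minute window and the file names other than nvidia.js and coremedia.sh (the .vbs lure, the .bat launcher, the plist name) are assumptions made for the example.

```python
"""Correlation detector for the ClickFake Interview infection chains.

Added example, not code from the original article or from any vendor. It
mimics what a Sigma correlation rule would express, implemented in plain
Python so it can run over exported process/file-creation events.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the article only says the chain runs "within short time
# frames"; one minute is a placeholder window to tune against real telemetry.
WINDOW = timedelta(seconds=60)

# Each chain is an ordered list of (stage name, predicate on one event).
WINDOWS_CHAIN = [
    ("vbs_launch", lambda e: e["image"].lower().endswith(("wscript.exe", "cscript.exe"))
                             and ".vbs" in e["cmdline"].lower()),
    ("node_payload", lambda e: e["image"].lower().endswith("node.exe")
                               and ".js" in e["cmdline"].lower()),
    ("batch_launch", lambda e: e["image"].lower().endswith("cmd.exe")
                               and ".bat" in e["cmdline"].lower()),
]
MACOS_CHAIN = [
    ("shell_script", lambda e: e["image"].rsplit("/", 1)[-1] in ("bash", "sh", "zsh")
                               and ".sh" in e["cmdline"]),
    ("launch_agent", lambda e: e["event"] == "file_create"
                               and "/Library/LaunchAgents/" in e["target"]
                               and e["target"].endswith(".plist")),
]

# Constructed sample telemetry (not real logs): ts|host|event|image|cmdline|target
# WS-01 and MAC-01 show the full chains; WS-02 is a developer running node.js
# normally; WS-03 runs a VBS and node.js 30 minutes apart (outside the window).
SAMPLE_LOG = r"""
2025-04-01T10:00:01Z|WS-01|process_create|C:\Windows\System32\wscript.exe|wscript.exe C:\Users\alice\Downloads\camera_driver_fix.vbs|
2025-04-01T10:00:04Z|WS-01|process_create|C:\Program Files\nodejs\node.exe|node.exe C:\Users\alice\AppData\Local\Temp\nvidia.js|
2025-04-01T10:00:09Z|WS-01|process_create|C:\Windows\System32\cmd.exe|cmd.exe /c C:\Users\alice\AppData\Local\Temp\launch.bat|
2025-04-01T10:05:00Z|WS-02|process_create|C:\Program Files\nodejs\node.exe|node.exe C:\dev\webapp\server.js|
2025-04-01T09:00:00Z|WS-03|process_create|C:\Windows\System32\wscript.exe|wscript.exe C:\Users\bob\Desktop\inventory.vbs|
2025-04-01T09:30:00Z|WS-03|process_create|C:\Program Files\nodejs\node.exe|node.exe C:\dev\tools\build.js|
2025-04-01T10:10:00Z|MAC-01|process_create|/bin/bash|bash /Users/alice/Downloads/coremedia.sh|
2025-04-01T10:10:03Z|MAC-01|file_create|||/Users/alice/Library/LaunchAgents/com.example.agent.plist
""".strip()


def parse_events(text):
    """Turn the pipe-delimited sample format into event dicts."""
    events = []
    for line in text.splitlines():
        ts, host, event, image, cmdline, target = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "host": host, "event": event,
            "image": image, "cmdline": cmdline, "target": target,
        })
    return events


def correlate(events, platform, chain, window=WINDOW):
    """Alert for each host on which every stage of `chain` occurred in order,
    with the last stage no more than `window` after the first."""
    alerts = []
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        matched = []  # (stage name, event) pairs matched so far, in order
        for e in evs:
            # A partial match that aged out of the window is discarded.
            if matched and e["ts"] - matched[0][1]["ts"] > window:
                matched = []
            stage_name, pred = chain[len(matched)]
            if pred(e):
                matched.append((stage_name, e))
            elif chain[0][1](e):
                matched = [(chain[0][0], e)]  # restart from a fresh first stage
            if len(matched) == len(chain):
                alerts.append({"platform": platform, "host": host,
                               "chain": [s for s, _ in matched],
                               "start": matched[0][1]["ts"],
                               "end": matched[-1][1]["ts"]})
                matched = []
    return alerts


def detect(events):
    """Run both platform chains over one event list."""
    return (correlate(events, "windows", WINDOWS_CHAIN)
            + correlate(events, "macos", MACOS_CHAIN))


def run_sample():
    """Detect over the constructed telemetry; returns the alert list."""
    return detect(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for a in run_sample():
        span = (a["end"] - a["start"]).total_seconds()
        print(f"[{a['platform']}] {a['host']}: {' -> '.join(a['chain'])} ({span:.0f}s)")
```

The design point is that none of the individual stages is suspicious on its own (developers run node.js, administrators run .vbs and .bat files, many installers write LaunchAgents), so WS-02 and WS-03 produce no alert while the two hosts where the stages occur in order within the window do. In a real deployment the predicates would be fed from EDR process and file telemetry and the window tuned to observed dwell times.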
Conclusion
The Lazarus Group’s ClickFake Interview campaign underscores the evolving nature of cyber threats targeting the cryptocurrency sector. By leveraging sophisticated social engineering tactics and cross-platform malware, Lazarus continues to pose a significant risk to individuals and organizations within this industry. Vigilance, comprehensive security protocols, and ongoing education are essential to mitigate the risks associated with such advanced persistent threats.