ClickFake Interview - Lazarus Hackers Exploit Windows & macOS Users Fake Job Campaign

The ClickFake Interview campaign builds upon the tactics of Contagious Interview, which targeted software developers via fake job interviews conducted on platforms like LinkedIn or X (formerly Twitter). The Lazarus Group, a North Korean state-sponsored hacking collective, has launched a new campaign dubbed ClickFake Interview, targeting job seekers in the cryptocurrency industry. Analysis of fake interview websites revealed that Lazarus primarily targets centralized finance (CeFi) entities like Coinbase, Kraken, Bybit, and Robinhood. The campaign represents an evolution of the previously documented Contagious Interview campaign, showcasing Lazarus’ adaptability and persistent focus on exploiting the cryptocurrency ecosystem. Since 2017, the group has increasingly targeted cryptocurrency entities, leveraging malware, supply chain attacks, trojanized applications, and fake job offers. The ClickFake Interview campaign underscores Lazarus’ adaptability and sophistication in targeting cryptocurrency entities. By leveraging fake job offers and evolving tactics like ClickFix, the group continues to pose significant threats to centralized finance platforms globally. This malicious operation uses fake job interview websites to deploy a Go-based backdoor, known as GolangGhost, on both Windows and macOS systems. In this new campaign, attackers lure victims to fake interview websites crafted using ReactJS. Additionally, job roles advertised in these fake interviews target non-technical profiles such as managers in business development or asset management individuals less likely to detect malicious activity during interviews. Lazarus has been active since at least 2009, conducting cyber espionage and financial operations to support North Korea’s missile and nuclear programs. In March 2025, Lazarus executed the largest crypto heist in history, stealing $1.5 billion from Bybit, a UAE-based exchange—an attack that highlights its growing sophistication. Its focus on non-technical employees suggests a strategic pivot aimed at exploiting less vigilant targets while maintaining its overarching goal of financial gain for North Korea. Unlike earlier campaigns focused on decentralized finance (DeFi), this shift aligns with DPRK threat actors’ growing interest in CeFi platforms due to their reliance on intermediaries for transactions. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis.

This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 31 Mar 2025 12:10:22 +0000


Cyber News related to ClickFake Interview - Lazarus Hackers Exploit Windows & macOS Users Fake Job Campaign

ClickFake Interview - Lazarus Hackers Exploit Windows & macOS Users Fake Job Campaign - The ClickFake Interview campaign builds upon the tactics of Contagious Interview, which targeted software developers via fake job interviews conducted on platforms like LinkedIn or X (formerly Twitter). The Lazarus Group, a North Korean ...
2 months ago Cybersecuritynews.com Lazarus Group
North Korean hackers adopt ClickFix attacks to target crypto firms - Sekoia says that Lazarus impersonates numerous well-known companies in the latest campaign, including Coinbase, KuCoin, Kraken, Circle, Securitize, BlockFi, Tether, Robinhood, and Bybit, from which the North Korean threat actors recently stole a ...
2 months ago Bleepingcomputer.com
CVE-2021-36845 - Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities in YITH Maintenance Mode (WordPress plugin) versions < 1.3.8, there are 46 vulnerable parameters that were missed by the vendor while patching the 1.3.7 version to 1.3.8. ...
3 years ago
Lazarus hackers drop new RAT malware using 2-year-old Log4j bug - The new malware are two remote access trojans named NineRAT and DLRAT and a malware downloader named BottomLoader. The D programming language is rarely seen in cybercrime operations, so Lazarus probably chose it for new malware development to evade ...
1 year ago Bleepingcomputer.com
North Korean hackers exploit critical TeamCity flaw to breach networks - Microsoft says that the North Korean Lazarus and Andariel hacking groups are exploiting the CVE-2023-42793 flaw in TeamCity servers to deploy backdoor malware, likely to conduct software supply chain attacks. In September, TeamCity fixed a critical ...
1 year ago Bleepingcomputer.com CVE-2023-42793 Andariel
Feds Seize 'Sinbad' Crypto Mixer Used by North Korea's Lazarus - In its continued efforts to crack down on North Korea's most formidable state-sponsored threat group, the US government has seized a virtual currency mixer that has been serving as the principal way the group launders money stolen from its ...
1 year ago Darkreading.com Lazarus Group
How to Protect Yourself from Job Scams: Essential Tips - The internet is a powerful tool in our career search, but it also provides cyber criminals with information and tactics they can use to exploit and deceive people looking for work. Job scams are sadly prevalent on the web, and if you’re job ...
2 years ago Tripwire.com
Lazarus hackers breach six companies in watering hole attacks - In the incidents analyzed by Kaspersky, victims are redirected to sites that mimick software vendors, such as the distributor of Cross EX - a tool that enables South Koreans to use security software in various web browsers for online banking and ...
1 month ago Bleepingcomputer.com
North Korean Hackers Use Fake Job Offers & Salary Bumps as Lure for Crypto Theft - Recent investigations have uncovered a massive operation carried out by North Korean hackers looking to steal cryptocurrency through fake job offers and salary bumps. According to recent reports, hackers have been able to trace the malicious ...
2 years ago Therecord.media
Fake browser updates spread updated WarmCookie malware - The latest campaign was discovered by researchers at Gen Threat Labs, who observed the WarmCookie backdoor being distributed as fake Google Chrome, Mozilla Firefox, Microsoft Edge, and Java updates. FakeUpdate is a cyberattack strategy used by a ...
7 months ago Bleepingcomputer.com
Hackers from North Korea Aimed at Medical and Energy Industries - The North Korean Lazarus hacking group has been identified as the perpetrator of a recent cyber espionage operation known as No Pineapple!. This designation highlights the group's malicious activities and its ability to carry out sophisticated ...
2 years ago Cybersecuritynews.com
UK, ROK sound alarm over North Korean supply chain attacks The Register - The national cybersecurity organizations of the UK and the Republic of Korea have issued a joint advisory warning of an increased volume and sophistication of North Korean software supply chain attacks. "In an increasingly digital and interconnected ...
1 year ago Theregister.com Lazarus Group
OKX suspends DEX aggregator after Lazarus hackers try to launder funds - OKX Web3 has decided to suspend its DEX aggregator services to implement security upgrades following reports of abuse by the notorious North Korean Lazarus hackers, who recently conducted a $1.5 billion crypto heist. OKX is a leading global ...
2 months ago Bleepingcomputer.com Lazarus Group
Fake Browser Updates Targeting Mac Systems With Infostealer - A widely popular social engineering campaign previously only targeting Windows systems has expanded and is now using fake browser updates to distribute Atomic Stealer, a dangerous information stealer, to macOS systems. Experts say this could be the ...
1 year ago Darkreading.com
North Korean hackers linked to $1.5 billion ByBit crypto heist - Since the attack, crypto fraud investigator ZachXBT has discovered links between the Bybit hackers and the infamous North Korean Lazarus threat group after the attackers sent stolen Bybit funds to an Ethereum address previously ...
3 months ago Bleepingcomputer.com Lazarus Group
Lazarus Hackers Exploit 2-Year-Old Log4j Vulnerability to Deploy New RAT Malware - Researchers warn Lazarus threat actors still exploit known Log4j vulnerability to infect devices with new DLang malware strains. The new campaign, dubbed Operation Blacksmith, became active on March 23. Hackers target manufacturing, agricultural, and ...
1 year ago Heimdalsecurity.com CVE-2021-44228
North Korean Hackers Developing Malware in Dlang Programming Language - The North Korea-linked hacking group Lazarus has been observed deploying Dlang malware in attacks against organizations in the manufacturing, agriculture, and physical security sectors, Cisco's Talos security researchers report. Released in 2001, ...
1 year ago Packetstormsecurity.com Andariel
North Korean Hackers Developing Malware in Dlang Programming Language - The North Korea-linked hacking group Lazarus has been observed deploying Dlang malware in attacks against organizations in the manufacturing, agriculture, and physical security sectors, Cisco's Talos security researchers report. Released in 2001, ...
1 year ago Securityweek.com Andariel
Lazarus Adds New Malicious npm Packages with Hexadecimal Encoding - These packages, part of the broader Contagious Interview operation, are designed to evade automated detection systems and manual code audits, marking a significant evolution in the group’s approach to cyber espionage and financial theft. The ...
1 month ago Cybersecuritynews.com Lazarus Group
North Korean hackers linked to defense sector supply-chain attack - In an advisory today Germany's federal intelligence agency and South Korea's National Intelligence Service warn of an ongoing cyber-espionage operation targeting the global defense sector on behalf of the North Korean government. The attacks aim to ...
1 year ago Bleepingcomputer.com Lazarus Group
Cybercrime Groups Offering Six-Figure Salaries for IT Talents - Increasingly, organized crime organizations are operating as businesses rather than criminal organizations, advertising jobs on the dark web with a number of advantages for members. A recent Kaspersky study found that 61% of job ads posted by hacking ...
2 years ago Cybersecuritynews.com
GrassCall malware campaign drains crypto wallets via fake job interviews - A recent social engineering campaign targeted job seekers in the Web3 space with fake job interviews through a malicious "GrassCall" meeting app that installs information-stealing malware to steal cryptocurrency wallets. Users are tricked into ...
3 months ago Bleepingcomputer.com
US seizes Sinbad crypto mixer used by North Korean Lazarus hackers - The U.S. Department of the Treasury has sanctioned the Sinbad cryptocurrency mixing service for its use as a money-laundering tool by the North Korean Lazarus hacking group. A cryptocurrency mixer is a server that allows people to deposit crypto, ...
1 year ago Bleepingcomputer.com Lazarus Group
FBI confirms Lazarus hackers were behind $1.5B Bybit crypto heist - Since the incident, crypto fraud investigator ZachXBT discovered multiple links to the infamous North Korean threat group after the attackers sent some of the stolen Bybit funds to an Ethereum address used in the Phemex, BingX, and Poloniex hacks ...
3 months ago Bleepingcomputer.com APT3 APT38 Lazarus Group