The ClickFake Interview campaign builds upon the tactics of Contagious Interview, which targeted software developers via fake job interviews conducted on platforms like LinkedIn or X (formerly Twitter). The Lazarus Group, a North Korean state-sponsored hacking collective, has launched a new campaign dubbed ClickFake Interview, targeting job seekers in the cryptocurrency industry. Analysis of fake interview websites revealed that Lazarus primarily targets centralized finance (CeFi) entities like Coinbase, Kraken, Bybit, and Robinhood. The campaign represents an evolution of the previously documented Contagious Interview campaign, showcasing Lazarus’ adaptability and persistent focus on exploiting the cryptocurrency ecosystem. Since 2017, the group has increasingly targeted cryptocurrency entities, leveraging malware, supply chain attacks, trojanized applications, and fake job offers. The ClickFake Interview campaign underscores Lazarus’ adaptability and sophistication in targeting cryptocurrency entities. By leveraging fake job offers and evolving tactics like ClickFix, the group continues to pose significant threats to centralized finance platforms globally. This malicious operation uses fake job interview websites to deploy a Go-based backdoor, known as GolangGhost, on both Windows and macOS systems. In this new campaign, attackers lure victims to fake interview websites crafted using ReactJS. Additionally, job roles advertised in these fake interviews target non-technical profiles such as managers in business development or asset management individuals less likely to detect malicious activity during interviews. Lazarus has been active since at least 2009, conducting cyber espionage and financial operations to support North Korea’s missile and nuclear programs. In March 2025, Lazarus executed the largest crypto heist in history, stealing $1.5 billion from Bybit, a UAE-based exchange—an attack that highlights its growing sophistication. Its focus on non-technical employees suggests a strategic pivot aimed at exploiting less vigilant targets while maintaining its overarching goal of financial gain for North Korea. Unlike earlier campaigns focused on decentralized finance (DeFi), this shift aligns with DPRK threat actors’ growing interest in CeFi platforms due to their reliance on intermediaries for transactions. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis.
This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 31 Mar 2025 12:10:22 +0000