By Bill Toulas

The notorious North Korean Lazarus hacking group has reportedly adopted 'ClickFix' tactics to deploy malware targeting job seekers in the cryptocurrency industry, particularly centralized finance (CeFi).

This development, reported by Sekoia, is seen as an evolution of the threat actor's 'Contagious Interview' campaign, which similarly targets job seekers in the AI and cryptocurrency space.

In Contagious Interview, first documented in November 2023, Lazarus approaches targets on LinkedIn or X, presenting them with employment opportunities. It then uses software and coding test projects hosted on collaboration platforms like GitHub and Bitbucket to trick targets into downloading and running malware loaders on their systems, dropping info-stealers.

Starting in February 2025, Sekoia says, Lazarus began using so-called 'ClickFake' campaigns that employ ClickFix tactics to achieve the self-infection step, with the earlier phases of the attack remaining the same.

ClickFix is a relatively new but increasingly common tactic where threat actors use fake errors on websites or documents indicating a problem viewing the content.

In the ClickFake attacks, Lazarus switched focus from targeting developers and coders to people holding non-technical roles in CeFi companies, such as business developers and marketing managers.

These people are invited to a remote interview by following a link to a legitimate-appearing site built in ReactJS, featuring contact forms, open-ended questions, and a request for a video introduction.

When the target attempts to record the video using their webcam, a fake error appears, claiming a driver issue is preventing camera access and generating instructions on how to overcome the problem.

The malware can perform file operations and shell command execution, steal Chrome cookies, browsing history, and stored passwords, and also harvest system metadata.

Sekoia says that Lazarus impersonates numerous well-known companies in the latest campaign, including Coinbase, KuCoin, Kraken, Circle, Securitize, BlockFi, Tether, Robinhood, and Bybit, from which the North Korean threat actors recently stole a record $1.5 billion.

"By collecting data (i.e. JSON objects) included in all the fake interview websites we identified, we were able to determine which companies were unknowingly used as a lure for these fake interviews," explains Sekoia.

However, the researchers note that Contagious Interview is still ongoing, indicating that the North Koreans are possibly evaluating the effectiveness of the two techniques while running them in parallel.

As Lazarus diversifies its attack methods, potential targets must remain vigilant and stay up to date with the latest developments, consistently verifying interview invitations before downloading or executing anything on their systems.

Sekoia has also shared Yara rules that organizations can use to detect and block ClickFake activity in their environments, as well as a complete list of the indicators of compromise associated with the latest Lazarus campaigns.
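As an added defensive illustration (not code from the Sekoia report or the BleepingComputer article): since the backdoor is reported to steal Chrome cookies, browsing history and stored passwords, one host-side check is to flag any process other than the browser reading those profile files. The telemetry format and sample events below are constructed, and the process allowlist is an assumption to tune per environment.

```python
"""Flag non-browser processes reading Chrome cookie, history or password stores.

The event format (one key="value" record per line, loosely modelled on EDR
file-read telemetry) and the sample events are constructed for illustration.
"""
import re
from typing import Dict, List

# Chrome keeps these artifacts as SQLite files inside the profile directory
# (e.g. ...\User Data\Default\Login Data, ...\Default\Network\Cookies).
CHROME_ARTIFACTS = {"cookies", "history", "login data"}
CHROME_PROFILE_MARKER = "\\google\\chrome\\user data\\"
# Processes expected to open these files; assumption, tune per environment.
ALLOWED_PROCESSES = {"chrome.exe"}

_KV = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line: str) -> Dict[str, str]:
    """Split a constructed key="value" record into a dict."""
    return dict(_KV.findall(line))


def is_chrome_artifact(path: str) -> bool:
    """True if the path is one of the Chrome stores the backdoor targets."""
    p = path.lower()
    if CHROME_PROFILE_MARKER not in p:
        return False
    return p.rsplit("\\", 1)[-1] in CHROME_ARTIFACTS


def detect(events: List[str]) -> List[str]:
    """Return one alert per read of a Chrome store by a non-allowlisted process."""
    alerts = []
    for line in events:
        ev = parse_event(line)
        path, proc = ev.get("path", ""), ev.get("process", "").lower()
        if is_chrome_artifact(path) and proc.rsplit("\\", 1)[-1] not in ALLOWED_PROCESSES:
            alerts.append(f'{ev.get("ts", "?")} {proc} read {path}')
    return alerts


# Constructed sample telemetry: one benign browser read, one unrelated read,
# and three reads of Chrome stores by processes that have no business there.
SAMPLE_EVENTS = [
    r'ts="2025-03-31T10:00:01Z" process="C:\Program Files\Google\Chrome\Application\chrome.exe" path="C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"',
    r'ts="2025-03-31T10:02:13Z" process="C:\Users\bob\AppData\Local\Temp\sample_unknown.exe" path="C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data"',
    r'ts="2025-03-31T10:02:14Z" process="C:\Users\bob\AppData\Local\Temp\sample_unknown.exe" path="C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\History"',
    r'ts="2025-03-31T10:03:00Z" process="C:\Windows\System32\notepad.exe" path="C:\Users\bob\Documents\notes.txt"',
    r'ts="2025-03-31T10:05:42Z" process="C:\Windows\System32\cmd.exe" path="C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Cookies"',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The check is deliberately coarse: legitimate backup or sync agents may also read these files, so the allowlist, not the artifact list, is where tuning belongs.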
Published on www.bleepingcomputer.com, Mon, 31 Mar 2025 16:00:15 +0000.