Lazarus Group Evolves Tactics to Target CeFi Job Seekers with ‘ClickFix’ Malware

A recent cybersecurity report by Sekoia revealed an evolving threat posed by the Lazarus Group, the notorious North Korea-linked hacking group. It is now leveraging a tactic known as “ClickFix” to target job seekers in the cryptocurrency sector, particularly within centralized finance (CeFi).

This approach marks an adaptation of the group’s earlier “Contagious Interview” campaign, which was previously aimed at developers and engineers in artificial intelligence and crypto-related roles.

Lazarus Exploits Crypto Hiring

In the newly observed campaign, Lazarus has shifted its focus to non-technical professionals, such as marketing and business development personnel, by impersonating major crypto firms like Coinbase, KuCoin, Kraken, and even stablecoin issuer Tether.

The attackers build fraudulent websites mimicking job application portals and lure candidates with fake interview invitations. These sites often include realistic application forms and even requests for video introductions, fostering a sense of legitimacy.

However, when a user attempts to record a video, they are shown a fabricated error message, which typically suggests a webcam or driver malfunction. The page then prompts the user to run PowerShell commands under the guise of troubleshooting, thereby triggering the malware download.

This ClickFix method, though relatively new, is becoming more prevalent due to its psychological simplicity – since users believe they are resolving a technical issue, and not executing malicious code. According to Sekoia, the campaign draws on materials from 184 fake interview invitations, referencing at least 14 prominent companies to bolster credibility.

As such, the latest tactic demonstrates Lazarus’s growing sophistication in social engineering and its ability to exploit the professional aspirations of individuals in the competitive crypto job market. Interestingly, this shift also suggests that the group is expanding its targeting criteria by aiming not just at those with access to code or infrastructure but also at those who might handle sensitive internal data or be in a position to facilitate breaches inadvertently.

Despite the emergence of ClickFix, Sekoia reported that the original Contagious Interview campaign remains active. This parallel deployment of strategies suggests that North Korea’s state-sponsored collective may be testing their relative effectiveness or tailoring tactics to different target demographics. In both cases, the campaigns share a consistent goal – delivering info-stealing malware through trusted channels and manipulating victims into self-infection.

Lazarus Behind Bybit Hack

The Federal Bureau of Investigation (FBI) officially attributed the $1.5 billion attack on Bybit to the Lazarus Group. Hackers targeting the crypto exchange employed fake job offers to trick staff into installing tainted trading software known as “TraderTraitor.”

Although crafted to look authentic through cross-platform JavaScript and Node.js development, the applications embedded malware designed to steal private keys and execute illicit transactions on the blockchain.