
Digital safety starts here for both commercial and personal use...

Defend Your Business Against the Latest WNY Cyber Threats. We offer Safe, Secure and Affordable Solutions for your Business and Personal Networks and Devices.



WNYCyber is there to help you to choose the best service providers in Western New York... We DO NOT provide the services ourselves, as we are Internet Programmers who have to deal daily with Cyber Threats... (Ugghhh)... So we know what it's like and what it takes to protect OUR and OUR CUSTOMERS' DATA... We built this Website to help steer you to those that can give you the best service at realistic and non-inflated prices. We do charge or collect any fees.

North Korean Hackers Adopt Clickfix Attacks to Target Crypto Firms

Summary:
North Korea’s Lazarus Group has adopted a new tactic known as "ClickFix" in its ongoing efforts to compromise job seekers in the cryptocurrency industry, particularly within the centralized finance space. According to cybersecurity firm Sekoia, this marks an evolution of the group’s earlier “Contagious Interview” campaign, which targeted individuals through fake job offers and coding tests. In the new variation, dubbed “ClickFake,” Lazarus impersonates well-known crypto companies such as Coinbase, KuCoin, Kraken, Circle, and Robinhood to lure victims into remote interviews.

Victims are directed to convincing websites built with ReactJS that mimic legitimate job application portals. These sites ask applicants to submit video introductions using their webcams. When attempting to do so, users encounter a fabricated error claiming a driver issue is preventing access to their camera. To "fix" the issue, they are instructed to run specific commands in either the Windows Command Prompt or macOS Terminal, depending on their operating system. These commands execute a Go-based backdoor known as GolangGhost, which establishes persistence through registry changes or LaunchAgent plist files.

Once deployed, GolangGhost connects to a command-and-control (C2) server, registering the infected system and enabling capabilities such as executing shell commands, stealing Chrome cookies, browser history, and stored passwords, and collecting system metadata. Unlike previous efforts that primarily targeted developers and coders, this campaign now focuses on individuals in non-technical roles, such as business development and marketing professionals.



Security Officer Comments:
Sekoia analyzed 184 fake interview invitations and identified 14 different company names being misused as lures. Although the ClickFake tactic is a recent development, the original Contagious Interview approach remains active, suggesting that Lazarus may be testing both methods in parallel.

Suggested Corrections:
To defend against these threats, experts warn users never to execute unknown commands from the internet and to remain cautious when receiving unsolicited interview invitations. Sekoia has also released YARA detection rules and a full list of indicators of compromise (IOCs) to help organizations identify and mitigate this malicious activity.
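The summary notes that GolangGhost persists on macOS through LaunchAgent plist files. The following is an added example, not taken from Sekoia's report or the linked articles, of a review script that flags LaunchAgents worth a closer look. The directory prefixes, interpreter list and sample plists are constructed assumptions, not indicators from this campaign, and the Windows registry side is not covered.

```python
import plistlib
from pathlib import PurePosixPath

# Heuristic assumptions (not campaign IOCs): places a vendor agent rarely
# runs from, and interpreters that make a launch target worth reviewing.
TEMP_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python3"}

def audit_launch_agent(plist_bytes):
    """Return the reasons a LaunchAgent plist deserves manual review."""
    try:
        job = plistlib.loads(plist_bytes)
    except Exception:
        return ["unparseable plist"]
    if not isinstance(job, dict):
        return ["unparseable plist"]
    args = job.get("ProgramArguments")
    argv = list(args) if isinstance(args, list) else []
    if job.get("Program"):
        argv.insert(0, job["Program"])
    reasons = []
    if argv and PurePosixPath(str(argv[0])).name in INTERPRETERS:
        reasons.append("launches an interpreter")
    for token in map(str, argv):
        if token.startswith(TEMP_DIRS):
            reasons.append(f"runs from temp/shared dir: {token}")
        elif token.startswith("/Users/") and any(
                part.startswith(".") for part in PurePosixPath(token).parts):
            reasons.append(f"runs from hidden dir in a home folder: {token}")
    if reasons and (job.get("RunAtLoad") or job.get("KeepAlive")):
        reasons.append("starts automatically (RunAtLoad/KeepAlive)")
    return reasons

def scan(agents):
    """Map file name -> reasons, keeping only agents with findings."""
    return {name: r for name, data in agents.items()
            if (r := audit_launch_agent(data))}

# Constructed sample plists (labels and paths are made up for illustration).
SAMPLES = {
    "com.example.updater.plist": plistlib.dumps({
        "Label": "com.example.updater", "RunAtLoad": True,
        "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater"]}),
    "com.example.camfix.plist": plistlib.dumps({
        "Label": "com.example.camfix", "RunAtLoad": True, "KeepAlive": True,
        "ProgramArguments": ["/bin/bash", "/Users/alice/.cache/fix/run.sh"]}),
    "broken.plist": b"not a plist",
}

if __name__ == "__main__":
    for name, reasons in scan(SAMPLES).items():
        print(name, "->", "; ".join(reasons))
```

On a real Mac, pass `scan` the bytes of each file in `~/Library/LaunchAgents`; a finding is a prompt for review, not proof of compromise.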



Link(s):
https://www.bleepingcomputer.com/news/security/north-korean-hackers-adopt-clickfix-attacks-to-target-crypto-firms/


https://blog.sekoia.io/clickfake-interview-campaign-by-lazarus/