North Korean Cyber Threats: The Rising Danger of ClickFix and GolangGhost Malware


In recent months, cybersecurity researchers have uncovered a disturbing trend in the activities of North Korean hackers. These threat actors, linked to the infamous Lazarus Group, have introduced a new social engineering tactic called ClickFix. This method is being used to lure job seekers, particularly in the cryptocurrency sector, into downloading a previously unknown Go-based malware backdoor called GolangGhost, which targets both Windows and macOS systems. This development marks an evolution in their campaign and a shift in focus from decentralized finance (DeFi) entities to centralized finance institutions.

Summary

North Korean hackers have adopted the ClickFix social engineering tactic, luring job seekers in the cryptocurrency sector with fake job offers that ultimately lead to the installation of malware. This new tactic is part of an ongoing campaign, codenamed ClickFake Interview, first identified by French cybersecurity company Sekoia. The activity, attributed to the Lazarus Group, has been tracked under various names such as Contagious Interview and DeceptiveDevelopment since late 2022.

The campaign involves impersonating legitimate companies in the cryptocurrency world, such as Coinbase, KuCoin, and Kraken, and using fake job interviews to deliver the malware. Victims are approached via platforms like LinkedIn or X, where they are asked to download a malicious video conferencing app that is used to deploy the malware.

The malware itself, named GolangGhost, is a sophisticated backdoor that enables remote control of infected systems. On Windows systems, it runs via a Visual Basic Script (VBS), while on macOS, a shell script is used to trigger the infection. The malware also includes a stealer module known as FROSTYFERRET, which collects sensitive information such as passwords, particularly targeting iCloud credentials.

Interestingly, the malware campaign specifically targets non-technical job positions like business development or asset management roles, signaling a departure from the typical focus on software developers in previous attacks. This shift reflects an expansion of the Lazarus Group’s tactics, which now include both centralized and decentralized financial targets.

What Undercode Says: A Deeper Analysis

The Lazarus Group’s use of social engineering tactics, especially through the ClickFix method, is a significant development in their ongoing cyber-espionage campaign. The decision to target job seekers in the cryptocurrency sector is no coincidence. Cryptocurrency remains a high-value target for North Korean hackers due to its association with large financial transactions that can easily be exploited for profit. The malware, GolangGhost, is sophisticated and designed for stealth. Its ability to control infected systems remotely and exfiltrate sensitive data, such as web browser information and passwords, makes it a highly effective tool for cybercriminals.

The use of fake job interviews as a lure is a notable shift in the tactics employed by the Lazarus Group. In the past, the group primarily targeted software developers and engineers. Now, however, they are expanding their scope to include business professionals, likely to cast a wider net and reach people less likely to recognize the lure. By targeting non-technical job roles, the threat actors are increasing their chances of success, as many job seekers might not be as tech-savvy, making them more susceptible to malware infections.

Another interesting element of this campaign is the focus on centralized financial institutions. Previously, the Lazarus Group’s attacks were largely directed at decentralized finance (DeFi) entities, such as cryptocurrency exchanges and platforms. However, in this iteration, they appear to be targeting more established, centralized platforms like Coinbase and Kraken. This shift suggests that the group is diversifying its targets and possibly adjusting its strategy based on emerging opportunities in the global financial landscape.

The campaign’s success hinges on its ability to build user trust through legitimate-looking job offers and video interview setups. The psychological manipulation involved in asking victims to download a seemingly innocuous video conferencing app, only for it to install malware on their systems, demonstrates the group’s increasing sophistication in social engineering. The malware itself is highly versatile, designed to infect both Windows and macOS systems, and capable of stealing a wide range of sensitive data.

Furthermore, the Lazarus

Fact Checker Results

1. The ClickFix tactic, coupled with the GolangGhost malware, has proven effective in exploiting job seekers, particularly those in the cryptocurrency sector.

2. Lazarus

3. The surge in fraudulent IT worker schemes in Europe indicates a broader shift in North Korea’s cyber operations, signaling a global expansion beyond the United States.

This evolution in tactics and the strategic targeting of new sectors suggest that the Lazarus Group will continue to refine and diversify its methods, making it a significant threat to both financial institutions and individuals globally.

References:

Reported By: https://thehackernews.com/2025/04/lazarus-group-targets-job-seekers-with.html