New “ClickFake Interview” campaign attributed to the Lazarus Group targets crypto professionals with fake job offers
Analysis Summary
# Threat Actor: Lazarus Group
## Attribution & Identity
* **Attribution:** North Korean Lazarus Group.
* **Known Aliases and Groups:** Not explicitly named beyond Lazarus Group, but the campaign is characterized as a continuation of their long-running strategy.
## Activity Summary
The actor is currently running a cyber campaign dubbed **“ClickFake Interview.”**
* **Method:** Uses social engineering tactics centered on fake job postings found on platforms such as LinkedIn or X (formerly Twitter).
* **Operation:** Threat actors pose as recruiters and invite cryptocurrency professionals to interviews. Victims are then tricked into opening malicious attachments or clicking compromised links, leading to malware infection.
## Tactics, Techniques & Procedures
* **Social Engineering:** Posing as recruiters to gain trust and lure targets (Spearphishing/Social Media Lures).
* **Initial Access:** Delivery of malware via malicious documents or compromised links presented during the "interview" process.
* **Execution/Impact:** Installation of the **ClickFix** malware, which grants remote access to the victim's system.
* **Objective Achievement:** Stealing sensitive data, specifically including cryptocurrency wallet credentials.
* **MITRE ATT&CK IDs:** Not explicitly provided in the text.
## Targeting
* **Sectors:** Cryptocurrency sector/professionals.
* **Geography:** Not explicitly stated, but global targeting is implied based on the nature of the platforms used (LinkedIn, X) and the targeted industry.
* **Victims:** Cryptocurrency professionals seeking employment.
## Tools & Infrastructure
* **Malware Families Used:** **ClickFix** malware.
* **Infrastructure (C2, domains, IPs):** Not specified; the source states only that the malware enables remote access to the victim's system.
## Implications
The Lazarus Group continues to adapt its targeting to high-value sectors like cryptocurrency to secure funding for the North Korean regime. The use of sophisticated social engineering tactics focused on highly sought-after job roles (crypto professionals) lowers the technical barrier to entry for the initial infection while maximizing the potential reward (crypto wallet credentials).
## Mitigations
* **Vigilance:** Exercise extreme caution regarding unsolicited job offers, especially those originating from social media platforms, that require opening attachments or clicking unverified links.
* **Verification:** Thoroughly verify the legitimacy of recruiters and organizations offering interviews, particularly when dealing with cryptocurrency-related roles.
* **Endpoint Security:** Ensure robust endpoint protection capable of detecting and blocking the execution of newly introduced malware like ClickFix.
* **Data Protection:** Implement multi-factor authentication and stronger controls around cryptocurrency wallet credentials.