New ClickFake Interview Attack Using ClickFix Technique to Deliver GolangGhost Malware
The Lazarus Group’s long-running recruitment lure has resurfaced as “ClickFake Interview”, anchored on the freshly registered waventic[.]com site.
Candidates progress through a slick JavaScript form that ends with a bogus webcam “driver” download, actually planting the cross-platform GolangGhost malware.
Sekoia.io threat-defence researchers noted that the operators recycled the “ClickFix” web template first profiled in March 2025, but have now integrated geolocation filters and CAPTCHA to deter casual scanning.
The analysts traced more than forty companion domains spawned since April, all funnelling traffic toward apply[.]waventic[.]com before serving a statically linked Go binary compiled for Windows, Linux and macOS.
The reinvigorated social engineering loop leverages stolen LinkedIn profiles and Telegram channels to appear legitimate, then abuses browser push-notifications to prompt the file transfer.
Once executed, GolangGhost immediately contacts hard-coded C2 endpoints over TLS-wrapped WebSockets, exporting a full inventory of running processes and OS-level metadata within seconds.
Early telemetry shows finance and blockchain start-ups in Europe and Southeast Asia among the first victims, with several macOS arm64 hosts already leaking credential vaults.
Delivered as a self-contained Go executable, the sample often bypasses signature-based antivirus engines that treat it as benign build output.
Infection mechanism
At launch GolangGhost drops a per-user copy into the OS-specific autostart directory and registers persistence keys named “SysDrvX %RAND%”.
The binary’s minimal footprint stems from dynamic module loading: most capabilities are fetched on demand as base64-encoded gRPC blobs.
The following excerpt, recovered during sandboxing, shows the loader decompressing its plugin package:

```go
// Decode the base64 plugin package and inflate it with zlib
blob, _ := base64.StdEncoding.DecodeString(pkg)
r, _ := zlib.NewReader(bytes.NewReader(blob))
// Write the module into the temp directory (io.Copy needs a writer, not a path string)
f, _ := os.Create(os.TempDir() + "/" + modName)
io.Copy(f, r)
f.Close()
// Launch the dropped module with its init argument
cmd := exec.Command(os.TempDir()+"/"+modName, "-m", "init")
cmd.Start()
```
Security teams should monitor outbound WebSocket traffic to unfamiliar domains and flag Go executables spawning shell processes outside the user profile.
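As an added illustration (not from the article or Sekoia.io's research), the following Python turns those monitoring recommendations, plus the “SysDrvX %RAND%” persistence name from the infection section, into a small triage routine over constructed endpoint events. The event field names, the `parent_is_go` tag (assumed to come from an EDR that recognises Go build metadata) and the sample hosts and domains are all assumptions.

```python
import re

# Heuristics distilled from the article: the "SysDrvX <random>" persistence
# value name, a Go binary launching a shell from outside the user profile,
# and WebSocket upgrades to domains the organisation does not recognise.
PERSIST_RE = re.compile(r"^SysDrvX\s+\S+$")
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash", "zsh"}
PROFILE_PREFIXES = ("c:/users/", "/home/", "/users/")  # Windows, Linux, macOS


def in_user_profile(path: str) -> bool:
    """True if the image lives under a per-user profile directory."""
    return path.replace("\\", "/").lower().startswith(PROFILE_PREFIXES)


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def triage(events, known_domains):
    """Return (rule, host) pairs for events matching the article's indicators."""
    findings = []
    for e in events:
        kind = e["type"]
        if kind == "registry" and PERSIST_RE.match(e["value_name"]):
            findings.append(("sysdrvx_persistence", e["host"]))
        elif (kind == "process" and e.get("parent_is_go")
              and basename(e["image"]) in SHELLS
              and not in_user_profile(e["parent_image"])):
            findings.append(("go_binary_spawned_shell", e["host"]))
        elif (kind == "network" and e.get("upgrade") == "websocket"
              and e["dest"].lower() not in known_domains):
            findings.append(("unknown_websocket_c2", e["host"]))
    return findings


# Constructed telemetry for demonstration; none of these are real indicators.
SAMPLE_EVENTS = [
    {"type": "registry", "host": "ws01", "value_name": "SysDrvX 7f3a9c"},
    {"type": "registry", "host": "ws01", "value_name": "OneDrive"},
    {"type": "process", "host": "ws02", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\ProgramData\update\svc.exe", "parent_is_go": True},
    {"type": "process", "host": "ws02", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\dev\tool.exe", "parent_is_go": True},
    {"type": "network", "host": "mac01", "upgrade": "websocket", "dest": "updates.example.invalid"},
    {"type": "network", "host": "mac01", "upgrade": "websocket", "dest": "chat.corp.example"},
]
KNOWN_DOMAINS = {"chat.corp.example"}  # constructed allowlist of expected WebSocket peers

if __name__ == "__main__":
    for rule, host in triage(SAMPLE_EVENTS, KNOWN_DOMAINS):
        print(f"{host}: {rule}")
```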