From Contagious to ClickFake Interview: Lazarus leveraging the ClickFix tactic
This post was originally distributed as a private FLINT report to our customers on 21 March 2025.
Introduction
In February 2025, Bybit, a UAE-based cryptocurrency exchange, was targeted by Lazarus, a state-sponsored intrusion set attributed to the Democratic People's Republic of Korea (DPRK), leading to the theft of roughly $1.5 billion, the largest cryptocurrency heist on record.
The targeting of the cryptocurrency ecosystem by North Korean threat groups is not new: the country has used cyber operations to bypass international sanctions and to finance its ballistic missile and nuclear weapons programmes since at least 2014. According to Chainalysis, DPRK threat actors stole more from cryptocurrency platforms in 2024 than in any previous year, an estimated $1.3 billion, up from $660.5 million in 2023.
A recent TDR investigation into Lazarus attempts to target the cryptocurrency industry led to the discovery of a malicious campaign targeting job …
IoC
URLs (the two entries with an uppercase placeholder host, STAGING and DOMAIN, describe URL patterns rather than literal hosts)
https://api.smartdriverfix.cloud/nvidiawins-update
http://vidcruitermaster.com
http://api.provideodrivers.cloud
http://livehirehub.com
http://talenthiring360.com
http://quickinterview360.com
http://quickskill-review.com
http://api.nvidia-release.org
https://STAGING
http://candidateinsightinfo.com
https://www.archblock.com
http://api.web-cam.cloud
http://api.webcamdrivers.cloud
http://api.drive-release.cloud
http://test-wolf.com
http://competency-core.com
http://api.videotechdrivers.cloud
http://api.camdriversupport.com
http://evalassesso.com
http://72.5.42.93:8080
http://skillhiretrack.com
http://zenspiretech.com
http://talentview360.com
https://api.smartdriverfix.cloud/coremedia-kp9s.sh
http://blockassess.com
http://api.drivercams.cloud
http://devchallengehq.com
http://quickassessio.com
http://assessiohq.com
http://vid-crypto-assess.com
http://154.62.226.22:8080
http://api.camtechdrivers.com
http://api.vcamdriverupdate.cloud
http://skillprooflab.com
http://api.camdriverhub.cloud
http://coinbase-walet.me
http://talentsnaptest.com
http://vidintermaster.com
http://quickhire360.com
http://api.driversnap.cloud
http://vidcruiterinterview.com
http://api.videodriverzone.cloud
http://eskillprof.com
http://api.camdriverstore.cloud
http://blockchainjobhub.com
http://talentcheck.pro
https://DOMAIN/invite/[UUID]
http://vidassesspro.com
http://videorecruitpro.com
http://vidhirehub.com
http://api.videocarddrivers.cloud
http://ugethired360.com
http://api.camera-drive.org
http://api.nvidia-drive.cloud
http://api.vidtechhub.cloud
http://coinbase-walet.biz
http://api.driverstream.cloud
http://38.134.148.218:8080
http://jobinterview360.com
http://api.webcamwizard.cloud
http://api.nvidia-release.us
http://toptalentassess.com
http://evalswift.com
http://api.camdrivers.cloud
http://evalvidz.com
http://intervwolf.com
https://api.smartdriverfix.cloud/nvidiadrivers-kp9s.update
http://vidassess360.com
http://api.smartdriverfix.cloud
http://blockchainjobassessment.com
http://api.drivercamhub.cloud
IP addresses
72.5.42.93
154.62.226.22
38.134.148.218
File hashes (MD5 and SHA-256)
69bf17d2fb810df08180f0d5b7ce4537
ef9f49f14149bed09ca9f590d33e07f3a749e1971a31cb19a035da8d84f97aa0
00b7488d87972e9812e94c69385f6839
3fec701b5e8486081c7062590f4ff947fcf51246cb067f951e90eb43dad930b4
0cbbf7b2b15b561d47e927c37f6e9339fe418badf49fa5f6fc5c49f0dc981100
d583a05680e83b5b4c7ac2d21920384b
bfac94bfb53b4c0ac346706b06296353462a26fa3bb09fbfc99e3ca090ec127e
e52118fc7fc9b14e5a8d9f61dfae8b140488ae6ec6f01f41d9e16782febad5f2
ce37c75d35c82f933e14b00f32c25373
7978d40bd5ca56021f6c250f564e7e27
6289ef57b1772d78da0e54ba4730b6fc79f5ec1620ff63c3abaebea70190eba9
d00ca82a32b5e8063492f27dfec225b0888cd6135db3e2af65be3782bbfa16e5
e88700d069a856e1a16c0da317a6f18fa626dd2d46dcbee1a7403d2e2d9ed097
ba81429101a558418c80857781099e299c351b09c8c8ad47df2494634a5332dc
341ba2e57a0f108be75a1515d32a008a
b7b9e7637a42b5db746f1876a2ecb19330403ecb4ec6f5575db4d94df8ec79e8
887189269c3594e1a851eb22f7c174a7c28618114b7dbaab6b645f34bd809f5a
a803c043e12a5dac467fae092b75aa08b461b8e9dd4c769cea375ff87287a361
f4b4411e403dd5094eef9c8946522fc9a99cf1676c8de5926b3c343264b126e6
6e186ada6371f5b970b25c78f38511af8d10faaeaed61042271892a327099925
2805e6efa8877f5707d8e6b29610894f
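The list above mixes four kinds of indicator (URLs, IP:port endpoints, bare IPs, and MD5 and SHA-256 hashes) plus two URL patterns with placeholder hosts. The Python below is an added example, not code from the Sekoia.io report: it classifies a subset of the published indicators (copied verbatim), derives a host blocklist and a hash set, and matches them against proxy-log lines and file hashes that are constructed for the demonstration (none of that telemetry is real). The parent-domain widening is this example's own heuristic, offered as a lead for analyst review rather than a recommendation from the report.

```python
"""Triage helper for the IoC list above.

Added example, not part of the Sekoia.io report. Classifies the indicators
(URLs, IP:port endpoints, bare IPs, MD5 and SHA-256 hashes), derives a host
blocklist and a hash set, and matches them against constructed proxy-log
lines and constructed file hashes. Indicator lines are copied from the list
above; every log line and "observed" hash is made up for the demonstration.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Subset of the published indicators, verbatim, including the two pattern
# entries whose uppercase host stands for a placeholder.
IOC_LINES = """
https://api.smartdriverfix.cloud/nvidiawins-update
http://vidcruitermaster.com
https://STAGING
http://72.5.42.93:8080
https://DOMAIN/invite/[UUID]
http://coinbase-walet.me
https://api.smartdriverfix.cloud/coremedia-kp9s.sh
72.5.42.93
69bf17d2fb810df08180f0d5b7ce4537
ef9f49f14149bed09ca9f590d33e07f3a749e1971a31cb19a035da8d84f97aa0
""".split()

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
PLACEHOLDERS = {"STAGING", "DOMAIN"}


def classify(ioc: str) -> str:
    """One of: md5, sha256, ip, url, pattern, unknown."""
    if HEX_RE.match(ioc):
        return {32: "md5", 64: "sha256"}.get(len(ioc), "unknown")
    try:
        ipaddress.ip_address(ioc)
        return "ip"
    except ValueError:
        pass
    if ioc.startswith(("http://", "https://")):
        host = urlparse(ioc).hostname or ""
        return "pattern" if host.upper() in PLACEHOLDERS else "url"
    return "unknown"


def build_blocklist(iocs):
    """Split indicators into lower-cased hosts (domains and IPs) and hashes.
    Pattern entries are skipped: they describe a URL shape, not a host."""
    hosts, hashes = set(), set()
    for ioc in iocs:
        kind = classify(ioc)
        if kind in ("md5", "sha256"):
            hashes.add(ioc.lower())
        elif kind == "ip":
            hosts.add(ioc)
        elif kind == "url":
            hosts.add(urlparse(ioc).hostname.lower())
    return hosts, hashes


def parent_domains(hosts):
    """Approximate registrable domains by dropping the first label of hosts
    with three or more labels (api.x.cloud -> x.cloud). Ignores public-suffix
    rules, so treat matches as leads to review, not as blocks. IPs skipped."""
    parents = set()
    for h in hosts:
        labels = h.split(".")
        if classify(h) != "ip" and len(labels) >= 3:
            parents.add(".".join(labels[1:]))
    return parents


def host_of(target: str) -> str:
    """Host of a URL, or of a bare host:port as seen on CONNECT lines."""
    if "://" not in target:
        target = "//" + target
    return (urlparse(target).hostname or "").lower()


# Constructed proxy log (format: epoch client method url_or_hostport).
PROXY_LOG_LINES = """
1742400001 10.0.0.12 GET http://vidcruitermaster.com/
1742400002 10.0.0.12 GET https://api.smartdriverfix.cloud/coremedia-kp9s.sh
1742400003 10.0.0.31 GET https://www.example.com/
1742400004 10.0.0.31 CONNECT 72.5.42.93:8080
1742400005 10.0.0.44 GET https://cdn.smartdriverfix.cloud/x
""".strip().splitlines()


def match_hosts(log_lines, hosts):
    """(client, host, confidence) per line whose destination is a listed host
    or a subdomain of one ('exact'), or another host under the same parent
    domain ('parent', for analyst review)."""
    parents = parent_domains(hosts)
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        client, h = parts[1], host_of(parts[3])
        if not h:
            continue
        if h in hosts or any(h.endswith("." + b) for b in hosts):
            hits.append((client, h, "exact"))
        elif h in parents or any(h.endswith("." + p) for p in parents):
            hits.append((client, h, "parent"))
    return hits


# Constructed EDR hash report: one published indicator, one filler value.
OBSERVED_HASHES = ["69BF17D2FB810DF08180F0D5B7CE4537", "0123456789abcdef0123456789abcdef"]


def match_hashes(observed, hashes):
    """Case-insensitive hash lookup; returns the observed strings that hit."""
    return [h for h in observed if h.lower() in hashes]


if __name__ == "__main__":
    hosts, hashes = build_blocklist(IOC_LINES)
    for hit in match_hosts(PROXY_LOG_LINES, hosts):
        print("network", *hit)
    for h in match_hashes(OBSERVED_HASHES, hashes):
        print("hash", h)
```

Run against the constructed log, the three exact hits are the two listed domains and the 72.5.42.93 CONNECT; cdn.smartdriverfix.cloud is only flagged at "parent" confidence because the report lists api.smartdriverfix.cloud, not the parent zone. Whether to block the whole zone is an analyst decision.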
rule apt_Lazarus_MacOs_ClickFake_Interview_bash_installer {
    meta:
        id = "0f59e291-ac25-4e9a-89b8-54ea7015f769"
        intrusion_set = "Lazarus"
        malware = "GolangGhost"
        description = "Detects macOS installer used in ClickFake Interview campaign"
        source = "Sekoia.io"
        creation_date = "2025-03-19"
        classification = "TLP:GREEN"
        hash = "2805e6efa8877f5707d8e6b29610894f"
    strings:
        $s0 = "#!/bin/bash"
        $s1 = "PLISST_FILE=~/Library/"
        $s2 = "ZIP_URL=$ZIP_"
        $s3 = "chmod +x"
    condition:
        // shebang at offset 0, then the three markers in script order
        filesize < 5KB and
        $s0 at 0 and @s1 < @s2 and @s2 < @s3
}
rule apt_Lazarus_ClickFake_GolangGhost_Compiled {
    meta:
        id = "f0d1d82e-7cb5-4324-8f11-310d0dc26e48"
        version = "1.0"
        malware = "GolangGhost"
        intrusion_set = "Lazarus"
        description = "Detects Lazarus compiled Go Backdoor"
        source = "Sekoia.io"
        creation_date = "2025-03-20"
        classification = "TLP:GREEN"
    strings:
        $ = "bits-project/bits/util"
        $ = "unknown auto mode"
        $ = "%s.tar.gz"
        $ = "AutoModeChromeGather"
        $ = "UUID: %s, URL: %s"
    condition:
        (
            (uint16(0) == 0x5a4d) or        // PE ("MZ")
            (uint32(0) == 0x464c457f) or    // ELF ("\x7fELF")
            (uint32(0) == 0xfeedfacf) or    // Mach-O 64-bit, both byte orders
            (uint32(0) == 0xcffaedfe) or
            (uint32(0) == 0xfeedface) or    // Mach-O 32-bit, both byte orders
            (uint32(0) == 0xcefaedfe)       // thin Mach-O only: universal (0xcafebabe) binaries are not gated in
        ) and 4 of them
}
rule apt_Lazarus_ClickFake_ZIP_with_GolangGhost {
    meta:
        id = "2cfea7bc-ea80-4bf7-b647-364e01a631ff"
        version = "1.0"
        intrusion_set = "Lazarus"
        malware = "GolangGhost"
        description = "Detects Lazarus's ZIP file with Go Stealer"
        source = "Sekoia.io"
        creation_date = "2025-03-20"
        classification = "TLP:GREEN"
        hash = "00b7488d87972e9812e94c69385f6839"
    strings:
        // ZIP entry header fields followed by the path of a Go source file in the archive
        // "/chrome_cookie_darwin.go"
        $ = { (9A 18 | 84 17) 00 00 [4-12] 2F 63 68 72 6F 6D 65 5F 63 6F 6F 6B 69 65 5F 64 61 72 77 69 6E 2E 67 6F }
        // "/basic.g"
        $ = { (BF 05 | 36 06) 00 00 [4-12] 2F 62 61 73 69 63 2E 67 }
        // "/chrome_cookie_other.go"
        $ = { (08 24 | 95 22) 00 00 [4-12] 2F 63 68 72 6F 6D 65 5F 63 6F 6F 6B 69 65 5F 6F 74 68 65 72 2E 67 6F }
    condition:
        uint32be(0) == 0x504b0304 and    // ZIP local file header "PK\x03\x04"
        1 of them
}
rule apt_Lazarus_ClickFake_JavaScript {
    meta:
        id = "9037b056-c6a9-4089-a30c-377e7461e83e"
        version = "1.0"
        intrusion_set = "Lazarus"
        malware = "GolangGhost"
        description = "Detects ReactJS code used in ClickFake campaign"
        source = "Sekoia.io"
        creation_date = "2025-03-20"
        classification = "TLP:GREEN"
        hash = "d583a05680e83b5b4c7ac2d21920384b"
    strings:
        $ = "/invite/${"
        $ = "inviteUUID" nocase
        $ = "The content is copied to the clipboard"
        $ = "react.element"
        $ = "Interview" nocase
    condition:
        all of them and filesize < 5MB
}
rule apt_Lazarus_ClickFake_Go_Backdoor_strings {
    meta:
        id = "77f85517-2446-4251-a684-10888312f190"
        version = "1.0"
        malware = "GolangGhost"
        intrusion_set = "Lazarus"
        description = "Detects Lazarus Go interpreted Backdoor"
        source = "Sekoia.io"
        creation_date = "2025-03-20"
        classification = "TLP:GREEN"
        hash = "341ba2e57a0f108be75a1515d32a008a"
    strings:
        $ = "func processInfo("
        $ = "func processUpload("
        $ = "func processWait("
        $ = "func processOsShell("
        $ = "func StartMainLoop("
    condition:
        uint32be(0) == 0x7061636b and    // "pack": the source starts with a Go package clause
        3 of them
}
rule apt_Lazarus_ClickFake_NodeJS_Downloader {
    meta:
        id = "c74b47ef-7105-4382-b4af-80652ad4047d"
        version = "1.0"
        intrusion_set = "Lazarus"
        malware = "GolangGhost"
        description = "Detects the NodeJS Downloader"
        source = "Sekoia.io"
        creation_date = "2025-03-20"
        classification = "TLP:GREEN"
        hash = "7978d40bd5ca56021f6c250f564e7e27"
    strings:
        $ = "spawn('tar', ['-xf"
        $ = "/t', 'REG_SZ"
        $ = "curl/"
    condition:
        uint32be(0) == 0x636f6e73 and    // "cons": the script starts with a const declaration
        filesize < 10KB and
        all of them
}
rule apt_Lazarus_ClickFake_NodeVBS_Launcher {
    meta:
        id = "7c869b72-21ff-463c-b12e-cbd629ca8cc6"
        version = "1.0"
        intrusion_set = "Lazarus"
        malware = "GolangGhost"
        description = "Detects Node VBS launcher used in the ClickFake campaign"
        source = "Sekoia.io"
        creation_date = "2025-03-20"
        classification = "TLP:GREEN"
        hash = "ce37c75d35c82f933e14b00f32c25373"
    strings:
        $s = "objShell.Run \"cmd /c node "
    condition:
        uint32be(0) == 0x53657420 and    // "Set ": the script starts with a Set statement
        $s in (filesize-50..filesize)    // the launcher call sits in the last 50 bytes
}
rule apt_Lazarus_ClickFake_Interview_FrostyFerret {
    meta:
        id = "12f06933-b0f0-438f-a139-6d0b25ff32e1"
        malware = "FrostyFerret"
        intrusion_set = "Lazarus"
        description = "Detects FrostyFerret based on strings"
        source = "Sekoia.io"
        creation_date = "2025-03-19"
        classification = "TLP:GREEN"
        hash = "69bf17d2fb810df08180f0d5b7ce4537"
    strings:
        $ = "content.dropboxapi.com/2/files/upload"
        $ = "Failed to get public IP address."
        $ = "Failed to convert password to data"
        $ = "The password you entered is incorrect. Please try again."
        $ = "Please enter your password to proceed."
    condition:
        // Mach-O universal (fat) binary; 0xcafebabe is also the Java class magic,
        // so the string requirement is what keeps Java classes out
        uint32be(0) == 0xcafebabe and
        3 of them
}
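Every rule above except the ReactJS one opens with a file-type gate on the first bytes of the sample. The Python below is an added example, not code from the Sekoia.io report: it reproduces those gates so a batch of samples can be bucketed before YARA runs, reports which rules each sample could still match, and handles two caveats worth knowing before deploying the rules as written. First, 0xCAFEBABE, the gate of the FrostyFerret rule, is both the Mach-O universal (fat) binary magic and the Java class-file magic; the nfat_arch-versus-major_version heuristic used below is the one file(1) relies on. Second, the compiled GolangGhost rule lists only thin Mach-O magics, so a universal binary wrapping the backdoor would not pass its gate. The RULE_GATES mapping is this example's reading of the conditions, and all sample headers are constructed.

```python
"""Header triage mirroring the file-type gates of the YARA rules above.

Added example (not from the Sekoia.io report). Buckets a sample by its first
bytes the same way the rule conditions do, lists which rules' gates it would
pass, and handles the 0xCAFEBABE ambiguity (Mach-O fat vs Java class).
All sample headers below are constructed.
"""
import struct

# Thin Mach-O magics exactly as the GolangGhost_Compiled rule lists them
# (it reads uint32(0) little-endian, so both byte orders appear).
MACHO_THIN = {0xFEEDFACF, 0xCFFAEDFE, 0xFEEDFACE, 0xCEFAEDFE}

# Literal prefixes the source-code rules use as gates (uint32be(0) == ...):
# 0x7061636b "pack", 0x636f6e73 "cons", 0x53657420 "Set ".
TEXT_GATES = {b"pack": "go-source", b"cons": "js-source", b"Set ": "vbs"}


def classify_header(data: bytes) -> str:
    """Return a bucket label derived from the first bytes of a file."""
    if len(data) < 8:
        return "too-short"
    if data[:2] == b"MZ":                      # uint16(0) == 0x5a4d
        return "pe"
    if data[:4] == b"\x7fELF":                 # uint32(0) == 0x464c457f
        return "elf"
    if struct.unpack("<I", data[:4])[0] in MACHO_THIN:
        return "macho"
    if struct.unpack(">I", data[:4])[0] == 0xCAFEBABE:
        # Fat Mach-O: bytes 4..8 are nfat_arch, a small big-endian count.
        # Java class: bytes 4..8 are minor_version then major_version, and the
        # major version is >= 45 for every JDK, so the same 4 bytes read as a
        # big-endian integer are >= 45. This is the file(1) heuristic.
        return "macho-fat" if struct.unpack(">I", data[4:8])[0] < 45 else "java-class"
    if data[:4] == b"PK\x03\x04":              # uint32be(0) == 0x504b0304
        return "zip"
    if data.startswith(b"#!/bin/bash"):        # $s0 at 0 in the installer rule
        return "bash"
    for prefix, label in TEXT_GATES.items():
        if data.startswith(prefix):
            return label
    return "other"


# Which buckets each rule's opening condition lets through. The ReactJS rule
# has no magic gate, so it is a candidate for everything (None). This mapping
# is this example's reading of the rules, not part of the rules themselves.
RULE_GATES = {
    "apt_Lazarus_MacOs_ClickFake_Interview_bash_installer": {"bash"},
    "apt_Lazarus_ClickFake_GolangGhost_Compiled": {"pe", "elf", "macho"},
    "apt_Lazarus_ClickFake_ZIP_with_GolangGhost": {"zip"},
    "apt_Lazarus_ClickFake_JavaScript": None,
    "apt_Lazarus_ClickFake_Go_Backdoor_strings": {"go-source"},
    "apt_Lazarus_ClickFake_NodeJS_Downloader": {"js-source"},
    "apt_Lazarus_ClickFake_NodeVBS_Launcher": {"vbs"},
    # 0xCAFEBABE passes both; the string block is what then rejects Java.
    "apt_Lazarus_ClickFake_Interview_FrostyFerret": {"macho-fat", "java-class"},
}


def candidate_rules(data: bytes) -> list:
    """Rules whose file-type gate this sample passes, in rule order."""
    bucket = classify_header(data)
    return [name for name, gate in RULE_GATES.items() if gate is None or bucket in gate]


# Constructed sample headers (padded so each is at least 8 bytes).
SAMPLES = {
    "pe":         b"MZ\x90\x00" + b"\x00" * 60,
    "elf":        b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8,
    "macho_thin": struct.pack("<I", 0xFEEDFACF) + b"\x00" * 12,
    "macho_fat":  struct.pack(">I", 0xCAFEBABE) + struct.pack(">I", 2) + b"\x00" * 8,
    "java_class": struct.pack(">I", 0xCAFEBABE) + struct.pack(">HH", 0, 65) + b"\x00" * 8,
    "zip":        b"PK\x03\x04\x14\x00\x00\x00" + b"\x00" * 8,
    "bash":       b"#!/bin/bash\nZIP_URL=$ZIP_\n",
    "go_source":  b"package main\n",
    "js_source":  b"const { spawn } = require('child_process');\n",
    "vbs":        b'Set objShell = CreateObject("WScript.Shell")\n',
}


def triage(samples: dict) -> dict:
    """name -> (bucket, candidate rule names) for a batch of samples."""
    return {name: (classify_header(d), candidate_rules(d)) for name, d in samples.items()}


if __name__ == "__main__":
    for name, (bucket, rules) in triage(SAMPLES).items():
        print(f"{name:<11} {bucket:<11} {', '.join(r.split('_', 2)[-1] for r in rules)}")
```

The triage output makes the two caveats visible: the constructed Java class is a candidate for the FrostyFerret rule (its gate passes, only the strings would reject it), and the constructed fat Mach-O is not a candidate for the compiled GolangGhost rule at all. Anyone deploying these rules on a macOS fleet where universal binaries are common may want to add the 0xcafebabe magic to that rule's gate.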