The North Korea-linked APT tracked as Lazarus has been using the ClickFix technique to deliver malware in recent attacks involving fake job opportunities for cryptocurrency developers.
Lazarus has been targeting the cryptocurrency ecosystem for years, stealing roughly $2 billion in virtual assets in 2023 and 2024. In March 2025, Lazarus stole $1.5 billion in cryptocurrency from UAE-based crypto exchange platform Bybit.
The group is also known to have targeted software developers, mainly those interested in cryptocurrency, as part of multiple campaigns, such as Operation Dream Job, Contagious Interview, and DeceptiveDevelopment.
According to cybersecurity firm Sekoia, the newly identified attacks are a continuation of the Contagious Interview campaign, which started in 2022, targeting cryptocurrency developers looking for new job opportunities with a Go backdoor named GolangGhost.
Dubbed ClickFake Interview, the fresh campaign relies on multiple fake job interview websites using the ClickFix technique to trick Windows and macOS users into installing malware.
The attacks begin with social media messages inviting the unsuspecting victims to fake cryptocurrency-related interviews. The target is served the URL for a third-party website where the fake interview is supposed to take place.
The threat actor set up dozens of fake interview websites, sending hundreds of invitations (Sekoia retrieved 184 different invitations) and impersonating over a dozen centralized and decentralized finance entities, including Coinbase, Archblock, KuCoin Exchange, Ripple, and Chainalysis.
The fake interview websites have the same user interface, use ReactJS to dynamically load content from a JavaScript file, and include around 10 tailored invitations.
Once on the website, the victim is asked to complete several steps, including filling out a contact form, responding to several questions, and using their device’s camera to record an introductory video, before getting ready for the interview.
The ClickFix technique is triggered when the victim attempts to enable the camera: the website serves them an error message claiming a driver needs to be installed and instructing them to download it by executing a specific code using the command prompt on Windows, or the Terminal app on macOS.
The infection chain results in the installation of GolangGhost, a backdoor written in Go that allows the attackers to download/upload files, execute shell commands, launch a Chrome stealer, and retrieve system information.
“It was found that all the positions were not related to technical profiles in software development. They are mainly jobs of manager focusing on business development, asset management, product development or decentralized finance specialists,” Sekoia notes.
Related: North Korean Hackers Targeting Freelance Software Developers
Related: North Korean APT Exploited IE Zero-Day in Supply Chain Attack
Related: North Korean Hackers Distributed Android Spyware via Google Play
Related: Iranian Hackers Target Aerospace Industry in ‘Dream Job’ Campaign
