The North Korean threat actors behind Contagious Interview have adopted the increasingly popular ClickFix social engineering tactic to lure job seekers in the cryptocurrency sector to deliver a previously undocumented Go-based backdoor called GolangGhost on Windows and macOS systems.
The new activity, assessed to be a continuation of the campaign, has been codenamed ClickFake Interview by French cybersecurity company Sekoia. Contagious Interview, also tracked as DeceptiveDevelopment, DEV#POPPER, and Famous Chollima, is known to be active since at least December 2022, although it was only publicly documented for the first time in late 2023.
“It uses legitimate job interview websites to leverage the ClickFix tactic and install Windows and macOS backdoors,” Sekoia researchers Amaury G., Coline Chavane, and Felix Aimé said, attributing the effort to the infamous Lazarus Group, a prolific adversary attributed to the Reconnaissance General Bureau (RGB) of the Democratic People’s Republic of Korea (DPRK).
A notable aspect of the campaign is that it primarily targets centralized finance entities by impersonating companies like Coinbase, KuCoin, Kraken, Circle, Securitize, BlockFi, Tether, Robinhood, and Bybit, marking a departure from the hacking group’s attacks against decentralized finance (DeFi) entities.
Contagious Interview, like Operation Dream Job, employs fake job offers as lures to attract prospective targets and dupe them into downloading malware that can steal cryptocurrency and other sensitive data.
As part of the effort, candidates are approached via LinkedIn or X to prepare for a video call interview, for which they are asked to download a malware-laced videoconferencing software or open-source project that activates the infection process.
Lazarus Group’s use of the ClickFix tactic was first disclosed towards the end of 2024 by security researcher Taylor Monahan, with the attack chains leading to the deployment of a family of malware called FERRET that then delivers the Golang backdoor.
In this iteration of the campaign, victims are asked to visit a purported video interviewing service named Willo and complete a video assessment of themselves.
“The entire setup, meticulously designed to build user trust, proceeds smoothly until the user is asked to enable their camera,” Sekoia explained. “At this point, an error message appears indicating that the user needs to download a driver to fix the issue. This is where the operator employs the ClickFix technique.”
The instructions given to the victim to enable access to the camera or microphone vary depending on the operating system used. On Windows, the targets are prompted to open Command Prompt and execute a curl command to execute a Visual Basic Script (VBS) file, which then launches a batch script to run GolangGhost.
In the event the victim is visiting the site from a macOS machine, they are similarly asked to launch the Terminal app and run a curl command to run a shell script. The malicious shell script, for its part, runs a second shell script that, in turn, executes a stealer module dubbed FROSTYFERRET (aka ChromeUpdateAlert) and the backdoor.
FROSTYFERRET displays a fake window stating the Chrome web browser needs access to the user’s camera or microphone, after which it displays a prompt to enter the system password. The entered information, regardless of whether it’s valid or otherwise, is exfiltrated to a Dropbox location, likely indicating an attempt to access the iCloud Keychain using the stolen password.
GolangGhost is engineered to facilitate remote control and data theft through several commands that allow it to upload/download files, send host information, and steal web browser data.
“It was found that all the positions were not related to technical profiles in software development,” Sekia noted. “They are mainly jobs of manager focusing on business development, asset management, product development or decentralised finance specialists.”
“This is a significant change from previous documented campaigns attributed to DPRK-nexus threat actors and based on fake job interviews, which mainly targeted developers and software engineers.”
North Korea IT Worker Scheme Becomes Active in Europe
The development comes as the Google Threat Intelligence Group (GTIG) said it has observed a surge in the fraudulent IT worker scheme in Europe, underscoring a significant expansion of their operations beyond the United States.
The IT worker activity entails North Korean nationals posing as legitimate remote workers to infiltrate companies and generate illicit revenue for Pyongyang in violation of international sanctions.
Increased awareness of the activity, coupled with the U.S. Justice Department indictments, have instigated a “global expansion of IT worker operations,” Google said, noting it uncovered several fabricated personas seeking employment in various organizations located in Germany and Portugal.
The IT workers have also been observed undertaking various projects in the United Kingdom related to web development, bot development, content management system (CMS) development, and blockchain technology, often falsifying their identities and claiming to be from Italy, Japan, Malaysia, Singapore, Ukraine, the United States, and Vietnam.
This tactic of IT workers posing as Vietnamese, Japanese, and Singaporean nationals was also highlighted by managed intelligence firm Nisos early last month, while also pointing out their use of GitHub to carve new personas or recycle portfolio content from older personas to reinforce their new ones.
“IT workers in Europe were recruited through various online platforms, including Upwork, Telegram, and Freelancer,” Jamie Collier, Lead Threat Intelligence Advisor for Europe at GTIG, said. “Payment for their services was facilitated through cryptocurrency, the TransferWise service, and Payoneer, highlighting the use of methods that obfuscate the origin and destination of funds.”
Besides using local facilitators to help them land jobs, the insider threat operation is witnessing what appears to be a spike in extortion attempts since October 2024, when it became public knowledge that these IT workers are resorting to ransom payments from their employers to prevent them from releasing proprietary data or to provide it to a competitor.
In what appears to be a further evolution of the scheme, the IT workers are now said to be targeting companies that operate a Bring Your Own Device (BYOD) policy owing to the fact that such devices are unlikely to have traditional security and logging tools used in enterprise environments.
“Europe needs to wake up fast. Despite being in the crosshairs of IT worker operations, too many perceive this as a US problem. North Korea’s recent shifts likely stem from US operational hurdles, showing IT workers’ agility and ability to adapt to changing circumstances,” Collier said.
“A decade of diverse cyberattacks precedes North Korea’s latest surge – from SWIFT targeting and ransomware, to cryptocurrency theft and supply chain compromise. This relentless innovation demonstrates a longstanding commitment to fund the regime through cyber operations.”
https://thehackernews.com/2025/04/lazarus-group-targets-job-seekers-with.html
