Lazarus group intensifies its attacks with the ClickFake Interview campaign, targeting major cryptocurrency firms and posing a severe security threat

Continue reading
The Lazarus Group, a state-sponsored threat actor linked to North Korea’s Reconnaissance General Bureau (RGB), has long targeted the cryptocurrency industry to fund its regime. Recent findings from Sekoia's Threat Detection and Response (TDR) investigations have revealed a new campaign, "ClickFake Interview," which uses fake job interview websites to deploy sophisticated malware, namely GolangGhost and FrostyFerret. This article unpacks the entire campaign, its technical methodologies, and how it marks a significant evolution in Lazarus' tactics.
Lazarus is one of the most notorious cyber threat groups globally, attributed to North Korea’s intelligence apparatus. The group has been active since at least 2009, specializing in espionage, financial theft, and cyber warfare, focusing on the cryptocurrency ecosystem since 2017. Lazarus uses cybercrime to bypass international sanctions, supporting North Korea's missile and nuclear programs.
Lazarus' shift toward cryptocurrency theft has been well-documented. In 2024 alone, the group was responsible for over $1.3 billion in stolen funds from cryptocurrency platforms, marking a drastic increase in its targeting of centralized financial platforms (CeFi) over decentralized finance (DeFi). This trend signifies Lazarus’ evolving tactics and expanding focus.
In 2025, Sekoia’s TDR team identified ClickFake Interview, a sophisticated campaign by Lazarus that targets job seekers in the cryptocurrency industry. Lazarus deploys malware that facilitates remote access and data exfiltration by exploiting fake job interview websites.
Before ClickFake Interview, Lazarus operated under campaigns like Contagious Interview and Operation Dream Job, targeting software developers and engineers through fake job offers. While these campaigns used similar social engineering tactics, ClickFake Interview leverages a more refined attack method, with distinct technical differences.
The ClickFake Interview campaign begins with the targeting of individuals via social media, where they are invited to participate in a job interview through a fake website. These websites mimic legitimate job platforms and use ReactJS to dynamically load interview content, creating the illusion of a professional recruitment process.
GolangGhost is an interpreted Go-based backdoor used by Lazarus for remote control and data theft. It can exfiltrate browsing data, including credentials and cryptocurrency wallets. GolangGhost supports a variety of commands, such as uploading and downloading files, executing shell commands, and gathering Chrome browser data.
FrostyFerret is a credential stealer that targets macOS systems. When executed, it presents a fake UI prompting the victim for their system password. Regardless of whether the password is entered correctly, the malware exfiltrates the password to an external Dropbox location.
Lazarus has shifted its focus from DeFi to centralized finance (CeFi) platforms, which act as intermediaries for cryptocurrency transactions. CeFi platforms like Coinbase, Kraken, Bybit, and BlockFi are prime targets due to their central control over user funds and transactions.
Unlike previous campaigns targeting software developers and engineers, the ClickFake Interview campaign has expanded its scope to include non-technical profiles, such as business development managers, asset managers, and decentralized finance specialists. This shift in targeting indicates a new strategy aimed at less technically savvy individuals, who are less likely to detect the malicious commands.
The ClickFix tactic has evolved, making detection more difficult. However, security professionals can track suspicious activity by correlating behaviors such as curl.exe, PowerShell, and wscript.exe actions in quick succession. Custom detection rules can be created using tools like Sigma to identify these activities within a short time frame.
Detection rules can correlate actions involving:
Another advanced method for detecting ClickFake activities involves using Sekoia’s Operating Language (SOL), which allows security analysts to hunt for specific indicators like curl commands and wscript execution within a set time frame.
Sekoia provides a series of YARA rules to detect malicious files and scripts associated with the ClickFake Interview campaign. These rules help security teams identify GolangGhost backdoors and other malicious components in the malware chain.

A single ClickFix infrastructure is pushing StealC, Amatera, Remus, NetSupport, CastleLoader and a new loader called ResiLoader through fake Google/Cloudflare checks.