From Contagious to ClickFake Interview: Lazarus leveraging the ClickFix tactic
2025-03-31 • SEKOIA
https://blog.sekoia.io/clickfake-interview-campaign-by-lazarus/
Sekoia describes ClickFake Interview, a Lazarus campaign that targets cryptocurrency job seekers through fake interview websites and uses ClickFix-style instructions to make victims run malicious commands. The operation is assessed with high confidence as a continuation of Contagious Interview, based on overlaps in social engineering flow and infrastructure. Windows victims receive a VBS and NodeJS chain that installs the GolangGhost backdoor, while macOS victims run a Bash chain that drops malicious components, uses FrostyFerret to steal the system password, and then launches GolangGhost for remote control and browser data theft. Sekoia says the campaign focuses on centralized finance targets and may be aimed at less technical crypto employees who are less likely to question the command prompt.
Indicators of Compromise