Lazarus APT: Techniques for Hunting Contagious Interview

2025-01-16 Validin

https://www.validin.com/blog/inoculating_contagious_interview_with_validin/


Lazarus is described as using ClickFix social engineering in the Contagious Interview campaign to target job seekers, especially software developers, through fake recruiter workflows on platforms such as LinkedIn, Telegram, and Discord. Victims are led to fake video-interview sites where a camera-access prompt instructs them to copy and run malicious commands, with payloads varying across macOS, Windows, and Linux and linked to malware families such as BeaverTail, InvisibleFerret, and CivetQ. The hunting workflow pivots from willointerview[.]com and 23.254.244[.]74 to related domains using Validin data such as DNS resolutions, Hostwinds hosting, shared host-meta response features, certificate transparency, lookalike domains, and naming patterns around crypto, hiring, talent, interview, and blockchain themes. The source stresses that pivots can include legitimate Willo infrastructure and must be verified, for example by checking campaign-specific paths, before treating related domains as indicators.

Indicators of Compromise

