Summary: North Korean threat actors, notably the Lazarus Group, have employed a new social engineering tactic called ClickFix to lure job seekers within the cryptocurrency sector, delivering a Go-based backdoor named GolangGhost on Windows and macOS. In parallel, a surge in fraudulent IT worker schemes has been detected in Europe, with North Korean nationals posing as legitimate remote workers to generate illicit revenue while circumventing international sanctions. This marks a notable shift from past campaigns that targeted developers, with the focus now on centralized finance entities and non-technical job roles.
Affected: Cryptocurrency companies and IT organizations in Europe
Keypoints:
- North Korean attackers are using legitimate job interview websites to deploy malware targeting job seekers in the cryptocurrency sector.
- The ClickFix tactic involves enticing victims to download malware-laden video conferencing software under the guise of a job interview.
- Fraudulent IT worker schemes have expanded in Europe, with North Korean nationals assuming false identities and providing various IT services while avoiding detection.
- Victims of these schemes are often manipulated into ransom payments to safeguard proprietary data.
- The scheme indicates a strategic evolution, focusing on companies with Bring Your Own Device (BYOD) policies to exploit less secure environments.
Source: https://thehackernews.com/2025/04/lazarus-group-targets-job-seekers-with.html