ClickFake Interview Campaign by Lazarus Targets Crypto Job Seekers


A new cyber campaign using fake job interviews to target cryptocurrency professionals has been uncovered by security researchers.

The operation, dubbed “ClickFake Interview,” was attributed to the North Korean Lazarus Group and involves social engineering tactics to distribute malicious software.

According to a report published by Sekoia today, the attack chain begins with fraudulent job postings on platforms like LinkedIn or X (formerly Twitter).

Threat actors posing as recruiters contact professionals in the cryptocurrency sector, inviting them to interviews. During the process, victims are tricked into opening malicious documents or clicking on compromised links, ultimately leading to malware infection.

The malware, identified as “ClickFix,” enables remote access to the victim’s system, allowing Lazarus to steal sensitive data, including cryptocurrency wallet credentials. The campaign is a continuation of the group’s long-running strategy of targeting financial institutions and cryptocurrency entities to fund the North Korean regime.


Sekoia highlighted that Lazarus has adapted its techniques over time, incorporating sophisticated deception strategies.

In this campaign, the group used genuine-looking documents and engaged in full-fledged interview conversations mimicking legitimate hiring processes to enhance credibility.

Once the malicious tool is installed, attackers can execute arbitrary commands, exfiltrate data and maintain persistent access to compromised systems.

Protecting Against ClickFake Attacks

Indicators of compromise (IOCs) linked to ClickFake include specific domains, hashes and malware signatures.

“A particular element of ClickFake Interview is that fake job offers are designed to attract profiles different from software developers and engineers,” Sekoia warned.

“This may reflect a new Lazarus strategy targeting cryptocurrency industry employees with limited technical expertise, making them less likely to detect the malicious curl command during the interview.”

Lazarus Group has been associated with several high-profile cyber heists, including the $620m Ronin Network breach.

Sekoia emphasized the importance of awareness, advanced threat detection and multi-layered security measures to mitigate risks.

To avoid falling victim to such scams, professionals should verify recruiter identities through official company websites, avoid downloading files or clicking links from unknown sources and use endpoint protection solutions to detect malicious activity.


