North Korean threat actors behind the Contagious Interview campaign have adopted the increasingly popular ClickFix social engineering tactic. This tactic is used to lure job seekers in the cryptocurrency sector into delivering a previously undocumented Go-based backdoor, known as GolangGhost, on Windows and macOS systems.

The new activity, assessed to be a continuation of the campaign, has been codenamed ClickFake Interview by French cybersecurity company Sekoia. Contagious Interview, also tracked as DeceptiveDevelopment, DEV#POPPER, and Famous Chollima, has been active since at least December 2022, although it was only publicly documented for the first time in late 2023.

According to Sekoia researchers Amaury G., Coline Chavane, and Felix Aimé, “It uses legitimate job interview websites to leverage the ClickFix tactic and install Windows and macOS backdoors.” The effort is attributed to the infamous Lazarus Group, a prolific adversary linked to the Reconnaissance General Bureau (RGB) of the Democratic People’s Republic of Korea (DPRK).

A notable aspect of the campaign is that it primarily targets centralized finance entities by impersonating companies like Coinbase, KuCoin, Kraken, Circle, Securitize, BlockFi, Tether, Robinhood, and Bybit. This marks a departure from the hacking group’s attacks against decentralized finance (DeFi) entities.

Contagious Interview, like Operation Dream Job, employs fake job offers as lures to attract prospective targets and dupe them into downloading malware that can steal cryptocurrency and other sensitive data.

As part of the effort, candidates are approached via LinkedIn or X to prepare for a video call interview. They are asked to download a malware-laced videoconferencing software or open-source project that activates the infection process.

Lazarus Group’s use of the ClickFix tactic was first disclosed towards the end of 2024 by security researcher Taylor Monahan. The attack chains lead to the deployment of a family of malware called FERRET, which then delivers the Golang backdoor.

In this iteration of the campaign, victims are asked to visit a purported video interviewing service named Willo and complete a video assessment of themselves.

“The entire setup, meticulously designed to build user trust, proceeds smoothly until the user is asked to enable their camera,” Sekoia explained. “At this point, an error message appears indicating that the user needs to download a driver to fix the issue. This is where the operator employs the ClickFix technique.”

The instructions given to the victim to enable access to the camera or microphone vary depending on the operating system used. On Windows, the targets are prompted to open Command Prompt and execute a curl command to execute a Visual Basic Script (VBS) file, which then launches a batch script to run GolangGhost.

On macOS, they are asked to launch the Terminal app and run a curl command to run a shell script. The malicious shell script runs a second shell script that executes a stealer module dubbed FROSTYFERRET (aka ChromeUpdateAlert) and the backdoor.

FROSTYFERRET displays a fake window stating that the Chrome web browser needs access to the user’s camera or microphone. Afterward, it displays a prompt to enter the system password. The entered information is exfiltrated to a Dropbox location, likely indicating an attempt to access the iCloud Keychain using the stolen password.

GolangGhost is engineered to facilitate remote control and data theft through several commands that allow it to upload/download files, send host information, and steal web browser data.

Sekoia noted, “It was found that all the positions were not related to technical profiles in software development. They are mainly jobs of manager focusing on business development, asset management, product development, or decentralized finance specialists.”

“This is a significant change from previous documented campaigns attributed to DPRK-nexus threat actors and based on fake job interviews, which mainly targeted developers and software engineers.”

North Korea IT Worker Scheme Becomes Active in Europe

The development comes as the Google Threat Intelligence Group (GTIG) said it has observed a surge in the fraudulent IT worker scheme in Europe. This marks a significant expansion of their operations beyond the United States.

The IT worker activity involves North Korean nationals posing as legitimate remote workers to infiltrate companies and generate illicit revenue for Pyongyang in violation of international sanctions.

Increased awareness of the activity, coupled with U.S. Justice Department indictments, has instigated a “global expansion of IT worker operations,” Google said. The company uncovered several fabricated personas seeking employment in various organizations located in Germany and Portugal.

The IT workers have also been observed undertaking various projects in the United Kingdom related to web development, bot development, content management system (CMS) development, and blockchain technology. They often falsify their identities and claim to be from Italy, Japan, Malaysia, Singapore, Ukraine, the United States, and Vietnam.

This tactic of IT workers posing as Vietnamese, Japanese, and Singaporean nationals was also highlighted by managed intelligence firm Nisos. They noted the use of GitHub to carve new personas or recycle portfolio content from older personas to reinforce their new ones.

“IT workers in Europe were recruited through various online platforms, including Upwork, Telegram, and Freelancer,” Jamie Collier, Lead Threat Intelligence Advisor for Europe at GTIG, said. “Payment for their services was facilitated through cryptocurrency, the TransferWise service, and Payoneer, highlighting the use of methods that obfuscate the origin and destination of funds.”

Besides using local facilitators to help them land jobs, the insider threat operation is witnessing what appears to be a spike in extortion attempts since October 2024. The IT workers are now said to be targeting companies that operate a Bring Your Own Device (BYOD) policy, as such devices are unlikely to have traditional security and logging tools used in enterprise environments.

“Europe needs to wake up fast. Despite being in the crosshairs of IT worker operations, too many perceive this as a US problem. North Korea’s recent shifts likely stem from US operational hurdles, showing IT workers’ agility and ability to adapt to changing circumstances,” Collier said.

“A decade of diverse cyberattacks precedes North Korea’s latest surge – from SWIFT targeting and ransomware, to cryptocurrency theft and supply chain compromise. This relentless innovation demonstrates a longstanding commitment to fund the regime through cyber operations.”