Researchers Warn: DPRK Hackers Deploy BeaverTail via ClickFix in Fake Job Campaigns


359/68 Tuesday, September 23, 2025

Security researchers have discovered that North Korean (DPRK) hackers are leveraging the ClickFix technique to trick job seekers in marketing and cryptocurrency trading roles into installing the BeaverTail and InvisibleFerret malware. The campaign, part of the Contagious Interview operation (also tracked as Gwisin Gang) under the Lazarus Group, began in December 2022. BeaverTail was initially distributed through fake npm packages and spoofed meeting applications, later evolving into compiled binaries for Windows, macOS, and Linux using tools such as pkg and PyInstaller.

The campaign specifically targets marketing professionals and crypto traders through websites that prompt victims to record self-assessment videos. Victims are then shown fake microphone errors, which lead them to execute OS-specific commands that install the latest version of BeaverTail – designed to steal data from Google Chrome and certain browser extensions. The attack also employs password-protected archives to deliver InvisibleFerret Python modules, marking the first time this technique has been used in conjunction with BeaverTail.

Researchers from GitLab and SentinelOne noted that this shift represents a strategic pivot — moving from primarily targeting software developers to less technically skilled victims such as marketers and traders. The attackers rely on ClickFix and adaptable infrastructure that can rotate quickly if disrupted. Additionally, links were found to operations by other DPRK threat groups like ScarCruft (APT37) and Kimsuky (APT43), which have adopted more advanced tactics including Rust-based malware, espionage tools, and even AI-generated fake military IDs to infiltrate South Korean security agencies. These developments underscore North Korea’s increasingly sophisticated and diverse cyberwarfare strategies.

Source: https://thehackernews.com/2025/09/dprk-hackers-use-clickfix-to-deliver.html