The Lazarus Group, a notorious North Korean state-sponsored hacking group, has launched a new campaign targeting job seekers in the cryptocurrency sector. Using a tactic dubbed “ClickFix,” they distribute the GolangGhost malware on both Windows and macOS systems. This attack leverages fraudulent IT job offers to lure victims, particularly in Europe, where such schemes are increasing.
You Should Know:
1. How the Attack Works
- Attackers pose as recruiters offering fake crypto-related job opportunities.
- Victims receive malicious documents or links (ClickFix) that deploy GolangGhost malware.
- The malware enables remote access, data theft, and further exploitation.
2. Detection & Mitigation
For Windows:
- Use Windows Defender or third-party AV to scan for suspicious files:
Get-MpThreatDetection | Where-Object { $_.InitialDetectionTime -gt (Get-Date).AddDays(-7) }
- Check running processes for Golang-based malware:
tasklist /svc | findstr /i "go"
For macOS:
- Verify downloaded applications with Gatekeeper:
spctl --assess -v /Applications/SuspiciousApp.app
- Monitor network connections:
lsof -i | grep -E "(go|unknown)"
3. Defensive Measures
- Verify job offers by checking company websites and official channels.
- Use sandboxing to test suspicious files:
docker run --rm -it ubuntu bash   # isolated testing
- Block IOCs (Indicators of Compromise) in firewalls:
sudo iptables -A INPUT -s [Malicious_IP] -j DROP
4. Additional Security Checks
- Windows Event Log Analysis:
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688} | Where-Object { $_.Message -like "*go.exe*" }
- macOS Launch Agents/Daemons Check:
ls -la /Library/LaunchAgents /Library/LaunchDaemons ~/Library/LaunchAgents
What Undercode Say
The Lazarus Group continues to evolve, now exploiting job seekers in the crypto space. Their GolangGhost malware demonstrates the growing sophistication of North Korean cyber operations. Defenders must:
- Monitor Golang-based processes (uncommon in typical systems).
- Enforce strict email filtering to block phishing attempts.
- Educate employees on verifying job offers before engaging.
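The process checks above (tasklist/lsof filtered on "go", and the 4688 event filter) only match binaries whose name happens to contain "go". A more reliable way to tell whether a suspicious executable is Go-compiled is to look for the build-info header the Go linker embeds (magic "\xff Go buildinf:", followed by pointer size, flags, and, for Go 1.18+, the inline toolchain version). The triage helper below is an added example, not code from the original post; the sample byte strings are constructed, not real malware, and the function, constant and file names are assumptions.

```python
"""Triage helper: flag an executable as Go-compiled by locating the Go build-info
header and, where it is stored inline (Go 1.18+), recover the toolchain version."""
from pathlib import Path

GO_BUILDINFO_MAGIC = b"\xff Go buildinf:"   # 14 bytes, emitted by the Go linker since Go 1.13
GO_BUILD_ID_MARKER = b"Go build ID: \""    # older, weaker indicator found in most Go binaries
HEADER_SIZE = 32                            # magic(14) + ptrsize(1) + flags(1) + 16 reserved bytes
FLAG_VERSION_INLINE = 0x2                   # Go 1.18+: version and modinfo follow as varint-prefixed strings


def _read_uvarint(buf: bytes, off: int):
    """Decode an unsigned LEB128 varint (Go's binary.Uvarint) at buf[off:]; return (value, next_off)."""
    result, shift = 0, 0
    while True:
        b = buf[off]
        off += 1
        result |= (b & 0x7F) << shift
        if b < 0x80:
            return result, off
        shift += 7


def go_build_info(data: bytes) -> dict:
    """Return {'is_go': bool, 'version': str | None, 'indicator': str | None} for a file's bytes."""
    idx = data.find(GO_BUILDINFO_MAGIC)
    if idx == -1:
        if GO_BUILD_ID_MARKER in data:
            return {"is_go": True, "version": None, "indicator": "build-id string"}
        return {"is_go": False, "version": None, "indicator": None}
    version = None
    if idx + HEADER_SIZE <= len(data):
        flags = data[idx + 15]                  # byte after the 14-byte magic and the 1-byte pointer size
        if flags & FLAG_VERSION_INLINE:         # Go 1.13-1.17 use pointers instead; not dereferenced here
            length, off = _read_uvarint(data, idx + HEADER_SIZE)
            version = data[off:off + length].decode("ascii", "replace")
    return {"is_go": True, "version": version, "indicator": "buildinfo header"}


def scan_file(path: str) -> dict:
    """Convenience wrapper: run go_build_info() over a file on disk."""
    return go_build_info(Path(path).read_bytes())


# Constructed samples (hypothetical, not real malware): one fake PE carrying a Go 1.22 build-info
# header with the version stored inline, and one plain non-Go PE stub.
SAMPLE_GO = (b"MZ" + b"\x00" * 40 + GO_BUILDINFO_MAGIC + bytes([8, FLAG_VERSION_INLINE])
             + b"\x00" * 16 + b"\x08go1.22.3" + b"\x00" * 8)
SAMPLE_OTHER = b"MZ" + b"\x00" * 64 + b"This program cannot be run in DOS mode"

if __name__ == "__main__":
    for name, blob in (("sample_go", SAMPLE_GO), ("sample_other", SAMPLE_OTHER)):
        print(name, go_build_info(blob))
```

A hit is a triage signal, not a verdict: plenty of legitimate tooling is written in Go, so follow up with the Gatekeeper, network and persistence checks listed above.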
Expected Output:
- Windows: Suspicious Golang process detected.
- macOS: Unauthorized network connection from Go binary.
- Firewall logs: Blocked malicious IPs linked to Lazarus Group.
Reference: Cybersecurity News
Reported By: Hendryadrian Northkorea – Hackers Feeds