ClickFake Interview

ClickFake Interview is a DPRK-linked social-engineering campaign referenced as involving fake job advertisements that trick applicants into copying and running malicious commands on a fake website. The provided content also notes overlap in “audio issue” lures with other North Korea-aligned activity, including BlueNoroff operations. In the cited reporting, BlueNoroff—a Lazarus Group sub-cluster also tracked as Alluring Pisces, APT38, Black Alicanto, Copernicium, Nickel Gladstone, Stardust Chollima, and TA444—targeted a Web3/cryptocurrency foundation employee via Telegram outreach, a Calendly link redirecting to a fake Zoom domain, and a group call featuring deepfaked executives. The victim was persuaded to install a malicious “Zoom extension” that delivered an AppleScript (“zoom_sdk_support.scpt”), which opened a legitimate Zoom SDK page while covertly downloading and executing additional payloads. Follow-on activity included disabling bash history, checking for and installing Rosetta 2, downloading additional binaries including /tmp/icloud_helper, prompting for the user’s system password, and clearing command history. Huntress identified eight malicious binaries on the host, including a Nim-based launcher (“Telegram 2”), the Go backdoor “Root Troy V4,” the C++ loader “InjectWithDyld,” the Objective-C keylogger/screen monitor “XScreen,” the Go-based crypto-focused infostealer “CryptoBot,” and “NetChk.” The content directly describes BlueNoroff as a Lazarus Group sub-cluster focused on financial and cryptocurrency theft for DPRK revenue generation, and associates it with TraderTraitor cryptocurrency heists.