Traps Beneath Fault Repair: Analysis of Recent Attacks Using ClickFix Technique

Sept. 1, 2025, 10:30 a.m.

Description

Lazarus, an APT group with suspected North Korean origins, has recently added the ClickFix social engineering technique to its phishing campaigns. The group, long known for targeting financial institutions and cryptocurrency exchanges, now uses fake job offers to lure victims onto bogus interview websites. These sites claim the candidate's camera is not working and walk the victim through a 'fix' that in fact downloads malware disguised as an Nvidia driver update. The downloaded package deploys a Node.js runtime and runs BeaverTail, a tool already common in Lazarus campaigns. On Windows 11 systems an additional backdoor (drvUpdate.exe) is installed; macOS users are targeted as well. The malware establishes persistence and connects to command and control servers for further instructions and data exfiltration.

Date

  • Created: Sept. 1, 2025, 9:56 a.m.
  • Published: Sept. 1, 2025, 9:56 a.m.
  • Modified: Sept. 1, 2025, 10:30 a.m.

Indicators

  • 979d20f83f4e992f96f6a23b5119e84959ce82f4a7d4af78b4094b87a05b6260
  • 61525e782cde36d5ed807084f6427d06f2915114b8dc7b33febd3b2566115541
  • 45.89.53.54
  • 45.159.248.110
  • 103.231.75.101
  • https://driverservices.store/visiodrive/nvidiaReleasenew.zip
  • https://driverservices.store/visiodrive/arm64-fixernew
  • https://driverservices.store/visiodrive/nvidiaRelease.zip
  • https://driverservices.store/visiodrive/arm64-fixer
  • https://block-digital.online/drivers/cam_driver
  • http://45.89.53.54
  • http://45.159.248.110/payload/xyz2
  • http://45.159.248.110/client/xyz2
  • http://45.159.248.110/brow/xyz2
  • http://45.159.248.110
  • http://103.231.75.101:8888
  • driverservices.store
  • block-digital.online
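The indicator list above mixes SHA-256 hashes, IPv4 addresses, full URLs and bare domains, which need different matching rules. As an added example that is not part of the original advisory, the script below loads that list into typed sets and runs them over constructed proxy log lines and a constructed file inventory. Hosts are extracted from the URL indicators and matched on their own, so a new path on a known C2 host still fires, and domains are matched by suffix so subdomains count; the log format, client addresses and file paths are assumptions.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Indicators copied from the advisory above.
INDICATORS = """
979d20f83f4e992f96f6a23b5119e84959ce82f4a7d4af78b4094b87a05b6260
61525e782cde36d5ed807084f6427d06f2915114b8dc7b33febd3b2566115541
45.89.53.54
45.159.248.110
103.231.75.101
https://driverservices.store/visiodrive/nvidiaReleasenew.zip
https://driverservices.store/visiodrive/arm64-fixernew
https://driverservices.store/visiodrive/nvidiaRelease.zip
https://driverservices.store/visiodrive/arm64-fixer
https://block-digital.online/drivers/cam_driver
http://45.89.53.54
http://45.159.248.110/payload/xyz2
http://45.159.248.110/client/xyz2
http://45.159.248.110/brow/xyz2
http://45.159.248.110
http://103.231.75.101:8888
driverservices.store
block-digital.online
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.I)


def classify(ioc):
    """Return (type, normalized value) for one indicator string."""
    ioc = ioc.strip()
    if SHA256_RE.match(ioc):
        return "sha256", ioc.lower()
    if "://" in ioc:
        return "url", ioc.rstrip("/")
    try:
        ip_address(ioc)
        return "ipv4", ioc
    except ValueError:
        return "domain", ioc.lower().rstrip(".")


def load_iocs(text):
    """Parse the indicator text into typed sets; hosts inside URL IOCs become IOCs too."""
    iocs = {"sha256": set(), "url": set(), "ipv4": set(), "domain": set()}
    for line in text.splitlines():
        if line.strip():
            kind, val = classify(line)
            iocs[kind].add(val)
    for url in list(iocs["url"]):
        host = urlsplit(url).hostname
        if host:
            kind, val = classify(host)
            iocs[kind].add(val)
    return iocs


def host_matches(host, iocs):
    """True if host is a listed IP, a listed domain, or a subdomain of one."""
    host = host.lower().rstrip(".")
    if host in iocs["ipv4"]:
        return True
    parts = host.split(".")
    return any(".".join(parts[i:]) in iocs["domain"] for i in range(len(parts)))


# Constructed proxy log (not from the advisory): "timestamp client method url status".
PROXY_LOG = """\
2025-08-29T10:01:12Z 10.0.0.15 GET https://driverservices.store/visiodrive/nvidiaRelease.zip 200
2025-08-29T10:01:40Z 10.0.0.15 GET http://45.159.248.110/payload/xyz2 200
2025-08-29T10:02:03Z 10.0.0.22 GET https://www.example.com/index.html 200
2025-08-29T10:02:30Z 10.0.0.15 POST http://103.231.75.101:8888/ 200
2025-08-29T10:03:01Z 10.0.0.31 GET https://cdn.block-digital.online/assets/app.js 200
"""


def scan_proxy_log(log, iocs):
    """Return (client, url, reasons) for every log line touching an indicator."""
    hits = []
    for line in log.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        client, url = fields[1], fields[3]
        reasons = []
        if url.rstrip("/") in iocs["url"]:
            reasons.append("url")
        host = urlsplit(url).hostname
        if host and host_matches(host, iocs):
            reasons.append("host")
        if reasons:
            hits.append((client, url, reasons))
    return hits


# Constructed file inventory (path, sha256); only the first hash is from the advisory.
FILES = [
    ("C:\\Users\\dev\\Downloads\\nvidiaRelease.zip",
     "979D20F83F4E992F96F6A23B5119E84959CE82F4A7D4AF78B4094B87A05B6260"),
    ("C:\\Windows\\System32\\notepad.exe", "0" * 64),
]


def scan_hashes(files, iocs):
    """Return paths whose SHA-256 (case-insensitive) is a listed indicator."""
    return [path for path, digest in files if digest.lower() in iocs["sha256"]]


if __name__ == "__main__":
    iocs = load_iocs(INDICATORS)
    for client, url, why in scan_proxy_log(PROXY_LOG, iocs):
        print(f"{client} -> {url} ({', '.join(why)})")
    for path in scan_hashes(FILES, iocs):
        print(f"hash match: {path}")
```

Suffix matching is deliberately asymmetric: cdn.block-digital.online matches, but driverservices.store.example.com does not. Shared hosting IPs and domains that get re-registered go stale quickly, so keep the IP and domain entries dated and expire them; the file hashes stay valid for as long as the samples circulate.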

Attack Patterns

Additional Information

  • Technology
  • Finance