Tracked as APT-Q-1 by Qi’anxin, the collective is leveraging a technique called ClickFix, turning fake job interviews into a delivery mechanism for malware. The campaign explicitly targets both Windows and macOS users, with a particular emphasis on Windows 11 environments.
In this campaign, victims searching for new job opportunities are directed to attacker-controlled interview websites. During the staged interview process, applicants are falsely informed that their web camera is misconfigured or malfunctioning.
To remedy the fictitious issue, they are urged to install an update posing as Nvidia software. Instead of fixing a problem, the downloaded package named nvidiaRelease.zip conceals multiple malicious files.
A batch script initiates the infection chain, followed by a Visual Basic script that checks the operating system.
Systems running Windows 11 are served a disguised executable called drvUpdate.exe, while additional scripts deploy Node.js to execute main.js, the BeaverTail information stealer.
BeaverTail then connects to a command-and-control server and retrieves another payload, the Python-based InvisibleFerret, ensuring continued surveillance on the victim’s machine.
The Windows 11-specific backdoor drvUpdate.exe gives Lazarus operators full control of the host. Through its connection to the control server at 103.231.75.101:8888 it harvests device details, runs arbitrary commands through cmd.exe, and reads or writes files at the attacker’s discretion.
Meanwhile, Node.js components support the execution of main.js, which exfiltrates sensitive data and communicates with an infrastructure node at 45.159.248.110.
macOS users are not spared; disguised downloads such as arm64-fixer and drivfixer.sh execute similar infection routines, including persistence established through LaunchAgents.
Across platforms, persistence is achieved through registry keys or plist files, ensuring that the malware relaunches after reboots. By embedding their malware in what appears to be a harmless troubleshooting process, Lazarus avoids suspicion and bypasses proactive defenses.
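The chain above (dropped files, drvUpdate.exe spawning cmd.exe, Node.js running main.js, the two reported C2 addresses, and Run-key or LaunchAgent persistence) maps directly onto endpoint telemetry. The following hunting script is an added example, not code from the article or from Qi’anxin: it checks constructed Sysmon-style JSON events (the event schema and the sample events are assumptions for illustration) against the indicators the article names. Treating the article’s “registry keys” as the usual Run keys is also an assumption.

```python
"""Hunt for the ClickFix/BeaverTail chain described above in endpoint telemetry.

Added example, not code from the article or from Qi'anxin. It checks
constructed Sysmon-style events (an assumed JSON-lines schema) for the file
names, process relationships and C2 addresses the article reports.
"""
import json

# Indicators named in the article (compared case-insensitively).
C2_ADDRESSES = {"103.231.75.101", "45.159.248.110"}
DROPPED_FILES = {"nvidiarelease.zip", "drvupdate.exe", "arm64-fixer", "drivfixer.sh"}
LAUNCH_AGENTS = "/library/launchagents/"
# Assumption: the "registry keys" the article mentions are the usual Run keys.
RUN_KEY_MARKER = "\\currentversion\\run"


def _basename(path: str) -> str:
    """Last path component for either Windows or POSIX separators, lower-cased."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify_event(ev: dict) -> list[str]:
    """Return the reasons (possibly none) this single event matches the chain."""
    hits = []
    kind = ev.get("type")
    if kind == "process":
        name = _basename(ev.get("image", ""))
        parent = _basename(ev.get("parent_image", ""))
        cmdline = ev.get("cmdline", "").lower()
        if name in DROPPED_FILES:
            hits.append(f"execution of reported dropper/backdoor {name}")
        # Node.js is benign on its own; the lure uses it to run main.js (BeaverTail).
        if name in ("node.exe", "node") and "main.js" in cmdline:
            hits.append("node.js executing main.js (BeaverTail stage)")
        # The Windows 11 backdoor runs attacker commands through cmd.exe.
        if name == "cmd.exe" and parent == "drvupdate.exe":
            hits.append("cmd.exe spawned by drvUpdate.exe")
    elif kind == "network":
        if ev.get("dest_ip") in C2_ADDRESSES:
            hits.append(f"connection to reported C2 {ev['dest_ip']}:{ev.get('dest_port')}")
    elif kind == "file":
        path = ev.get("path", "").lower()
        if LAUNCH_AGENTS in path and path.endswith(".plist"):
            hits.append("LaunchAgent plist written (macOS persistence)")
    elif kind == "registry":
        key = ev.get("key", "").lower()
        data = ev.get("data", "").lower()
        if RUN_KEY_MARKER in key and any(f in data for f in DROPPED_FILES):
            hits.append("Run-key persistence pointing at a reported file")
    return hits


def hunt(event_lines: list[str]) -> list[tuple[int, list[str]]]:
    """Parse JSON-lines telemetry and return (line number, reasons) for each match."""
    findings = []
    for idx, line in enumerate(event_lines, start=1):
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed telemetry must not abort the hunt
        reasons = classify_event(ev)
        if reasons:
            findings.append((idx, reasons))
    return findings


# Constructed sample telemetry: lines 1-7 model the chain, lines 8-9 are benign.
# Ports, parent processes and the plist name are illustrative, not from the article.
SAMPLE_EVENTS = [
    {"type": "process", "image": "C:\\Users\\u\\Downloads\\nvidiaRelease\\drvUpdate.exe",
     "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "drvUpdate.exe"},
    {"type": "process", "image": "C:\\Windows\\System32\\cmd.exe",
     "parent_image": "C:\\Users\\u\\Downloads\\nvidiaRelease\\drvUpdate.exe", "cmdline": "cmd.exe /c whoami"},
    {"type": "network", "image": "C:\\Users\\u\\Downloads\\nvidiaRelease\\drvUpdate.exe",
     "dest_ip": "103.231.75.101", "dest_port": 8888},
    {"type": "process", "image": "C:\\Users\\u\\Downloads\\nvidiaRelease\\node.exe",
     "parent_image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "node.exe main.js"},
    {"type": "network", "image": "C:\\Users\\u\\Downloads\\nvidiaRelease\\node.exe",
     "dest_ip": "45.159.248.110", "dest_port": 8080},
    {"type": "file", "path": "/Users/dev/Library/LaunchAgents/com.drivfixer.plist"},
    {"type": "registry", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "value": "nvidiaUpdate", "data": "C:\\Users\\u\\Downloads\\nvidiaRelease\\drvUpdate.exe"},
    {"type": "process", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "chrome.exe"},
    {"type": "network", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "dest_ip": "93.184.216.34", "dest_port": 443},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for line_no, reasons in hunt(SAMPLE_LINES):
        print(f"line {line_no}: " + "; ".join(reasons))
```

The process and registry checks carry the signal here: the C2 addresses are the easiest indicator to pivot on but also the easiest for the operators to rotate, whereas a cmd.exe child of an unsigned "driver updater" in a Downloads folder, or Node.js being launched against a file named main.js from the same folder, describes the behaviour rather than a disposable address.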
The latest operation highlights Lazarus’s evolving playbook that blends credible lures with false error messages to trick victims into installing malware themselves. Unlike traditional exploits that rely on software vulnerabilities, ClickFix succeeds by exploiting human psychology.
Its focus on the global job market demonstrates the group’s shifting priorities: from espionage to financial theft and surveillance of strategic individuals.
Experts at Qi’anxin caution users against downloading drivers or fixes from unverified platforms and urge strict reliance on official vendors for updates. Regular data backups, timely system patches, and sandbox analysis of suspicious files remain essential defenses.
The post Fake Job Offers – Lazarus Hackers Deploy ClickFix Strategy to Target Windows 11 appeared first on Cyber Security News.