Lazarus APT: Techniques for Hunting Contagious Interview

Lazarus APT uses ClickFix social engineering to trick job seekers into executing malicious code, and Validin helps find related infrastructure and mitigate the threat.

Lazarus APT, a North Korean group, is using the ClickFix social engineering technique to trick job seekers into copying and pasting malicious code onto their devices during fake video job interviews ("Contagious Interview"). This blog post shows how to expand and pivot from threat intelligence using Validin to detect likely-related infrastructure and mitigate this threat.

Background

On December 28, 2024, a tweet by researcher @tayvano_ alerted the infosec community to a campaign using a talent recruitment theme to spread malware via ClickFix social engineering. The campaign was attributed to Lazarus APT due to similarities with Contagious Interview and domain registration patterns. This post describes how the initial alert led to a hunt for Lazarus APT ClickFix techniques using Validin to pivot from the initial indicators to identify more domains registered for the campaign.

Lazarus APT and their Latest Campaign

The Lazarus Group is a North Korean umbrella of multiple threat actor groups (i.e. Bluenoroff, Andariel, Kimsuky). Lazarus has been active since at least 2009 and is associated with the North Korean government’s Reconnaissance General Bureau. They support the North Korean government through a combination of espionage, financial gain, and geopolitical disruption. Their financially motivated attacks usually target financial institutions, cryptocurrency firms, gambling platforms, and FinTech companies. Stolen funds from the APT’s operations are used to fund North Korea’s nuclear weapons and long-range missiles programs.

The Contagious Interview Campaign

One of the latest tracked campaigns of Lazarus, is the Contagious Interview, which started as early as December 2022 as described by PAN Unit 42, and it is about North Korean actors contacting software developers through job search platforms. They pose as a prospective employer, inviting them to participate in an online interview in which the actors attempt to convince the victims to download and install backdoor malware (BeaverTail, InvisibleFerret, CivetQ, etc).

The ClickFix Social Engineering Technique

One of the most hyped social engineering techniques in the last quarter of 2024, ultimately abused first by Lumma Stealer operators, was ClickFix. The ClickFix technique uses dialogue boxes containing fake error or reCAPTCHA messages to trick people into copying, pasting, and running malicious content on their own computer.

Lazarus APT’s Latest Campaign Encompassing ClickFix as part of Contagious Interview

The Lazarus group appears to have updated its social engineering tactics by incorporating ClickFix into its Contagious Interview campaign. This campaign targets job seekers with attractive pay ranges, often on platforms like LinkedIn, Telegram, and Discord. As reported first by the researcher @tayvano_, the initial contact often comes from a fake recruiter representing well-known companies, such as Kraken, MEXC, Gemini, and Meta, promoting attractive pay ranges on LinkedIn, Telegram, Discord, and other job posting sites. This approach entices victims to run malware on their devices.

After exchanging some information, the threat actor eventually drops a link to a fake Willo website (Video Interviewing Screening Software) to continue the hiring process by answering some questions as part of the candidate’s evaluation. Next, a long form of questions is presented to the candidate asking things relevant to the role.

The last step is to record a video answer to the last question. By clicking the Request Camera Access button, a pop-up is displayed that guides the victim on how to enable access (the ClickFix technique) by attaching malicious code to be copied that installs malware on their device (payloads vary for Mac, Windows, and Linux devices).

Infrastructure Hunting

The objective in this report is to identify further Lazarus infrastructure that is used to deliver its payloads to potential victims. Let’s create a project on Validin to collect our findings through the hunting process:

We’ll populate it with our known indicators to be used as starting pivot points:

Now let’s inspect the willointerview[.]com domain by clicking on it to see what we can extract from it to help us identify more domains serving ClickFix with this theme.

From this screen (Reputation Tab), several information can be observed about this domain. For example, the Reputation Score and Factors (which flag this as associated with APT Lazarus), DNS records, FQDN, ETLD, Registration, etc. In each tab there is more detailed information. An important thing to notice is that each key/value field is a potential pivot point.

• OSINT: The OSINT sources/lists where the indicator was referenced.

• Resolutions: Domain resolutions associated with the domain indicator. i.e. NS (Name Server), A (IPv4) resolutions. Here we can observe the IPv4 resolution which is 23.254.244[.]74. Notice the information on the side panel that also includes information on the estimated pivot count (a really useful feature to determine if this attribute is commonly observed).

• Subdomains: The subdomains for the domain indicator.

• DNS Records: The DNS records for the associated domain indicator. Shows information like if the domain has MX (Mail eXchange), or other records like SPF that can be seen from the next figure (also a potential pivot point).

• Host Connections: Information regarding relationships between the investigated indicators. I.e. the following is the connection between Domain and IPv4.

• Host Responses: Information regarding HTTP Response Data.

• CT Stream: Certificate Transparency information such as certificate fingerprints, common names and timestamps.

Continuing with the hunt, by selecting the Resolutions tab and clicking on the IPv4 23.254.244[.]74, we pivot to the IP hosting the domain.

As we can see, this IP belongs to AS 54290 Hostwinds. Use of the Hostwinds ASN dedicated servers is a common tactic in Lazarus campaigns. Let’s select Host Connections to see if there are any interesting and unique fingerprints.

1st Method of Identifying Further Infrastructure: HTML Feature Pivoting

By scrolling a bit down, we can see a really unique type of host-meta header, present in the legitimate website for Willo.

By clicking on it to pivot and selecting the Host Connections tab, we observe additional domains with similar naming conventions and IPv4 addresses that share this exact host-meta header (136 total). This great pivot was first identified and reported by @500mk500.

From there we can further filter the returned values to see only the domains.

As we can see, there are similar domain registration patterns (already flagged as Lazarus related) containing also other keywords, such as crypto, assess, willo, blockchain, interview, talent, hiring, etc. Also, there are domains hosted on the Cloudfront CDN.

It is really important to notice here as a general principle that some pivots may contain false positives (i.e. in these results there are also legitimate domains of Willo that need to be filtered out from your project). Those are potentially related indicators and further verification is needed to be considered an Indicator of Compromise. For example, this post from the researcher @banthisguy9349 suggests querying for this path on a suspected domain to confirm abuse: /video-questions/create/531fbaedf67046d6904478f15d3e7142

For example, for the following domain: www.vid.willoassess[.]com* *the following page was displayed by combining it with the aforementioned URI that confirmed it was part of the campaign:

Next, we can manually select the domains of interest (excluding false positives as mentioned), and add them to our project.

Another really useful feature is the Timeline View, where we can observe the First & Last Seen timestamps of the domains containing this meta-host value. The following figure depicts the difference between Willo’s legitimate domain and the malicious domains. It can also be observed that the malicious domains generated activity beginning no later than mid-December 2024.

Next, we can return to the Table View and filter again for META-IP, to observe other hosting patterns.

Additional Autonomous Systems are represented, such as AS 30860, AS 27956, AS 16509, AS47583, and AS 54290. Those can provide insights into hosting preferences for Lazarus, or possibly different threat actor clusters. We can view these statistics by clicking on Show Summary:

2nd Method of Identifying Further Infrastructure: Bulk Search

Now that we have seen other IPv4 addresses hosting such malicious domains, we would like to search those IPv4 addresses to see if they host other domains with similar naming conventions that bypassed the security community’s radars. We will manually select the IPv4 addresses of interest (excluding Amazon ASN and ASNs with high estimated pivots for resource efficiency), and add them to Bulk Search.

Now we will set the settings for the Bulk Search. We want to see only A records associations (IPv4 to DNS), and since we know the timeline of the activity pretty much, we will only consider timestamps of December.

In the results View we can see other domains associated with Lazarus (based on reputation) and some that also have the same naming convention that could indicate potential association. Of course, verification is necessary. We conclude with adding to our project the new findings from this search.

3rd Method of Identifying Further Infrastructure: Lookalike Domain Search

Another useful feature is the Lookalike Domain Search. From there we can use search terms, domain names or regex patterns to identify further domains of interest. From the previous batches of indicators collected with the previous two methods, we know some of the most common keywords Lazarus uses to register their domains for this campaign. Thus, we can combine them with multiple ways to further identify domains. Let’s take for example the following regex:

/(assess|willo|wilo|talent|hiring|interview|blockchain|crypto|recruit|candidate|video)\-?(assess|willo|wilo|talent|hiring|interview|blockchain|crypto|recruit|candidate|video)\.(com|us|org|pro)/

Explanation of the regex: Some of the most relevant keywords regarding Willo, hiring and blockchain topics appended with or without dash, with the same pairs of keywords ending in a .com, .us, .org, .pro TLD (as commonly observed) - a good starting point.

Also, we refine the loopback to search only 40 days back since we know the campaign started in December 2024, and select the FQDNs option to search for any depth.

• /(willo|wilo|hiring|blockchain|crypto)\-?(assess|talent|hiring|interview)\.(com|us|org|pro)/ (better combined keywords)
• /app\.(willo|wilo|hiring|blockchain|crypto)\-?(assess|talent|hiring|interview)\.[a-z]+/(app subdomain + combined keywords + TLD agnostic)
• /(willo|wilo|hiring|blockchain|crypto)\-?(video|candidate|talent|interview)\.[a-z]+/ (willo & blochain hiring themes + TLD agnostic)
• /(video|candidate|talent|interview)\-?(willo|wilo|hiring|blockchain|crypto)\.[a-z]+/ (reversed order willo & blochain hiring themes + TLD agnostic)

We conclude by adding our newly identified indicators to our project.

Conclusion

Lazarus is a sophisticated group of threat actors, constantly refining their TTPs to achieve their objectives and support their country’s agenda. It is up to us, security researchers to identify their behaviours and patterns and detect their infrastructure before it gets weaponized. In this blog we analyzed the new Lazarus campaign as part of Contagious Interview, utilizing the ClickFix social engineering technique. Through Validin’s Search, Bulk Search and Lookalike Domain Search, we identified Lazarus’ domain registration and hosting patterns. We shared further Indicators of Compromise along with the methodology on how to hunt malicious infrastructure.

Ready to level up your threat hunting, threat attribution, and incident response efforts? Validin’s premium individual and enterprise solutions offer powerful tools, affordable pricing, and unparalleled insights to help your team work smarter and faster.

Contact us today to explore enterprise options and see how Validin can empower your threat intelligence team.

Connect with the author: Follow Efstratios on X.

Indicators

web[.]videoscreening[.]org
videoscreening[.]org
app[.]videoscreening[.]org
www[.]intervu-talent[.]pro
www[.]talentassesspro[.]com
www[.]app[.]videoforrecruitment[.]com
videoforrecruitment[.]com
app[.]videoforrecruitment[.]com
blockchain-assess[.]com
www[.]app[.]willotalents[.]org
willotalents[.]org
app[.]willotalents[.]org
app[.]willocandidate[.]com
webmail[.]complexassess[.]com
webdisk[.]complexassess[.]com
cpcontacts[.]complexassess[.]com
cpcalendars[.]complexassess[.]com
cpanel[.]complexassess[.]com
complexassess[.]com
autodiscover[.]complexassess[.]com
robinhood[.]vinterview[.]org
www[.]app[.]vinterview[.]org
app[.]vinterview[.]org
app[.]willotalentes[.]com
www[.]api[.]wtalents[.]us
api[.]wtalents[.]us
cpanel[.]wtalents[.]us
willoassessment[.]com
www[.]gemini-willoassessment[.]com[.]willoassessment[.]com
gemini-willoassessment[.]com[.]willoassessment[.]com
hiring[.]willoassessment[.]com
www[.]consensys[.]willoassessment[.]com
geminiskill[.]willoassessment[.]com
www[.]hiring[.]willoassessment[.]com
api[.]willoassessment[.]com
gemini[.]willoassessment[.]com
consensys[.]willoassessment[.]com
www[.]gemini[.]willoassessment[.]com
www[.]app[.]willotalent[.]xyz
app[.]willotalent[.]xyz
www[.]api[.]nvidia-release[.]us
api[.]nvidia-release[.]us
www[.]willorecruit[.]com
cpcontacts[.]willorecruit[.]com
cpcalendars[.]willorecruit[.]com
www[.]app[.]willorecruit[.]com
app[.]willorecruit[.]com
webmail[.]willorecruit[.]com
mail[.]willorecruit[.]com
cpanel[.]willorecruit[.]com
webdisk[.]willorecruit[.]com
willorecruit[.]com
www[.]willotalentes[.]com
www[.]app[.]willotalentes[.]com
willotalentes[.]com
willocandidates[.]com
www[.]fundcandidates[.]com
app[.]willohiring[.]com
www[.]willocandidate[.]com
www[.]app[.]willocandidate[.]com
willocandidate[.]com
www[.]api[.]nvidia-release[.]org
www[.]willotalent[.]us
www[.]app[.]willotalent[.]us
app[.]willotalent[.]us
willotalent[.]us
www[.]willotalent[.]pro
www[.]app[.]willotalent[.]pro
app[.]willotalent[.]pro
willotalent[.]pro
www[.]willointerview[.]com
www[.]willoassess[.]com
www[.]talent[.]willoassess[.]com
www[.]tal[.]willoassess[.]com
www[.]gemini[.]willoassess[.]com
gemini[.]willoassess[.]com
willoassess[.]com
www[.]willohiring[.]com
www[.]app[.]willohiring[.]com
www[.]gemini[.]willohiring[.]com
gemini[.]willohiring[.]com
www[.]meta[.]willohiring[.]com
meta[.]willohiring[.]com
willohiring[.]com
www[.]willohiringtalent[.]org
www[.]app[.]willohiringtalent[.]org
app[.]willohiringtalent[.]org
www[.]gemini[.]willohiringtalent[.]org
gemini[.]willohiringtalent[.]org
willohiringtalent[.]org
www[.]willoassess[.]org
www[.]willo-interview[.]us
www[.]talent[.]willo-interview[.]us
talent[.]willo-interview[.]us
www[.]app[.]willo-interview[.]us
app[.]willo-interview[.]us
willo-interview[.]us
www[.]intro-crypto-assess[.]com
cpcontacts[.]intro-crypto-assess[.]com
cpcalendars[.]intro-crypto-assess[.]com
webmail[.]intro-crypto-assess[.]com
mail[.]intro-crypto-assess[.]com
cpanel[.]intro-crypto-assess[.]com
webdisk[.]intro-crypto-assess[.]com
intro-crypto-assess[.]com
www[.]blockchain-assess[.]com
d20zx0lguyxj2p[.]cloudfront[.]net
d1yzmjg018adwf[.]cloudfront[.]net
d12rlkj8v5mwse[.]cloudfront[.]net
d3o9p0hkd7eul5[.]cloudfront[.]net
wilio-talent[.]net
willoassess[.]net
www[.]wtalents[.]us
www[.]app[.]wtalents[.]us
app[.]wtalents[.]us
mail[.]wtalents[.]us
wtalents[.]us
www[.]willomexcvip[.]us
www[.]app[.]willomexcvip[.]us
app[.]willomexcvip[.]us
mail[.]willomexcvip[.]us
www[.]werhiring[.]willomexcvip[.]us
werhiring[.]willomexcvip[.]us
willomexcvip[.]us
www[.]hiringtalent[.]pro
app[.]hiringtalent[.]pro
final[.]hiringtalent[.]pro
hiringtalent[.]pro
intervu-talent[.]pro
www[.]talentcompetency[.]com
talentcompetency[.]com
www[.]app[.]willoassessment[.]com
app[.]willoassessment[.]com
www[.]geminiskill[.]willoassessment[.]com
www[.]api[.]willoassessment[.]com
www[.]wilo-talent[.]com
app[.]wilo-talent[.]com
wilo-talent[.]com
www[.]complexassess[.]com
mail[.]complexassess[.]com
www[.]app[.]willoassess[.]com
app[.]willoassess[.]com
www[.]vid[.]willoassess[.]com
vid[.]willoassess[.]com
www[.]robinhood[.]intro-crypto-assess[.]com
www[.]vid[.]intro-crypto-assess[.]com
vid[.]intro-crypto-assess[.]com
www[.]app[.]blockchain-assess[.]com
app[.]blockchain-assess[.]com
www[.]vid[.]blockchain-assess[.]com
vid[.]blockchain-assess[.]com
fundcandidates[.]com
www[.]app[.]blockchain-checkup[.]com
app[.]blockchain-checkup[.]com
talentassesspro[.]com
www[.]willo-video[.]com
willo-video[.]com
www[.]robinhood[.]vinterview[.]org
vinterview[.]org
www[.]hiringinterview[.]org
www[.]app[.]hiringinterview[.]org
app[.]hiringinterview[.]org
hiringinterview[.]org
www[.]interviewnest[.]org
www[.]app[.]interviewnest[.]org
app[.]interviewnest[.]org
interviewnest[.]org
willoassess[.]org
www[.]app[.]videoscreening[.]org
www[.]web[.]videoscreening[.]org
willovideorec[.]com
willointerview[.]com
api[.]nvidia-release[.]org