Traps Beneath Fault Repair: Analysis of Recent Attacks Using ClickFix Technique
WHITE | Tags: Lazarus | Author: AlienVault | Created: 2025-09-01 | Modified: 2025-10-01
Lazarus, an APT group with suspected East Asian origins, has recently employed the ClickFix social engineering technique in their phishing attacks. The group, known for targeting financial institutions and cryptocurrency exchanges, now uses fake job opportunities to lure victims to interview websites. These sites prompt users to 'fix' non-existent camera issues, tricking them into downloading malware disguised as Nvidia software updates. The malware deploys a Node.js environment and executes BeaverTail, a common Lazarus tool. On Windows 11 systems, an additional backdoor (drvUpdate.exe) is installed. The attack also affects macOS users. The malware establishes persistence and connects to command and control servers for further instructions and data exfiltration.
Indicators of Compromise (33)
Indicator types in this pulse: FileHash-MD5, FileHash-SHA1, FileHash-SHA256, URL, domain.