Job Offers Turned Attack Vectors: Inside Lazarus' “ClickFake” Campaign
Welcome to Picus Security's monthly cyber threat intelligence roundup!
Each month, our goal is to provide insights into the most recent and key malware attacks and vulnerability exploitation campaigns that could potentially affect your industry and region. Recognizing that a blog might not fully cater to your specific threat intelligence requirements, we're excited to introduce a new platform. This platform is crafted to deliver the most customized cyber threat intelligence, directly addressing your unique needs.
Our Picus CTI platform will enable you to identify threats targeting your region, understand your security posture in comparison to similar organizations, and receive easy-to-implement mitigation signatures from a variety of vendors. Additionally, it will offer a report that you can use to communicate with your peers or within your organization, ensuring that you are well-informed and prepared to address cyber threats effectively.
Top Threat Actors Observed in the Wild: March 2025
Here are the most active threat actors that have been observed in March in the wild.
Lazarus APT – “ClickFake Interview” Crypto-Heist Campaign
- Victim Location: Global (including North America and Europe)
- Sectors: Cryptocurrency/Financial (CeFi exchanges, job recruitment)
- Threat Actor: Lazarus Group (North Korea state-sponsored APT)
- Actor Motivations: Financial theft to fund DPRK regime (crypto theft), espionage
- Malware: “ClickFix” social engineering technique; GolangGhost backdoor
North Korea’s Lazarus group resurfaced with a new twist on its job recruitment lures. In late March, security researchers reported a “ClickFake Interview” campaign by Lazarus using fake job offers to target cryptocurrency organizations [1]. The attackers employed the emerging “ClickFix” technique – tricking job seekers into clicking rogue links that trigger malware – to deploy a custom GolangGhost backdoor.
Lazarus has a track record of stealing cryptocurrency (notably a $1.5 billion crypto heist) to fund North Korea’s regime. In this March campaign, their social engineering was sophisticated: victims believed they were in real job processes, only to have Lazarus steal credentials and siphon crypto funds. The U.S. and European crypto sector remained on high alert as Lazarus continued blending espionage with profit-driven motives in its global operations.
MirrorFace (APT10 Subgroup) – Chinese APT Breaches European Institute
- Victim Location: Central Europe
- Sectors: Government, Diplomatic (international policy institute)
- Threat Actor: MirrorFace (aka Earth Kasha, subgroup of China-linked APT10)
- Actor Motivations: Espionage (nation-state intelligence)
- Malware: Anel backdoor (a signature APT10 implant), customized AsyncRAT
A Chinese state-aligned threat actor dubbed MirrorFace carried out its first known attack in Europe. In March, security researchers reported that MirrorFace targeted a Central European diplomatic institute ahead of the Expo 2025 event [2]. The group sent carefully crafted spear-phishing emails with malicious attachments, deploying APT10’s exclusive “Anel” backdoor and a tailored AsyncRAT variant on victim systems.
MirrorFace is believed to operate under the umbrella of China’s APT10; the use of Anel (an implant previously seen only in APT10 operations) strongly links this campaign to Chinese state sponsorship. The breach allowed the attackers to spy on communications and data within the European institute. MirrorFace’s expansion beyond its usual Japanese targets into Europe highlights China’s widening cyber-espionage ambitions in EMEA, with diplomatic and governmental organizations in its sights.
“Crafty Camel” – Iran-Linked APT Espionage in UAE Critical Infrastructure
- Victim Location: United Arab Emirates (Middle East)
- Sectors: Aviation and Operational Technology (OT) in critical infrastructure
- Threat Actor: “Crafty Camel” (codename for new Iran-aligned APT)
- Actor Motivations: Cyber espionage (regional intelligence gathering)
- Malware: Stealth backdoor delivered via polyglot files, BEC entry vector
A newly identified Iranian-linked APT dubbed “Crafty Camel” debuted with a laser-focused espionage attack on UAE companies. Active since late 2024 and revealed in March 2025 [3], Crafty Camel compromised a legitimate business email account to launch convincing business email compromise (BEC) phishing at UAE aviation and defense firms. The phishing emails carried “two-faced” polyglot files – files crafted to appear benign (like an image or PDF) while also executing code – which dropped a carefully concealed backdoor on targeted systems. This stealthy malware enabled persistent spying on a handful of high-value OT organizations in the UAE.
Researchers note the campaign showed a high degree of stealth and targeting, with fewer than five organizations confirmed hit (likely more undetected). Crafty Camel’s activity aligns with Iranian state interests in regional infrastructure. Its use of novel polyglot file techniques and abuse of trusted email channels made this March operation particularly difficult to detect, emphasizing the evolving sophistication of Iran’s cyber-espionage efforts.
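Polyglot delivery works because a file is judged by its leading bytes while a second format hides further in. The following triage helper, added here as an illustration and not code from the referenced report, scans a blob for well-known format headers found after offset 0 and flags a benign-looking image or PDF that also carries an archive, script or PE container. The signature list and the sample bytes are constructed for the example; validating the PE pointer (`e_lfanew`) avoids treating every stray "MZ" as an executable.

```python
"""Polyglot file triage: does one file carry more than one format signature?

Added example for the polyglot-file delivery discussed above; not code from
the referenced report. Signature table and sample bytes are constructed here.
"""
from __future__ import annotations

# Multi-byte headers of common benign-looking and executable containers.
# Two-byte magics such as "MZ" are handled separately (see _is_pe_at) to
# avoid false positives inside ordinary binary data.
MAGICS = {
    "pdf":    b"%PDF-",
    "png":    b"\x89PNG\r\n\x1a\n",
    "jpeg":   b"\xff\xd8\xff\xe0",
    "zip":    b"PK\x03\x04",
    "html":   b"<html",
    "script": b"<script",
}
BENIGN_LOOKING = {"pdf", "png", "jpeg"}
ACTIVE_CONTENT = {"zip", "html", "script", "pe"}


def _is_pe_at(data: bytes, off: int) -> bool:
    """True if a DOS header at `off` points at a valid 'PE\\0\\0' signature."""
    if data[off:off + 2] != b"MZ" or len(data) < off + 0x40:
        return False
    e_lfanew = int.from_bytes(data[off + 0x3C:off + 0x40], "little")
    return data[off + e_lfanew:off + e_lfanew + 4] == b"PE\x00\x00"


def declared_type(data: bytes) -> str | None:
    """The format a file *claims* to be, judged by its first bytes only."""
    if _is_pe_at(data, 0):
        return "pe"
    for label, magic in MAGICS.items():
        if data.startswith(magic):
            return label
    return None


def embedded_signatures(data: bytes) -> dict[str, list[int]]:
    """Every format header found after offset 0, keyed by label -> offsets."""
    hits: dict[str, list[int]] = {}
    for label, magic in MAGICS.items():
        start = 1
        while (idx := data.find(magic, start)) != -1:
            hits.setdefault(label, []).append(idx)
            start = idx + 1
    start = 1
    while (idx := data.find(b"MZ", start)) != -1:
        if _is_pe_at(data, idx):          # only count MZ when the PE pointer checks out
            hits.setdefault("pe", []).append(idx)
        start = idx + 1
    return hits


def triage(data: bytes) -> dict:
    """Declared type, embedded headers, and a verdict for one blob."""
    declared = declared_type(data)
    embedded = embedded_signatures(data)
    suspicious = declared in BENIGN_LOOKING and bool(ACTIVE_CONTENT & embedded.keys())
    return {"declared": declared, "embedded": embedded, "suspicious": suspicious}


# Constructed samples (not real malware): a bare PNG stub, and the same stub with a
# ZIP local-file header and an HTML fragment appended behind the image bytes.
CLEAN_PNG = MAGICS["png"] + b"\x00" * 32
POLYGLOT = CLEAN_PNG + MAGICS["zip"] + b"\x14\x00" + b"<html><script>" + b"\x00" * 8

if __name__ == "__main__":
    for name, blob in (("clean.png", CLEAN_PNG), ("attachment.png", POLYGLOT)):
        print(name, triage(blob))
```

In a mail gateway or sandbox pipeline the verdict is a triage signal, not proof: legitimate files occasionally embed other containers (a PDF with attachments, for instance), so route hits to detonation rather than blocking on the signature alone.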
Black Basta Rebrands as “Cactus” – Ransomware Pivot with BackConnect Malware
- Victim Location: United States and Europe (notably U.S. automotive and a Swedish firm)
- Sectors: Manufacturing (auto parts), Security technology, likely others
- Threat Actor: Black Basta (ransomware gang) → Cactus ransomware group
- Actor Motivations: Financial (ransomware extortion)
- Malware: Cactus ransomware; BackConnect persistence malware tool
Black Basta, a once-prolific ransomware outfit, saw internal turmoil and an apparent split in early 2025, leading key members to form a new group called “Cactus.” In March, Trend Micro and others observed that Cactus ransomware attacks mirrored Black Basta’s tactics [4], even using the new persistence tool BackConnect in both groups’ intrusions. This indicates Black Basta operators reinventing themselves under the Cactus name.
By mid-March, the Cactus gang had already claimed notable victims – for example, KYB Americas (a U.S. auto parts manufacturer) and ASSA ABLOY (a Swedish security firm) were listed on Cactus’s leak site, with 1.8 TB and 229 GB of data stolen from each, respectively. Cactus/Black Basta affiliates exploit known vulnerabilities (such as VPN appliance flaws) for initial access and use BackConnect malware to maintain stealthy control of victim networks. Motivation is purely profit, and the group (in whatever form) continues to perform aggressive double extortion. The pivot from Black Basta to Cactus demonstrates the volatile nature of the ransomware ecosystem – threat actors rebranding and evolving their toolsets to evade law enforcement while continuing attacks unabated.
Latest Vulnerabilities and Exploits in March 2025
In this section, we will provide information on the latest vulnerabilities and exploits being targeted by adversaries in the wild, the affected products, and the available patches.
VMware ESXi Zero-Days – Critical VM Escape Exploited In the Wild
- Affected Vendor: VMware (Broadcom)
- Affected Product: VMware ESXi (virtualization hypervisor) and related products (Workstation, Fusion)
- Fixes: Patches released March 4, 2025 for ESXi (various versions) – admins urged to update before March 25 per CISA.
A set of critical zero-day vulnerabilities in VMware ESXi was actively exploited in early March, allowing malicious VM users to escape to the host system. The most severe, CVE-2025-22224, is an out-of-bounds write (heap overflow) in ESXi’s VMCI component that lets an attacker with admin rights on a VM execute code on the host. Over 37,000 ESXi servers exposed to the internet were initially found unpatched and vulnerable. VMware (Broadcom) confirmed on March 4 that CVE-2025-22224, along with the related flaws CVE-2025-22225 and CVE-2025-22226, was being exploited as a zero-day in targeted attacks. Microsoft’s Threat Intelligence Center discovered these exploits in the wild, though details on the attackers or targets remain undisclosed.
In response, CISA added all three CVEs to its Known Exploited Vulnerabilities (KEV) catalog and set an aggressive patch deadline. The mass scanning by Shadowserver showed thousands of systems in the U.S., France, Germany, and even Iran among the top at-risk ESXi hosts.
This incident was a stark reminder of the need to promptly patch virtualization infrastructure – a successful VM escape can undermine an entire server’s security.
Figure 1. CISA Added Four VMware Vulnerabilities to KEV
Apache Tomcat RCE (CVE-2025-24813) – “Partial PUT” Exploit Actively Abused
- Affected Vendor: Apache Software Foundation
- Affected Product: Apache Tomcat (versions 9.0.0-M1 to 9.0.98, 10.1.0-M1 to 10.1.34, 11.0.0-M1 to 11.0.2)
- Fixes: Update to Tomcat 9.0.99 / 10.1.35 / 11.0.3 or later, which were released March 10, 2025, patching the flaw. Mitigations include disabling partial PUT support and setting readonly="true" on the default servlet.
A critical remote code execution vulnerability in Tomcat, CVE-2025-24813, was disclosed on March 10 and within 30 hours exploits appeared on GitHub – leading to active attacks by mid-March. The flaw arises from Tomcat’s handling of partial HTTP PUT requests combined with its default session persistence. An attacker can send a crafted PUT request with a Base64-encoded malicious Java object to Tomcat’s file-based session store, then issue a GET with a session ID that tricks Tomcat into deserializing and executing the payload. This yields full remote takeover of the server with no authentication required.
Security researchers confirmed “dead simple” exploit attempts in the wild, which bypass many defenses since the payload is hidden in what looks like normal traffic (Base64 in a PUT body). Tomcat admins were urged to patch immediately or apply mitigations due to the ease of exploitation and the public availability of proof-of-concept code. CISA has since added CVE-2025-24813 to the KEV catalog, underscoring that this vulnerability is being leveraged by attackers.
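Two things decide whether an instance is exposed to the attack path above: its version against the affected ranges, and whether the default servlet accepts writes. The following audit helper is an added example, not code from the Apache project. The version ranges and the `readonly` setting come from the advisory summary above; `allowPartialPut` is the DefaultServlet init-param that governs partial PUT handling (confirm the name against the DefaultServlet documentation for your Tomcat branch). The sample `web.xml` fragments are constructed for the example, and branches other than the three listed above are simply not assessed.

```python
"""Audit a Tomcat deployment against CVE-2025-24813: version range plus
DefaultServlet configuration. Added example, not Apache Tomcat's own code.
"""
from __future__ import annotations
import re
import xml.etree.ElementTree as ET

# Affected ranges as stated in the advisory summary: (first, last) per branch.
AFFECTED = {9: ("9.0.0-M1", "9.0.98"), 10: ("10.1.0-M1", "10.1.34"), 11: ("11.0.0-M1", "11.0.2")}
FIXED = {9: "9.0.99", 10: "10.1.35", 11: "11.0.3"}
_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")
_GA = 10**6  # sentinel so a GA release sorts after its milestone builds


def parse_version(v: str) -> tuple[int, int, int, int]:
    """'10.1.0-M1' -> (10, 1, 0, 1); '10.1.0' -> (10, 1, 0, _GA)."""
    m = _VER.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {v!r}")
    major, minor, patch, ms = m.groups()
    return (int(major), int(minor), int(patch), int(ms) if ms else _GA)


def is_affected(version: str) -> bool:
    """True when the version falls inside one of the listed vulnerable ranges."""
    v = parse_version(version)
    rng = AFFECTED.get(v[0])
    if rng is None:            # branch not covered by the ranges above
        return False
    lo, hi = (parse_version(x) for x in rng)
    return lo <= v <= hi


def _local(tag: str) -> str:
    """Strip the XML namespace so Tomcat 9/10/11 web.xml files parse alike."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_params(web_xml: str) -> dict[str, str]:
    """init-params of the servlet whose class is DefaultServlet ({} if absent)."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = next((c.text or "" for c in servlet if _local(c.tag) == "servlet-class"), "")
        if not cls.strip().endswith("DefaultServlet"):
            continue
        params: dict[str, str] = {}
        for ip in (c for c in servlet if _local(c.tag) == "init-param"):
            kv = {_local(c.tag): (c.text or "").strip() for c in ip}
            if kv.get("param-name"):
                params[kv["param-name"]] = kv.get("param-value", "")
        return params
    return {}


def config_findings(web_xml: str) -> list[str]:
    """Configuration weaknesses relative to the mitigations above."""
    p = default_servlet_params(web_xml)
    findings = []
    if p.get("readonly", "true").lower() != "true":
        findings.append("DefaultServlet readonly=false: HTTP PUT/DELETE writes are accepted")
    if p.get("allowPartialPut", "true").lower() != "false":
        findings.append("partial PUT not disabled (allowPartialPut is not 'false')")
    return findings


def assess(version: str, web_xml: str) -> dict:
    """Combine both checks; 'exposed' needs a vulnerable build AND a writable servlet."""
    affected = is_affected(version)
    writable = default_servlet_params(web_xml).get("readonly", "true").lower() != "true"
    return {
        "version": version,
        "version_affected": affected,
        "fixed_in": FIXED.get(parse_version(version)[0]),
        "config_findings": config_findings(web_xml),
        "exposed": affected and writable,
    }


# Constructed web.xml fragments (not from any real deployment).
_HEAD = '<?xml version="1.0" encoding="UTF-8"?>\n<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">\n'
_TAIL = "</web-app>"
WEAK_WEB_XML = _HEAD + """  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
""" + _TAIL
HARDENED_WEB_XML = _HEAD + """  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>allowPartialPut</param-name><param-value>false</param-value></init-param>
  </servlet>
""" + _TAIL

if __name__ == "__main__":
    print(assess("10.1.34", WEAK_WEB_XML))
    print(assess("10.1.35", HARDENED_WEB_XML))
```

Run it with the version string from `catalina.jar`'s manifest or the server's version banner and the `conf/web.xml` (plus any per-application `WEB-INF/web.xml` that overrides the default servlet). Upgrading is the fix; the configuration checks only tell you how urgent it is.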
Ivanti Zero-Day (CVE-2025-22457) – VPN Appliance Exploited by Chinese APT
- Affected Vendor: Ivanti
- Affected Product: Ivanti Connect Secure (ICS) VPN appliances (also Pulse Secure and Ivanti Policy Secure products)
- Fixes: Patched in ICS version 22.7R2.6 on Feb 11, 2025 (initially thought low risk). After learning of exploitation, Ivanti reiterated patch urgency on April 3 and CISA added it to KEV in early April.
A critical stack buffer overflow in Ivanti’s VPN platforms, CVE-2025-22457, was actively exploited in mid-March as a zero-day by a suspected Chinese state-sponsored group. The flaw, initially misclassified by Ivanti as a non-exploitable bug, actually allowed remote code execution on unpatched VPN gateways. Security researchers uncovered that the UNC5221 Chinese APT leveraged this vulnerability to breach Ivanti Connect Secure devices for espionage purposes [5]. Only a limited number of high-value targets were hit, and exploitation required a “sophisticated” approach, suggesting a skilled adversary. The attackers likely reverse-engineered Ivanti’s February patch to develop an exploit, then quietly infiltrated organizations (potentially government or critical industry in the US/EU) via their VPN. Ivanti and CISA’s alert in late March urged all users to update immediately, correcting the earlier underestimation of the bug’s impact.
This incident highlights how threat actors (in this case, a China-nexus group) quickly weaponize overlooked “minor” flaws, and it reinforces the importance of patching network edge devices.
Recent Malware Attacks in March 2025
In March 2025, a variety of malware attacks were recorded, highlighting the persistent threat landscape. Below is a detailed list of the active malware incidents for the month.
Akira Ransomware Pivots to IoT – Encrypts Network via a WebCam to Evade Defense
- Victim Location: Undisclosed (a corporate network, likely North America)
- Sectors: Any with IoT/embedded devices on the network (demonstrated in an enterprise environment)
- Threat Actor: Akira ransomware gang (criminal RaaS group active since 2023)
- Actor Motivations: Financial (ransom payment)
- Malware: Akira ransomware (Windows and Linux variants)
In a novel attack observed in March 2025, the Akira ransomware gang demonstrated an unorthodox way to bypass security – by using an internet-connected web camera inside the victim’s network to deploy ransomware [6]. According to incident responders, Akira initially breached a company and attempted to run its ransomware on Windows servers. However, the organization’s Endpoint Detection & Response (EDR) tools detected and blocked Akira’s encryption program on those machines.
Rather than give up, the attackers scanned the network for other connected devices and found a security webcam and a fingerprint scanner that were networked for physical security. The webcam device ran an embedded Linux OS (with no EDR protection) and had known vulnerabilities (left unpatched by the victim). Akira exploited the vulnerable camera, and because its Linux variant of ransomware could run there, they turned the webcam into a pivot point to remotely encrypt files on network shares that the device could access.
Essentially, the gang leveraged an IoT device as a stealth ransomware launcher, evading the defenses on Windows systems. Ultimately, Akira encrypted a large portion of the network files via this camera and left the organization with a hefty ransom note. Investigators noted that the camera’s firmware had patches available – highlighting that basic cyber hygiene could have prevented this clever attack vector. This incident is a stark illustration of attackers’ creativity: as corporate endpoints get better protected, criminals will target weaker links (like IoT devices, printers, or other unmanaged hardware) to achieve their goals. It urges organizations in the US and Europe to include IoT/OT devices in their threat models, as seen in this March 2025 Akira case where an IP camera became the unexpected conduit for a ransomware deployment.
Malicious NPM Packages – Supply Chain Attacks on PayPal and Crypto Users
- Victim Location: Global (developers and end-users in North America, Europe)
- Sectors: Software Supply Chain; targets include e-commerce (PayPal) and cryptocurrency wallet users
- Threat Actor: Unnamed threat actor “tommyboy_h1/h2” (handle used to publish packages)
- Actor Motivations: Financial theft (steal credentials and cryptocurrency)
- Malware: Trojanized NPM packages (e.g. oauth2-paypal, buttonfactoryserv-paypal, pdf-to-office)
In early March 2025, security teams uncovered a surge of malicious libraries on NPM – the JavaScript package repository – designed to harvest credentials and hijack cryptocurrency [7]. Fortinet reported that a threat actor using the aliases “tommyboy_h1” and “tommyboy_h2” uploaded multiple packages with names mimicking PayPal SDKs (like oauth2-paypal). These packages contained a preinstall script that ran automatically upon installation, siphoning system info, PayPal auth tokens, and user passwords to an attacker-controlled server. Separately, a package named pdf-to-office was published in March, targeting users of the popular crypto wallets Atomic Wallet and Exodus.
Instead of converting PDFs, it would silently replace modules in those wallet apps to intercept and redirect cryptocurrency transactions – swapping out the recipient’s address with the attacker’s address whenever a user made a transfer. This clever method effectively pickpocketed cryptocurrency without the user’s knowledge. These NPM supply-chain attacks illustrate the growing trend of attacking via open-source ecosystems. Developers and companies in the US and Europe who inadvertently installed these packages put their end-users at risk. The incidents prompted NPM to yank the bad packages, and CISA added the issue (CVE-2025-30066 for the GitHub Action variant) to its advisories. Overall, March saw software supply chain threats hit payment and crypto platforms especially hard.
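Both package families above rely on the same mechanism: an npm lifecycle script (`preinstall`, `install`, `postinstall`, `prepare`) that runs the moment a developer installs the dependency. The audit below is an added example, not Fortinet's or npm's code: it walks a `node_modules` tree (or a list of in-memory manifests), reports every package that executes code at install time, raises the severity when that script shells out to download or decode something, and flags unscoped package names that borrow a watched brand term. The brand watch-list and the sample manifests are constructed for the example; the hook names are npm's documented lifecycle events.

```python
"""Flag npm dependencies that run code at install time or imitate a brand name.

Added example, not Fortinet's or npm's code. The brand watch-list and the
sample manifests are constructed; hook names are npm's lifecycle events.
"""
from __future__ import annotations
import json
import re
from pathlib import Path

INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Primitives that rarely belong in a library's install hook: downloaders,
# shells, inline node evaluation, encoded payloads.
RISKY = re.compile(r"\b(curl|wget|nc|bash -c|sh -c|node -e|powershell|base64)\b")
BRAND_TERMS = ("paypal", "stripe", "exodus", "atomic")   # constructed watch-list
_RANK = {"high": 0, "medium": 1}


def install_hooks(manifest: dict) -> dict[str, str]:
    """The subset of `scripts` that npm runs automatically on install."""
    scripts = manifest.get("scripts") or {}
    return {k: v for k, v in scripts.items() if k in INSTALL_HOOKS}


def is_brand_lookalike(name: str) -> bool:
    """Unscoped name containing a watched brand word. Scoped names (@org/pkg)
    are published under an organisation and are not flagged by this heuristic."""
    if name.startswith("@"):
        return False
    lname = name.lower()
    return any(term in lname for term in BRAND_TERMS)


def audit_manifest(manifest: dict) -> list[tuple[str, str]]:
    """(severity, message) findings for one package.json."""
    name = manifest.get("name", "<unnamed>")
    findings: list[tuple[str, str]] = []
    for hook, cmd in install_hooks(manifest).items():
        sev = "high" if RISKY.search(cmd) else "medium"
        findings.append((sev, f"{name}: '{hook}' runs at install time: {cmd}"))
    if is_brand_lookalike(name):
        findings.append(("medium", f"{name}: unscoped name contains a watched brand term"))
    return findings


def audit_all(manifests: list[dict]) -> list[tuple[str, str]]:
    """Audit many manifests, highest severity first."""
    out: list[tuple[str, str]] = []
    for m in manifests:
        out.extend(audit_manifest(m))
    return sorted(out, key=lambda f: _RANK[f[0]])


def scan_node_modules(root: str | Path) -> list[tuple[str, str]]:
    """Load every package.json under `root` and audit it."""
    manifests = []
    for pkg_json in Path(root).rglob("package.json"):
        try:
            manifests.append(json.loads(pkg_json.read_text(encoding="utf-8")))
        except (OSError, ValueError):
            continue                      # unreadable or malformed manifest
    return audit_all(manifests)


# Constructed manifests for demonstration (not the real packages' contents).
SAMPLE_MANIFESTS = [
    {"name": "left-pad", "version": "1.3.0"},
    {"name": "oauth2-paypal", "version": "1.0.2",
     "scripts": {"preinstall": "node -e \"require('./setup')\""}},
    {"name": "pdf-to-office", "version": "2.0.1",
     "scripts": {"postinstall": "node patch.js"}},
    {"name": "@example-org/sdk", "version": "4.2.0",
     "scripts": {"prepare": "tsc -p ."}},
]

if __name__ == "__main__":
    for sev, msg in audit_all(SAMPLE_MANIFESTS):
        print(f"[{sev}] {msg}")
```

A finding is a prompt to read the script, not a verdict: build steps such as `prepare` running a compiler are legitimate, whereas a `preinstall` that evaluates inline code or fetches a remote file deserves a hold. For CI and developer machines, `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) removes the automatic execution entirely, at the cost of running needed build hooks explicitly.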
References
[1] “Lazarus APT Adds ‘ClickFix’ to Its Cybercrime Toolkit” – Dark Reading. Available: https://www.darkreading.com/cyberattacks-data-breaches/lazarus-apt-clickfix-bandwagon-attacks
[2] “Chinese Hacking Group MirrorFace Targeting European Diplomatic Institute” – SecurityWeek. Available: https://www.securityweek.com/chinese-hacking-group-mirrorface-targeting-europe
[3] “Crafty Camel APT Targets Aviation and OT Firms Using Polyglot Files” – Dark Reading. Available: https://www.darkreading.com/ics-ot-security/crafty-camel-apt-aviation-ot-polygot-files
[4] “Black Basta Ransomware Operators Pivot to New Group ‘Cactus’” – Dark Reading. Available: https://www.darkreading.com/threat-intelligence/black-basta-pivots-cactus-ransomware-group
[5] “Suspected China-Nexus Threat Actor Actively Exploiting Critical Ivanti Connect Secure Vulnerability (CVE-2025-22457)” – Google Cloud Blog, Apr. 03, 2025. Available: https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-exploiting-critical-ivanti-vulnerability
[6] B. Toulas, “Ransomware Gang Encrypted Network From a Webcam to Bypass EDR” – BleepingComputer, Mar. 06, 2025. Available: https://www.bleepingcomputer.com/news/security/ransomware-gang-encrypted-network-from-a-webcam-to-bypass-edr/
[7] “Malicious NPM Packages Target Cryptocurrency and PayPal Users” – SecurityWeek. Available: https://www.securityweek.com/malicious-npm-packages-target-cryptocurrency-paypal-users