State Sponsored Hackers now Widely Using ClickFix Attack Technique in Espionage Campaigns

The state-sponsored hackers from North Korea, Iran, and Russia have begunp deploying the ClickFix social engineering technique, traditionally associated with cybercriminal activities, into their espionage operations.

This shift was first documented by Proofpoint researchers over a three-month period from late 2024 into early 2025 where these actors employed ClickFix in routine activities.

The Emergence of ClickFix

ClickFix, a creative method that utilizes dialogue boxes to coax victims into copying, pasting, and running malicious commands, has emerged as a significant tool in the cyber arsenal of state-sponsored groups.

The technique disguises itself with authoritative alerts from the operating system, guiding the user through a series of fake error resolutions that ultimately lead to the execution of harmful scripts.

Initially observed in global cybercrime landscapes in early 2024, it is now making its mark in espionage campaigns.

North Korean actor TA427, also known as Kimsuky or Emerald Sleet, was observed utilizing ClickFix in their infection chain.

Targeting think tanks involved in North Korean affairs, TA427 initiated contact through spoofed meeting requests from diplomats, leading the targets into a trap where they were tricked into running a PowerShell command.

This command fetched and executed additional scripts, culminating in the installation of QuasarRAT, a malware known for its use in cybercriminal activities.

Iranian Cyber Operations

Iran’s TA450, or MuddyWater, targeted 39 organizations across the Middle East with an English-language phishing campaign.

Masquerading as a security update from Microsoft, the attackers used ClickFix to deploy remote management and monitoring (RMM) software.

This allowed TA450 operators to conduct espionage and data exfiltration, marking the first instance of this group using the Level RMM tool around November 2024.

Russian-linked groups, including UNK_RemoteRogue and TA422 (also known as Sofacy or APT28), have also tested ClickFix.

According to the Report, UNK_RemoteRogue sent targeted messages to defense sector entities, directing them to a malware-laden web page.

TA422, in a separate campaign, used a Google spreadsheet mimic to execute PowerShell commands, establishing SSH tunnels and deploying Metasploit.

This increased adoption of ClickFix underscores the fluidity of cyber tactics, where innovative criminal strategies are rapidly assimilated into state-backed cyber operations, challenging cybersecurity professionals to adapt to an ever-evolving threat landscape.

Indicators of Compromise (IoC)

To help protect against such threats, here are some key indicators associated with these campaigns:

Type	Description	First Seen
Email address	yasuyuki.ebata21@proton[.]me	February 2025
Email address	eunsoolim29@gmail[.]com	January 2025
IP	115.92.4[.]123 (likely compromised)	January 2025
Domain	securedrive.networkguru[.]com	January 2025
URL	hxxps://securedrive.fin-tech[.]com/docs/en/	January 2025
SHA256	06816634fb019b6ed276d36f414f3b36f99b845ddd1015c2b84a34e0b8d7f083 (Letter from Ambassador Cho Hyun-Dong.pdf)	January 2025
SHA256	0ff9c4bba39d6f363b9efdfa6b54127925b8c606ecef83a716a97576e288f6dd (temp.vbs)	January 2025

Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!