Full Report
Multiple state-sponsored hacking groups from Iran, North Korea, and Russia have been found leveraging the increasingly popular ClickFix social engineering tactic to deploy malware over a three-month period from late 2024 through the beginning of 2025. The phishing campaigns adopting the strategy have been attributed to clusters tracked as TA427 (aka Kimsuky), TA450 (aka MuddyWater,
Analysis Summary
# Threat Actor: TA427 (Kimsuky)
## Attribution & Identity
Attributed to North Korea. Known aliases include Kimsuky.
## Activity Summary
TA427 was detected using the 'ClickFix' social engineering tactic in January and February 2025. This was part of a phishing campaign targeting individuals in fewer than five organizations within the think tank sector. Initial contact was reportedly made via a meeting request from a spoofed sender concerning North Korean affairs, followed by a trust-building conversation, after which the target was directed to an attacker-controlled site to run a malicious PowerShell command. The activity culminated in the deployment of Quasar RAT.
## Tactics, Techniques & Procedures
- Leveraging the social engineering tactic known as 'ClickFix' to trick users into running malicious commands.
- Using meeting requests from spoofed senders to initiate contact.
- Utilizing a multi-stage attack chain initiated by a PowerShell command.
- Creating a scheduled task to run a VBScript every 19 minutes for persistence.
- **Infection Chain Details (TA427 specific):**
  1. Initial contact via email (meeting request).
  2. Trust building via conversation.
  3. Directing the victim to a fake landing page (mimicking the Japanese Embassy) to run a PowerShell command under the guise of device registration.
  4. The PowerShell command fetches and executes a second remote PowerShell command.
  5. The second script creates and executes a decoded Quasar RAT payload.
## Targeting
- Sectors: Think tank sector.
- Geography: Not explicitly detailed for this specific campaign, but targets are related to North Korean affairs.
- Victims: Individuals in fewer than five organizations in the think tank sector.
## Tools & Infrastructure
- Malware families used: Quasar RAT (an open-source remote access trojan).
- Infrastructure (C2, domains, IPs): Attacker-controlled site used for initial payload hosting.
## Implications
TA427's adoption of ClickFix indicates the group is integrating modern, user-interaction-heavy initial access techniques into their established espionage campaigns. This suggests an adaptation away from traditional direct malware execution toward deceptive user-driven infection chains.
## Mitigations
- User education regarding the 'ClickFix' technique (i.e., instructions to copy, paste, and run commands under the guise of 'fixing' an issue or verification).
- Vigilance when receiving meeting requests, especially if the context involves sensitive geopolitical topics, and inspecting sender profiles thoroughly.
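A detection check for the persistence behaviour noted above (a scheduled task that runs a VBScript on a short repetition interval), written as an added example for this summary rather than code from the report or from any vendor. It parses Task Scheduler task XML, the same format Windows logs in the TaskContent field of event 4698, and flags Exec actions that invoke a script host or a .vbs file with a repetition interval at or under a threshold; the task definitions below are constructed samples.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Windows Task Scheduler task definitions (as logged in event 4698 TaskContent).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

def iso_duration_minutes(value):
    """Convert an ISO 8601 duration such as PT19M or PT1H30M to minutes; None if unparseable."""
    m = re.fullmatch(r"P(?:(\d+)D)?T?(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?", value or "")
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 1440 + h * 60 + mi + s / 60

def suspicious_task(task_xml, max_interval_minutes=60):
    """Flag Exec actions that run a script host (or a .vbs) on a repetition interval
    of max_interval_minutes or less. Returns a list of findings (empty when clean)."""
    root = ET.fromstring(task_xml)
    intervals = [iso_duration_minutes(i.text) for i in root.findall(".//t:Repetition/t:Interval", NS)]
    short = [m for m in intervals if m is not None and m <= max_interval_minutes]
    findings = []
    for ex in root.findall(".//t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS).strip()
        args = ex.findtext("t:Arguments", default="", namespaces=NS).strip()
        script_host = cmd.lower().replace("/", "\\").split("\\")[-1] in SCRIPT_HOSTS
        if (script_host or ".vbs" in args.lower()) and short:
            findings.append({"command": cmd, "arguments": args, "interval_minutes": min(short)})
    return findings

# Constructed sample (not from the report): wscript runs a .vbs every 19 minutes.
SAMPLE_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT19M</Interval></Repetition>
    <StartBoundary>2025-01-15T09:00:00</StartBoundary><Enabled>true</Enabled>
  </TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Windows\System32\wscript.exe</Command>
    <Arguments>//B C:\Users\Public\update.vbs</Arguments>
  </Exec></Actions>
</Task>"""

# Constructed benign sample: a daily job with no repetition and no script host.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2025-01-15T02:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions><Exec><Command>C:\Tools\backup.exe</Command><Arguments>--full</Arguments></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml in (("sample", SAMPLE_TASK), ("benign", BENIGN_TASK)):
        print(name, suspicious_task(xml))
```

The threshold is deliberately generous (one hour) so that the check catches intervals other than the 19 minutes reported here; tune it against your own baseline of legitimate short-interval tasks.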
***
# Threat Actor: TA450 (MuddyWater)
## Attribution & Identity
Attributed to Iran. Known aliases include MuddyWater, UNK\_RemoteRogue (Note: The text appears to conflate UNK\_RemoteRogue with TA450/MuddyWater in one section, but TA450 is clearly linked to Iran).
## Activity Summary
The Iran-linked MuddyWater group adopted the ClickFix technique to deploy legitimate Remote Monitoring and Management (RMM) software, specifically Level, to maintain persistent access. The phishing emails were sent around November 13-14, 2024, coinciding with Microsoft Patch Tuesday, masquerading as security updates. Victims were persuaded to run a PowerShell command with administrator privileges to install the RMM tool.
## Tactics, Techniques & Procedures
- Leveraging the 'ClickFix' social engineering technique.
- Masquerading emails as security updates from Microsoft.
- Persuading targets to run a PowerShell command with *administrator privileges*.
- **Infection Chain Details (TA450 specific):**
  1. Initial phishing email referencing a supposed vulnerability requiring urgent remediation.
  2. Target runs a PowerShell command provided in the email body with admin rights.
  3. Command installs remote monitoring and management (RMM) software (**Level**).
  4. Operators use the RMM tool for espionage and data exfiltration.
## Targeting
- Sectors: Finance, government, health, education, and transportation sectors.
- Geography: Middle East (emphasis on UAE and Saudi Arabia), Canada, Germany, Switzerland, and the United States.
- Victims: Organizations within the targeted sectors across listed geographies.
## Tools & Infrastructure
- Malware families used: Level (used as a legitimate RMM tool for persistence).
- Infrastructure (C2, domains, IPs): Not detailed beyond the use of the installed RMM C2 channels for post-exploitation.
## Implications
TA450 is using ClickFix to establish persistent, legitimate-looking backdoors (via RMM tools). Targeting critical sectors across the Middle East and the West suggests an ongoing strategic espionage mandate tied to Iranian national interests. Sending the lures around Patch Tuesday shows opportunistic timing, since recipients expect security-update messages then.
## Mitigations
- Strict policy against running PowerShell commands from untrusted emails, even if framed as security or administrative tasks.
- Implementing strong restrictions on which users possess administrator rights for routine operations.
- Monitoring for the installation and execution of non-standard RMM software during business hours.
***
# Threat Actor: UNK\_RemoteRogue
## Attribution & Identity
Suspected Russian state-sponsored group. (Note: The description confusingly mentions TA422/APT28 alongside UNK\_RemoteRogue as adopting ClickFix; however, UNK\_RemoteRogue's specific TTPs are detailed separately.)
## Activity Summary
Observed jumping on the ClickFix bandwagon towards the end of 2024. Lure emails were sent from likely compromised Zimbra servers, directing victims to a Microsoft Office document link. The link displayed instructions to copy code from the browser into the terminal, accompanied by a YouTube tutorial on running PowerShell. This ultimately executed code linked to the Empire C2 framework. The campaign targeted two specific organizations associated with a major arms manufacturer in the defense industry.
## Tactics, Techniques & Procedures
- Leveraging the 'ClickFix' social engineering technique.
- Using emails originating from compromised **Zimbra** servers as a delivery vector.
- Providing instructions to copy code directly from the browser into the terminal/console.
- Using a linked **YouTube video tutorial** to guide users on running PowerShell.
- PowerShell command executed includes capabilities to run JavaScript that executes subsequent PowerShell code.
- **Observed framework:** Empire command-and-control (C2) framework.
- Shared infrastructure overlap with another campaign targeting defense/aerospace entities regarding the Ukraine conflict (suggesting alignment with Russian intelligence objectives).
## Targeting
- Sectors: Defense industry (major arms manufacturer).
- Geography: Not explicitly detailed, but linked to conflict in Ukraine indirectly via infrastructure overlap.
- Victims: Individuals in two organizations associated with a major arms manufacturer.
## Tools & Infrastructure
- Malware families used: Empire command-and-control (C2) framework components.
- Infrastructure (C2, domains, IPs): Likely compromised Zimbra servers used for initial delivery; Empire C2 used for post-exploitation communications.
## Implications
This group exhibits tradecraft common in Russian intelligence operations, including leveraging compromised infrastructure (Zimbra) and integrating tutorial content (YouTube) to ensure successful execution of complex, multi-step attacks against high-value defense targets.
## Mitigations
- Immediate patching and securing of mail servers, particularly Zimbra deployment.
- Improved monitoring for anomalous behaviour following terminal input that originated from web browser content (a command pasted from a browser into a PowerShell console).
- Restricting or auditing the use of the Empire C2 framework within the environment.
***
# Threat Actor: TA422 (APT28)
*(Note: TA422/APT28 is listed as one of the groups adopting ClickFix, but no specific, unique TTPs or targets related *only* to TA422's ClickFix usage are detailed in the article, unlike the others.)*
## Attribution & Identity
Attributed to Russia. Known aliases include APT28.
## Activity Summary
Mentioned as one of the state-sponsored actors observed leveraging the ClickFix social engineering tactic over the three-month observation period (late 2024/early 2025).
## Tactics, Techniques & Procedures
- Utilized the general 'ClickFix' social engineering technique.
## Targeting
- Specific targeting for TA422's ClickFix campaigns was not detailed beyond the generalized observation.
## Tools & Infrastructure
- Not specified in detail within this report's unique findings for TA422.
## Implications
TA422's inclusion confirms the widespread adoption of this specific user-driven infection strategy across major Russian state-sponsored entities.
## Mitigations
- General defense against user-driven execution of code following unexpected instructions.