CyberSecurity news
FlagThis
@techradar.com
//
State-sponsored hacking groups from North Korea, Iran, and Russia have been found leveraging the increasingly popular ClickFix social engineering tactic to deploy malware. This technique, which tricks users into clicking malicious links or executing malicious commands, has been adopted by advanced persistent threat (APT) groups, demonstrating the evolving nature of cyber threats and the increasing fluidity of tactics in the threat landscape. Researchers have observed these groups incorporating ClickFix into their espionage operations between late 2024 and early 2025.
Proofpoint researchers documented this shift, noting that the incorporation of ClickFix is replacing the installation and execution stages in existing infection chains. The technique involves using dialogue boxes with instructions to trick victims into copying, pasting, and running malicious commands on their machines. These commands, often disguised as solutions to fake error messages or security alerts, ultimately lead to the execution of harmful scripts. This dual-pronged approach makes ClickFix particularly insidious, as it leverages human interaction to bypass traditional security measures like antivirus software and firewalls.
Specific examples of ClickFix campaigns include North Korea's TA427 targeting think tanks with spoofed emails and malicious PowerShell commands, and Iran's TA450 targeting organizations in the Middle East with fake Microsoft security updates. Russian-linked groups, such as UNK_RemoteRogue and TA422, have also experimented with ClickFix, distributing infected Word documents or using Google spreadsheet mimics to execute PowerShell commands. Experts warn that while some groups experimented with the technique in limited campaigns before returning to standard tactics, this attack method is expected to become more widely tested or adopted by threat actors.
ImgSrc: cdn.mos.cms.fut
References :
Proofpoint researchers documented this shift, noting that the incorporation of ClickFix is replacing the installation and execution stages in existing infection chains. The technique involves using dialogue boxes with instructions to trick victims into copying, pasting, and running malicious commands on their machines. These commands, often disguised as solutions to fake error messages or security alerts, ultimately lead to the execution of harmful scripts. This dual-pronged approach makes ClickFix particularly insidious, as it leverages human interaction to bypass traditional security measures like antivirus software and firewalls.
Specific examples of ClickFix campaigns include North Korea's TA427 targeting think tanks with spoofed emails and malicious PowerShell commands, and Iran's TA450 targeting organizations in the Middle East with fake Microsoft security updates. Russian-linked groups, such as UNK_RemoteRogue and TA422, have also experimented with ClickFix, distributing infected Word documents or using Google spreadsheet mimics to execute PowerShell commands. Experts warn that while some groups experimented with the technique in limited campaigns before returning to standard tactics, this attack method is expected to become more widely tested or adopted by threat actors.
ImgSrc: cdn.mos.cms.fut
Share:
References :
- gbhackers.com: State Sponsored Hackers now Widely Using ClickFix Attack Technique in Espionage Campaigns
- The Hacker News: Multiple state-sponsored hacking groups from Iran, North Korea, and Russia have been found leveraging the increasingly popular ClickFix social engineering tactic to deploy malware
- www.scworld.com: Attacks leveraging the ClickFix social engineering technique have been increasingly conducted by state-backed threat operations to facilitate malware infections over the past few months, reports The Hacker News.
- www.bleepingcomputer.com: State-sponsored hackers embrace ClickFix social engineering tactic
- cyberpress.org: State-Sponsored Hackers Widely Deploy ClickFix Attack in Espionage Campaigns
- cybersecuritynews.com: State Sponsored Hackers Now Widely Using ClickFix Attack Technique in Espionage Campaigns
- Cyber Security News: State Sponsored Hackers Now Widely Using ClickFix Attack Technique in Espionage Campaigns
- gbhackers.com: State Sponsored Hackers now Widely Using ClickFix Attack Technique in Espionage Campaigns
- Cyber Security News: State Sponsored Hackers Widely Deploy ClickFix Attack in Espionage Campaigns
- www.techradar.com: State-sponsored actors spotted using ClickFix hacking tool developed by criminals
- BleepingComputer: ClickFix attacks are being increasingly adopted by threat actors of all levels, with researchers now seeing multiple advanced persistent threat (APT) groups from North Korea, Iran, and Russia utilizing the tactic to breach networks.
- securityonline.info: State-Sponsored Actors Adopt ClickFix Technique in Cyber Espionage
- hackread.com: State-Backed Hackers from North Korea, Iran and Russia Use ClickFix in New Espionage Campaigns
- hackread.com: North Korea, Iran, Russia-Backed Hackers Deploy ClickFix in New Attacks
- www.bleepingcomputer.com: State-sponsored hackers embrace ClickFix social engineering tactic
- sra.io: Beware of ClickFix: A Growing Social Engineering Threat
- The DefendOps Diaries: The Rise of ClickFix: A New Social Engineering Threat
- Anonymous ???????? :af:: ClickFix attacks are gaining traction among threat actors, with multiple advanced persistent threat (APT) groups from North Korea, Iran, and Russia adopting the technique in recent espionage campaigns.
- Know Your Adversary: 112. State-Sponsored Threat Actors Adopted ClickFix Technique
- www.itpro.com: State-sponsored cyber groups are flocking to the ‘ClickFix’ social engineering technique for the first time – and to great success.
- Proofpoint Threat Insight: Proofpoint researchers discovered state-sponsored actors from North Korea, Iran and Russia experimenting in multiple campaigns with the ClickFix social engineering technique as a stage in their infection chains.
- www.it-daily.net: ClickFix: From cyber trick to spy weapon
Classification:
- HashTags: #SocialEngineering #ClickFix #StateSponsored
- Company: Trend Micro
- Target: Users
- Product: Powershell
- Feature: ClickFix
- Malware: Powershell
- Type: Hack
- Severity: Medium