@techradar.com
//
State-sponsored hacking groups from North Korea, Iran, and Russia have been found leveraging the increasingly popular ClickFix social engineering tactic to deploy malware. This technique, which tricks users into clicking malicious links or executing malicious commands, has been adopted by advanced persistent threat (APT) groups, demonstrating the evolving nature of cyber threats and the increasing fluidity of tactics in the threat landscape. Researchers have observed these groups incorporating ClickFix into their espionage operations between late 2024 and early 2025.
Proofpoint researchers documented this shift, noting that the incorporation of ClickFix is replacing the installation and execution stages in existing infection chains. The technique involves using dialogue boxes with instructions to trick victims into copying, pasting, and running malicious commands on their machines. These commands, often disguised as solutions to fake error messages or security alerts, ultimately lead to the execution of harmful scripts. This dual-pronged approach makes ClickFix particularly insidious, as it leverages human interaction to bypass traditional security measures like antivirus software and firewalls.
Specific examples of ClickFix campaigns include North Korea's TA427 targeting think tanks with spoofed emails and malicious PowerShell commands, and Iran's TA450 targeting organizations in the Middle East with fake Microsoft security updates. Russian-linked groups, such as UNK_RemoteRogue and TA422, have also experimented with ClickFix, distributing infected Word documents or using Google spreadsheet mimics to execute PowerShell commands. Experts warn that while some groups experimented with the technique in limited campaigns before returning to standard tactics, this attack method is expected to become more widely tested or adopted by threat actors.
References :
- gbhackers.com: State Sponsored Hackers now Widely Using ClickFix Attack Technique in Espionage Campaigns
- The Hacker News: Multiple state-sponsored hacking groups from Iran, North Korea, and Russia have been found leveraging the increasingly popular ClickFix social engineering tactic to deploy malware
- www.scworld.com: Attacks leveraging the ClickFix social engineering technique have been increasingly conducted by state-backed threat operations to facilitate malware infections over the past few months, reports The Hacker News.
- www.bleepingcomputer.com: State-sponsored hackers embrace ClickFix social engineering tactic
- cyberpress.org: State-Sponsored Hackers Widely Deploy ClickFix Attack in Espionage Campaigns
- cybersecuritynews.com: State Sponsored Hackers Now Widely Using ClickFix Attack Technique in Espionage Campaigns
- Cyber Security News: State Sponsored Hackers Now Widely Using ClickFix Attack Technique in Espionage Campaigns
- gbhackers.com: State Sponsored Hackers now Widely Using ClickFix Attack Technique in Espionage Campaigns
- Cyber Security News: State Sponsored Hackers Widely Deploy ClickFix Attack in Espionage Campaigns
- www.techradar.com: State-sponsored actors spotted using ClickFix hacking tool developed by criminals
- BleepingComputer: ClickFix attacks are being increasingly adopted by threat actors of all levels, with researchers now seeing multiple advanced persistent threat (APT) groups from North Korea, Iran, and Russia utilizing the tactic to breach networks.
- securityonline.info: State-Sponsored Actors Adopt ClickFix Technique in Cyber Espionage
- hackread.com: State-Backed Hackers from North Korea, Iran and Russia Use ClickFix in New Espionage Campaigns
- hackread.com: North Korea, Iran, Russia-Backed Hackers Deploy ClickFix in New Attacks
- www.bleepingcomputer.com: State-sponsored hackers embrace ClickFix social engineering tactic
- sra.io: Beware of ClickFix: A Growing Social Engineering Threat
- The DefendOps Diaries: The Rise of ClickFix: A New Social Engineering Threat
- Anonymous ???????? :af:: ClickFix attacks are gaining traction among threat actors, with multiple advanced persistent threat (APT) groups from North Korea, Iran, and Russia adopting the technique in recent espionage campaigns.
- Know Your Adversary: 112. State-Sponsored Threat Actors Adopted ClickFix Technique
- www.itpro.com: State-sponsored cyber groups are flocking to the ‘ClickFix’ social engineering technique for the first time – and to great success.
- Proofpoint Threat Insight: Proofpoint researchers discovered state-sponsored actors from North Korea, Iran and Russia experimenting in multiple campaigns with the ClickFix social engineering technique as a stage in their infection chains.
- www.it-daily.net: ClickFix: From cyber trick to spy weapon
Classification:
Bill Mann@CyberInsider
//
A critical unpatched zero-day vulnerability in Microsoft Windows is being actively exploited by 11 state-sponsored threat groups for espionage, data theft, and financially motivated campaigns since 2017. The flaw, tracked as ZDI-CAN-25373, involves the use of crafted Windows Shortcut (.LNK) files to execute hidden malicious commands. This allows attackers to gain unauthorized access to systems, steal sensitive data, and potentially conduct cyber espionage activities targeting governments, private entities, financial organizations, think tanks, telecommunication service providers, and military/defense agencies across multiple countries.
The attacks leverage hidden command line arguments within the malicious .LNK files, making detection difficult by padding the arguments with whitespace characters. Nearly 1,000 .LNK file artifacts exploiting the vulnerability have been found, and linked to APT groups from China, Iran, North Korea, and Russia. In these attacks, the .LNK files act as a delivery vehicle for malware families like Lumma Stealer, GuLoader, and Remcos RAT. Microsoft considers the issue a low severity user interface misrepresentation and does not plan to release a fix.
References :
- The Hacker News: An unpatched security flaw impacting Microsoft Windows has been exploited by 11 state-sponsored groups from China, Iran, North Korea, and Russia as part of data theft, espionage, and financially motivated campaigns that date back to 2017.
- ZDI: Published Advisories: ZDI-25-148: (0Day) Microsoft Windows LNK File UI Misrepresentation Remote Code Execution Vulnerability
- The Register - Security: Microsoft isn't fixing 8-year-old shortcut exploit abused for spying
- securityaffairs.com: State-Sponsored Actors and Cybercrime Gangs Abuse Malicious .lnk Files for Espionage and Data Theft
- The DefendOps Diaries: Exploiting Windows Zero-Day Vulnerabilities: The Role of State-Sponsored Hacking Groups
- BleepingComputer: New Windows zero-day exploited by 11 state hacking groups since 2017
- CyberInsider: Microsoft Declines to Fix Actively Exploited Windows Zero-Day Vulnerability
- socradar.io: Windows Shortcut Zero-Day (ZDI-CAN-25373) Exploited by State-Backed Threat Actors Since 2017: Overview of Key Details
- Virus Bulletin: Trend Micro ZDI's Peter Girnus & Aliakbar Zahravi describe how researchers uncovered both state-sponsored and cybercriminal groups extensively exploiting ZDI-CAN-25373, a Windows .lnk file vulnerability that enables hidden command execution.
- Tech Monitor: A Windows shortcut vulnerability, identified as ZDI-CAN-25373, has been exploited in widespread cyber espionage campaigns.
- www.ghacks.net: Windows has an 8-year-old security issue that is exploited and known by Microsoft for some time
- www.cybersecuritydive.com: 11 nation-state groups exploit unpatched Microsoft zero-day
- www.techradar.com: An unpatched Windows zero-day flaw has been exploited by 11 nation-state attackers
- Security Risk Advisors: APT Groups Exploit Unpatched Windows Shortcut Vulnerability for Espionage and Data Theft
- hackread.com: 11 Nation-State Hackers Exploit Unpatched Windows Flaw Since 2017
- : Windows Shortcut Flaw Exploited by 11 State-Sponsored Groups
- securityonline.info: A recently uncovered vulnerability, ZDI-CAN-25373, identified by the Trend Zero Day Initiative (ZDI), is at the center of the
- Blog: Microsoft reluctant to patch Windows zero-day exploited by nation-state hackers
- Virus Bulletin: Trend Micro ZDI's Peter Girnus & Aliakbar Zahravi describe how researchers uncovered both state-sponsored and cybercriminal groups extensively exploiting ZDI-CAN-25373, a Windows .lnk file vulnerability that enables hidden command execution.
- Sam Bent: Windows Shortcut Zero-Day Used by Nation-States
- www.trendmicro.com: ZDI-CAN-25373: Windows Shortcut Exploit Abused as Zero-Day in Widespread APT Campaigns
- Logpoint: Windows Shell Link Vulnerability ZDI-CAN-25373: Detecting Hidden Commands
- SecureWorld News: Nation-State Hackers Exploit Windows Shortcut Zero-Day Vulnerability
- Information Security Buzz: Windows Shortcut Zero-Day Under Active Attack
- borncity.com: Windows shortcut exploit used by state hackers as a 0-day since 2017
- Threats | CyberScoop: Nation-state groups hit hundreds of organizations with Microsoft Windows zero-day
- Help Net Security: APTs have been using zero-day Windows shortcut exploit for eight years (ZDI-CAN-25373)
- aboutdfir.com: Microsoft isn’t fixing 8-year-old shortcut exploit abused for spying
- securityboulevard.com: Microsoft Won’t Fix This Bad Zero Day (Despite Wide Abuse)
- aboutdfir.com: Microsoft isn’t fixing 8-year-old shortcut exploit abused for spying An exploitation avenue found by Trend Micro in Windows has been used in an eight-year-long spying campaign, but there’s no sign of a fix from Microsoft, which apparently considers this a low priority.
Classification:
- HashTags: #APT #ZeroDay #Espionage
- Company: Microsoft
- Target: Various organizations
- Attacker: State-sponsored groups
- Product: Windows
- Feature: lnk file execution
- Malware: lnk
- Type: Espionage
- Severity: Major
|
|
FlagThis - #statesponsored
