State-sponsored hackers embrace ClickFix social engineering tactic

Proofpoint reports that APT28, a GRU unit, also used ClickFix as early as October 2024, using phishing emails mimicking a Google Spreadsheet, a reCAPTCHA step, and PowerShell execution instructions conveyed via a pop-up. ClickFix attacks are gaining traction among threat actors, with multiple advanced persistent threat (APT) groups from North Korea, Iran, and Russia adopting the technique in recent espionage campaigns. Microsoft's Threat Intelligence team reported last February that the North Korean state actor 'Kimsuky' was also using it as part of a fake "device registration" web page. A new report from Proofpoint reveals that, between late 2024 and early 2025, Kimsuky (North Korea), MuddyWater (Iran), and also APT28 and UNK_RemoteRogue (Russia) have all used ClickFix in their targeted espionage operations. After establishing trust, the attackers sent a malicious PDF file linking to a fake secure drive that prompted the target to "register" by manually copying a PowerShell command into their terminal. The MuddyWater attacks took place in mid-November 2024, targeting 39 organizations in the Middle East with emails disguised as Microsoft security alerts. The third case concerns the Russian threat group UNK_RemoteRogue, which targeted two organizations closely related to a major arms manufacturer in December 2024. Clicking on the embedded link took targets to a fake Microsoft Word page with instructions in Russian and a YouTube video tutorial. ClickFix remains an effective method, as evidenced by its adoption across multiple state-backed groups, driven by the lack of awareness of unsolicited command execution. Bill Toulas Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks. Running the code executed JavaScript that launched PowerShell to connect to a server running the Empire command and control (C2) framework. Victims are then prompted to click a "Fix" button, which instructs them to run a PowerShell or command-line script, leading to the execution of malware on their devices. Starting with Kimsuky, the attacks were observed between January and February 2025, targeting think tanks focused on North Korea-related policy.

This Cyber News was published on www.bleepingcomputer.com. Publication date: Mon, 21 Apr 2025 13:55:03 +0000


Cyber News related to State-sponsored hackers embrace ClickFix social engineering tactic

Social Engineering Attacks: Tactics and Prevention - Social engineering attacks have become a significant concern in today's digital landscape, posing serious risks to the security and sensitive information of individuals and organizations. By comprehending these tactics and implementing preventive ...
1 year ago Securityzap.com
Social Engineering: The Art of Human Hacking - Social engineering exploits this vulnerability by manipulating human psychology and emotions to gain unauthorized access to systems and data. Rather than directly breaking cyber defenses, social engineering tactics exploit human vulnerabilities - ...
1 year ago Offsec.com
State Sponsored Hackers Now Widely Using ClickFix Attack Technique in Espionage Campaigns - While currently limited to experimental usage by these state-sponsored groups, the increasing popularity of ClickFix in both cybercrime and espionage campaigns suggests the technique will likely become more widely adopted as threat actors continue to ...
1 month ago Cybersecuritynews.com Kimsuky MuddyWater
Hacker Conversations: Stephanie 'Snow' Carruthers, Chief People Hacker at IBM X-Force Red - Social engineering is effectively hacking human thought processes. Social engineering is a major factor in the overall process but is not directly part of repurposing electronic systems. A social engineer is usually classified as a hacker, and is ...
1 year ago Securityweek.com
Interlock ransomware gang pushes fake IT tools in ClickFix attacks - The Interlock ransomware gang now uses ClickFix attacks that impersonate IT tools to breach corporate networks and deploy file-encrypting malware on devices. Though this isn't the first time ClickFix has been linked to ransomware infections, ...
1 month ago Bleepingcomputer.com
Social Engineering Awareness: How CISOs And SOC Heads Can Protect The Organization - By combining advanced technical controls with continuous training and a culture of security awareness, CISOs and SOC leaders can significantly reduce the risk of successful attacks. As technical defenses evolve and strengthen, attackers have shifted ...
1 month ago Cybersecuritynews.com
State-sponsored hackers embrace ClickFix social engineering tactic - Proofpoint reports that APT28, a GRU unit, also used ClickFix as early as October 2024, using phishing emails mimicking a Google Spreadsheet, a reCAPTCHA step, and PowerShell execution instructions conveyed via a pop-up. ClickFix attacks are gaining ...
1 month ago Bleepingcomputer.com APT28 Kimsuky MuddyWater
Hackers Employ New ClickFix Captcha Technique to Deliver Ransomware - The integration of Qakbot with the ClickFix technique allows attackers to bypass traditional security measures by leveraging user interaction to execute malicious commands. A sophisticated social engineering technique known as ClickFix has emerged, ...
2 months ago Cybersecuritynews.com
New ClickFix attack deploys Havoc C2 via Microsoft Sharepoint - A newly uncovered ClickFix phishing campaign is tricking victims into executing malicious PowerShell commands that deploy the Havok post-exploitation framework for remote access to compromised devices. Threat actors have also begun to evolve the ...
2 months ago Bleepingcomputer.com
Combatting Social Engineering - One popular cyber-attack method known as social engineering leverages human psychology to gather information and perform attacks instead. Social engineering is the psychological manipulation of people into performing actions or divulging confidential ...
1 year ago Cyberdefensemagazine.com
Social Justice: a global perspective - Today, we commemorate World Day of Social Justice and honor those across the globe who stand for the equitable access to opportunities within societies where individuals' rights are recognized and protected. I have the distinct honor of leading the ...
1 year ago Feedpress.me
Hackers now testing ClickFix attacks against Linux targets - A new campaign employing ClickFix attacks has been spotted targeting both Windows and Linux systems using instructions that make infections on either operating system possible. However, it is possible that APT36 is currently experimenting to ...
2 weeks ago Bleepingcomputer.com Transparent Tribe APT3
AI and the Evolution of Social Media - A decade ago, social media was celebrated for sparking democratic uprisings in the Arab world and beyond. In a 2022 survey, Americans blamed social media for the coarsening of our political discourse, the spread of misinformation, and the increase in ...
1 year ago Securityboulevard.com
ClickFix attack delivers infostealers, RATs in fake Booking.com emails - Microsoft is warning that an ongoing phishing campaign impersonating Booking.com is using ClickFix social engineering attacks to infect hospitality workers with various malware, including infostealers and RATs. In the phishing campaign discovered by ...
2 months ago Bleepingcomputer.com
iClicker hack targeted students with malware via fake CAPTCHA - The website of iClicker, a popular student engagement platform, was compromised in a ClickFix attack that used a fake CAPTCHA prompt to trick students and instructors into installing malware on their devices. According to a security alert from the ...
2 weeks ago Bleepingcomputer.com
OpenAI blocks state-sponsored hackers from using ChatGPT - OpenAI has removed accounts used by state-sponsored threat groups from Iran, North Korea, China, and Russia, that were abusing its artificial intelligence chatbot, ChatGPT. The AI research organization took action against specific accounts associated ...
1 year ago Bleepingcomputer.com Turla
Holiday Hackers: How to Safeguard Your Service Desk - Hackers really don't take holidays, but they will take advantage of them. Many of these cyberattacks will zero in on the service or help desk to gain entry into network systems. Recovering accounts because of forgotten passwords is one of the ...
1 year ago Bleepingcomputer.com
North Korean hackers adopt ClickFix attacks to target crypto firms - Sekoia says that Lazarus impersonates numerous well-known companies in the latest campaign, including Coinbase, KuCoin, Kraken, Circle, Securitize, BlockFi, Tether, Robinhood, and Bybit, from which the North Korean threat actors recently stole a ...
2 months ago Bleepingcomputer.com
How software engineering will evolve in 2024 - From artificial intelligence and digital twin technologies, to platform engineering rooted in devops principles, to chaos engineering techniques that enhance resilience, to the expanded use of internal developer portals that boost productivity, ...
1 year ago Infoworld.com
Iran's Peach Sandstorm Deploy FalseFont Backdoor in Defense Sector - In its latest campaign, Iranian state-backed hackers, Peach Sandstorm, employs FalseFont backdoor for intelligence gathering on behalf of the Iranian government. Cybersecurity researchers at Microsoft Threat Intelligence Unit have uncovered the ...
1 year ago Hackread.com
The Psychology of Social Engineering - What Security Leaders Should Know - Creating a security culture that addresses the psychological dimensions of social engineering requires a fundamental shift in how security leaders approach human vulnerability. When examining security incidents, leaders often focus on which technical ...
1 month ago Cybersecuritynews.com
The Psychology of Social Engineering - What Security Leaders Should Know - Creating psychological resilience against social engineering demands that security leaders adopt a fundamentally different approach to human security aspects. Effective security leaders understand that building true organizational resilience requires ...
1 month ago Cybersecuritynews.com
Russian hackers use Ngrok feature and WinRAR exploit to attack embassies - After Sandworm and APT28, another state-sponsored Russian hacker group, APT29, is leveraging the CVE-2023-38831 vulnerability in WinRAR for cyberattacks. APT29 is tracked under different names and has been targeting embassy entities with a BMW car ...
1 year ago Bleepingcomputer.com CVE-2023-38831 APT28 APT29
ClickFix Captcha - A Creative Technique That Allow Attackers Deliver Malware and Ransomware on Windows - This technique, known as ClickFix Captcha, exploits users’ trust in familiar web elements to bypass traditional security measures and deliver malicious payloads to Windows systems. The researchers noted the commands typically invoke PowerShell ...
2 months ago Cybersecuritynews.com
Lampion Banking Malware Employs ClickFix Lures To Steal Banking Information - Once executed, the malware begins its covert operation to harvest banking credentials, credit card information, and other sensitive financial data from compromised systems. A sophisticated banking trojan known as Lampion has resurfaced with an ...
3 weeks ago Cybersecuritynews.com