State Sponsored Hackers Now Widely Using ClickFix Attack Technique in Espionage Campaigns

While currently limited to experimental usage by these state-sponsored groups, the increasing popularity of ClickFix in both cybercrime and espionage campaigns suggests the technique will likely become more widely adopted as threat actors continue to refine their social engineering approaches. Security researchers have identified a concerning trend in the cyber threat landscape as state-sponsored hackers from multiple countries have begun adopting a relatively new social engineering technique called “ClickFix” in their espionage operations. Proofpoint researchers noted that over a relatively short three-month period from late 2024 through early 2025, state-sponsored threat actors from North Korea, Iran, and Russia all incorporated the ClickFix technique into their routine espionage campaigns. The migration of ClickFix from cybercriminal to state-sponsored usage represents a notable shift in the threat landscape, as it effectively replaces traditional installation and execution stages in existing infection chains with a method that leverages human interaction to bypass security measures. The technique, which emerged in early March 2024 in cybercriminal circles, has rapidly gained popularity among advanced persistent threat (APT) groups due to its effectiveness in bypassing traditional security controls. Similar techniques were observed in campaigns by Iranian group TA450 (also known as MuddyWater) and Russian threat actors, each adapting ClickFix to their existing tactics and infrastructure. Despite its growing popularity, researchers observed that most groups experimented with the technique in limited campaigns before returning to their standard operational tactics. ClickFix represents a creative social engineering approach that employs dialogue boxes with instructions to trick victims into copying, pasting, and running malicious commands on their machines. One particularly sophisticated application was observed in campaigns associated with TA427, a threat actor linked to North Korea (also known as Kimsuky or Emerald Sleet).

This Cyber News was published on cybersecuritynews.com. Publication date: Sat, 19 Apr 2025 14:25:13 +0000


Cyber News related to State Sponsored Hackers Now Widely Using ClickFix Attack Technique in Espionage Campaigns

State Sponsored Hackers Now Widely Using ClickFix Attack Technique in Espionage Campaigns - While currently limited to experimental usage by these state-sponsored groups, the increasing popularity of ClickFix in both cybercrime and espionage campaigns suggests the technique will likely become more widely adopted as threat actors continue to ...
3 months ago Cybersecuritynews.com Kimsuky MuddyWater
ClickFix Attack Emerges by Over 500% - Hackers Actively Using This Technique to Trick Users - The attack presents victims with fake error messages or verification prompts that appear legitimate, instructing them to copy and paste seemingly harmless commands to resolve fictitious technical issues. Unlike traditional attack methods, ClickFix ...
1 month ago Cybersecuritynews.com Kimsuky Lazarus Group MuddyWater APT3
Hackers Employ New ClickFix Captcha Technique to Deliver Ransomware - The integration of Qakbot with the ClickFix technique allows attackers to bypass traditional security measures by leveraging user interaction to execute malicious commands. A sophisticated social engineering technique known as ClickFix has emerged, ...
4 months ago Cybersecuritynews.com
Cybersecurity Awareness Campaigns in Education - Cybersecurity awareness campaigns in education are essential to protect digital systems and information. The target audience for cybersecurity awareness campaigns in education includes students, teachers, administrators, and other staff members. ...
1 year ago Securityzap.com
State-sponsored hackers embrace ClickFix social engineering tactic - Proofpoint reports that APT28, a GRU unit, also used ClickFix as early as October 2024, using phishing emails mimicking a Google Spreadsheet, a reCAPTCHA step, and PowerShell execution instructions conveyed via a pop-up. ClickFix attacks are gaining ...
3 months ago Bleepingcomputer.com APT28 Kimsuky MuddyWater
Kimsuky Hackers Using ClickFix Technique to Execute Malicious Scripts on Victim Machines - Cyber Security News - The attackers impersonate legitimate entities, including government officials, news correspondents, and security personnel, to establish trust before delivering malicious payloads through encrypted archives or deceptive websites designed to mimic ...
1 month ago Cybersecuritynews.com Kimsuky
Chinese Hackers Exploit Microsoft Exchange Servers to Steal COVID-19 Research Data - A sophisticated cyberattack orchestrated by Chinese state-sponsored hackers has exposed vulnerabilities in the global cybersecurity infrastructure, targeting critical COVID-19 research from American universities and exploiting Microsoft Exchange ...
4 weeks ago Cybersecuritynews.com HAFNIUM
Interlock ransomware gang pushes fake IT tools in ClickFix attacks - The Interlock ransomware gang now uses ClickFix attacks that impersonate IT tools to breach corporate networks and deploy file-encrypting malware on devices. Though this isn't the first time ClickFix has been linked to ransomware infections, ...
3 months ago Bleepingcomputer.com
8-Year Old Windows Shortcut Zero-Day Exploited by 11 State-Sponsored Groups - Some North Korean threat actors, such as Earth Manticore (APT37) and Earth Imp (Konni), have been using extremely large .lnk files – with sizes up to 70.1 MB – containing excessive whitespace and junk content to further evade detection. ...
4 months ago Cybersecuritynews.com APT37 APT3
Feds Disrupt Botnet Used by Russian APT28 Hackers - Federal law enforcement kicked Russian state hackers off a botnet comprising at least hundreds of home office and small office routers that had been pulled together by a cybercriminal group and co-opted by the state-sponsored spies. APT28, an ...
1 year ago Securityboulevard.com Fancy Bear APT28 Volt Typhoon
Interlock ransomware adopts FileFix method to deliver malware - In the FileFix variation, the attacker weaponizes trusted Windows UI elements, such as File Explorer and HTML Applications (.HTA), to trick users into executing malicious PowerShell or JavaScript code without displaying any security warnings. This ...
3 weeks ago Bleepingcomputer.com
Inside a Real Clickfix Attack: How This Social Engineering Hack Unfolds - Coined initially as “ClickFix” because the social engineering prompts were telling the user they ought to “fix” a problem with their browser and required the user to click an element, this term is now ascribed to any similar ...
1 week ago Bleepingcomputer.com
Weekly Cybersecurity Recap : Sharepoint 0-day, Vmware Exploitation, Threats and Cyber Attacks - Tracked as CVE-2025-12345, this flaw allows remote code execution (RCE) without authentication, potentially enabling attackers to compromise sensitive data or deploy malware on affected servers. The U.S. Cybersecurity and Infrastructure Security ...
1 week ago Cybersecuritynews.com CVE-2025-12345 APT41
APT Hackers Attacking Maritime and Shipping Industry to Launch Ransomware Attacks - The Turla/Tomiris group has particularly refined this approach, utilizing infected USB drives containing industrial espionage tools that eventually deploy ransomware across entire fleet management networks, effectively holding maritime operations ...
1 week ago Cybersecuritynews.com Mustang Panda CVE-2022-22707 APT41 Turla
China-Sponsored Attackers Target 40K Corporate Users in 90 Days - Three novel credential-phishing campaigns have emerged from state-sponsored actors that have compromised at least 40,000 corporate users - including top-level executives - in just three months' time, researchers have found. The attacks target a range ...
1 year ago Darkreading.com
ClickFix Captcha - A Creative Technique That Allow Attackers Deliver Malware and Ransomware on Windows - This technique, known as ClickFix Captcha, exploits users’ trust in familiar web elements to bypass traditional security measures and deliver malicious payloads to Windows systems. The researchers noted the commands typically invoke PowerShell ...
4 months ago Cybersecuritynews.com
Hackers now testing ClickFix attacks against Linux targets - A new campaign employing ClickFix attacks has been spotted targeting both Windows and Linux systems using instructions that make infections on either operating system possible. However, it is possible that APT36 is currently experimenting to ...
2 months ago Bleepingcomputer.com Transparent Tribe APT3
New LUMMAC.V2 Stealer Using ClickFix Technique to Trick Users in Execute Malicious Commands - Cyber Security News - The LUMMAC.V2 campaign represents a significant threat not only due to its extensive data theft capabilities but also because it exploits human behavior rather than technical vulnerabilities, making traditional security measures less effective at ...
3 months ago Cybersecuritynews.com
North Korean hackers adopt ClickFix attacks to target crypto firms - Sekoia says that Lazarus impersonates numerous well-known companies in the latest campaign, including Coinbase, KuCoin, Kraken, Circle, Securitize, BlockFi, Tether, Robinhood, and Bybit, from which the North Korean threat actors recently stole a ...
4 months ago Bleepingcomputer.com
New ClickFix attack deploys Havoc C2 via Microsoft Sharepoint - A newly uncovered ClickFix phishing campaign is tricking victims into executing malicious PowerShell commands that deploy the Havok post-exploitation framework for remote access to compromised devices. Threat actors have also begun to evolve the ...
5 months ago Bleepingcomputer.com
iClicker hack targeted students with malware via fake CAPTCHA - The website of iClicker, a popular student engagement platform, was compromised in a ClickFix attack that used a fake CAPTCHA prompt to trick students and instructors into installing malware on their devices. According to a security alert from the ...
2 months ago Bleepingcomputer.com
FBI disrupts Moobot botnet used by Russian military hackers - The FBI took down a botnet of small office/home office routers used by Russia's Main Intelligence Directorate of the General Staff in spearphishing and credential theft attacks targeting the United States and its allies. This network of hundreds of ...
1 year ago Bleepingcomputer.com Fancy Bear APT28 Turla Volt Typhoon
ClickFix attack delivers infostealers, RATs in fake Booking.com emails - Microsoft is warning that an ongoing phishing campaign impersonating Booking.com is using ClickFix social engineering attacks to infect hospitality workers with various malware, including infostealers and RATs. In the phishing campaign discovered by ...
4 months ago Bleepingcomputer.com
Hackers breach Australian court hearing database - The court system for Australia's second-most-populated state was hit by a ransomware attack that potentially exposed sensitive recordings of some court hearings. Court Services Victoria, an administrative body that supports the operations of the ...
1 year ago Therecord.media Qilin
Russian hackers use Ngrok feature and WinRAR exploit to attack embassies - After Sandworm and APT28, another state-sponsored Russian hacker group, APT29, is leveraging the CVE-2023-38831 vulnerability in WinRAR for cyberattacks. APT29 is tracked under different names and has been targeting embassy entities with a BMW car ...
1 year ago Bleepingcomputer.com CVE-2023-38831 APT28 APT29