Multiple state-sponsored hacking groups from Iran, North Korea, and Russia have been found leveraging the increasingly popular ClickFix social engineering tactic to deploy malware over a three-month period from late 2024 through the beginning of 2025.
The phishing campaigns adopting the strategy have been attributed to clusters tracked as TA427 (aka Kimsuky), TA450 (aka MuddyWater), UNK_RemoteRogue, and TA422 (aka APT28).
ClickFix has been an initial access technique primarily affiliated with cybercrime groups, although the effectiveness of the approach has led to it also being adopted by nation-state groups.
“The incorporation of ClickFix is not revolutionizing the campaigns carried out by TA427, TA450, UNK_RemoteRogue, and TA422 but instead is replacing the installation and execution stages in existing infection chains,” enterprise security firm Proofpoint said in a report published today.
ClickFix, in a nutshell, refers to a sneaky technique that urges users to infect their own machine by following a series of instructions to copy, paste, and run malicious commands under the pretext of fixing an issue, completing a CAPTCHA verification, or registering their device.
Proofpoint said it first detected Kimsuky using ClickFix in January and February 2025 as part of a phishing campaign that targeted individuals in less than five organizations in the think tank sector.
“TA427 made initial contact with the target through a meeting request from a spoofed sender delivered to traditional TA427 targets working on North Korean affairs,” the Proofpoint research team said.
 |
| TA427 ClickFix infection chain |
“After a brief conversation to engage the target and build trust, as is often seen in TA427 activity, the attackers directed the target to an attacker-controlled site where they convinced the target to run a PowerShell command.”
The attack chain, the company explained, initiated a multi-stage sequence that culminated in the deployment of an open-source remote access trojan named Quasar RAT.
The email message purported to originate from a Japanese diplomat and asked the recipient to arrange a meeting with the Japanese ambassador to the United States. Over the course of the conversation, the threat actors sent a malicious PDF that contained a link to another document with a list of questions to be discussed during the meeting.
 |
| TA450 ClickFix infection chain |
Clicking on the link directed the victim to a fake landing page mimicking the Japanese Embassy website, which then prompted them to register their device by copying and pasting a command into the Windows Run dialog in order to download the questionnaire.
“The ClickFix PowerShell command fetches and executes a second remotely hosted PowerShell command, which displayed the decoy PDF referenced earlier in the chain (Questionnaire.pdf) to the user,” Proofpoint said. “The document claimed to be from the Ministry of Foreign Affairs in Japan and contained questions regarding nuclear proliferation and policy in Northeast Asia.”
The second PowerShell script is configured to create a Visual Basic Script that runs every 19 minutes by means of a scheduled task, which, in turn, downloads two batch scripts that create, decode, and execute the Quasar RAT payload. It’s worth pointing out that a variation of this attack chain was previously documented by Microsoft in February 2025.
 |
| UNK_RemoteRogue ClickFix infection chain |
The second nation-state group to latch on to ClickFix is the Iran-linked MuddyWater group that has taken advantage of the technique to legitimate remote monitoring and management (RMM) software like Level for maintaining persistent access.
The phishing emails, sent on November 13 and 14, 2024, coinciding with Microsoft’s Patch Tuesday updates, masqueraded as a security update from the tech giant, asking message recipients to follow ClickFix-style instructions to address a supposed vulnerability.
“The attackers deployed the ClickFix technique by persuading the target to first run PowerShell with administrator privileges, then copy and run a command contained in the email body,” Proofpoint said.
“The command was responsible for installing remote management and monitoring (RMM) software – in this case, Level – after which TA450 operators will abuse the RMM tool to conduct espionage and exfiltrate data from the target’s machine.”
The TA450 ClickFix campaign is said to target finance, government, health, education, and transportation sectors across the Middle East, with an emphasis on the United Arab Emirates (U.A.E.) and Saudi Arabia, as well as those located in Canada, Germany, Switzerland, and the United States.
Also observed boarding the ClickFix bandwagon is a suspected Russian group tracked as UNK_RemoteRogue towards the end of last year using lure emails sent from likely compromised Zimbra servers that included a link to a Microsoft Office document.
 |
| Timeline of standard campaigns and ClickFix sightings (Jul 2024 – Mar 2025) |
Visiting the link displayed a page containing instructions to copy code from the browser into their terminal, along with a YouTube video tutorial on how to run PowerShell. The PowerShell command was equipped with capabilities to run JavaScript that executed PowerShell code linked to the Empire command-and-control (C2) framework.
Proofpoint said the campaign sent 10 messages to individuals in two organizations associated with a major arms manufacturer in the defense industry. UNK_RemoteRogue has also been found to share infrastructure overlaps with another phishing campaign that targeted defense and aerospace entities with links to the ongoing conflict in Ukraine to harvest webmail credentials via fake login pages.
“Multiple examples of state-sponsored actors using ClickFix have shown not only the technique’s popularity among state actors, but also its use by various countries within weeks of one another,” the company said. “Although not a persistently used technique, it is likely that more threat actors from North Korea, Iran, and Russia have also tried and tested ClickFix or may in the near future.”
