.jpg)
![What’s new in Android’s April 2025 Google System Updates [U: 4/18]](https://i0.wp.com/9to5google.com/wp-content/uploads/sites/4/2025/01/google-play-services-3.jpg?resize=1200%2C628&quality=82&strip=all&ssl=1)
![[Webinar] AI Is Already Inside Your SaaS Stack — Learn How to Prevent the Next Silent Breach](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOWn65wd33dg2uO99NrtKbpYLfcepwOLidQDMls0HXKlA91k6HURluRA4WXgJRAZldEe1VReMQZyyYt1PgnoAn5JPpILsWlXIzmrBSs_TBoyPwO7hZrWouBg2-O3mdeoeSGY-l9_bsZB7vbpKjTSvG93zNytjxgTaMPqo9iq9Z5pGa05CJOs9uXpwHFT4/s1600/ai-cyber.jpg?#)
State-sponsored actors spotted using ClickFix hacking tool developed by criminals
Iranians, Russians, and North Koreans have been observed trying to trick their targets into running shady commands on their computers.
- Proofpoint says multiple state-sponsored groups seen using ClickFix attack technique
- Russians, North Koreans, and Iranians all involved
- State-sponsored actors are mostly engaged in cyber-espionage
The ClickFix attack technique has gotten so popular that even state-sponsored threat actors are using it, research from Proofpoint claims, having observed at least three groups leveraging the method in the final quarter of 2024.
In an in-depth report, Proofpoint said it saw Kimsuky, MuddyWater, UNK_RemoteRogue, and APT28, all using ClickFix in their attack chains.
Kimsuky is a known North Korean threat actor, MuddyWater is Iranian, while UNK_RemoteRogue and APT28 are allegedly Russian. Aside from North Korea’s Lazarus Group, state-sponsored threat actors are mostly engaged in cyber-espionage, stealing sensitive information from diplomats, critical infrastructure organizations, think tanks, and similar organizations from adversary states.
Monitor your credit score with TransUnion starting at $29.95/month
TransUnion is a credit monitoring service that helps you stay on top of your financial health. With real-time alerts, credit score tracking, and identity theft protection, it ensures you never miss important changes. You'll benefit from a customizable online interface with clear insights into your credit profile. Businesses also benefit from TransUnion’s advanced risk assessment tools.
Preferred partner (What does this mean?)View Deal
No revolution
"The incorporation of ClickFix is not revolutionizing the campaigns carried out by TA427, TA450, UNK_RemoteRogue, and TA422 but instead is replacing the installation and execution stages in existing infection chains," Proofpoint explained.
ClickFix has been making headlines for months now. It is a social engineering tactic similar to ancient “You’ve got a virus” popups that used to plague internet sites two decades ago.
Originally, the popup would invite the visitor to download and run an antivirus program which was, in fact, just malware.
When the industry addressed this attack by striking the infrastructure, crooks pivoted to leaving a phone number for alleged IT support.
Victims calling this number would be tricked into installing remote desktop programs, giving crooks the ability to download and run malware on their devices.
The ClickFix attack takes this method and gives it a unique spin. It still starts with a popup but sometimes the victims are also asked to “complete a CAPTCHA”, “verify their identity”, or similar. The process doesn’t require them clicking on a download button, but instead asks them to copy and paste a command in their Run program.
While it sounds far-fetched, it’s been quite successful, proven by nation-states’ adoption, as well.
Via The Hacker News
You might also like
- Microsoft SharePoint hijacked to spread Havoc malware
- Take a look at our guide to the best authenticator app
- We've rounded up the best password managers
