
Cybersecurity Alert – Kimsuky Hackers Deploy ClickFix Tactic to Launch Malicious Scripts on Targeted Systems

In early 2025, cybersecurity experts sounded the alarm as the North Korean-linked Kimsuky group escalated its use of a deceptive technique known as “ClickFix.”

This tactic, first detailed by Proofpoint in April 2024 and further analyzed by Genians Security Center (GSC), leverages social engineering to trick users into executing malicious PowerShell scripts on their systems.

Unlike traditional malware delivery, ClickFix relies on psychological manipulation, disguising itself as a troubleshooting guide or security verification procedure to bypass security controls and exploit human trust.

The ClickFix campaign is considered an extension of Kimsuky’s notorious “BabyShark” threat activity, known for rapid adaptation and the integration of new attack vectors.

Diagram of the “BabyShark” Threat Series

According to recent reports, state-sponsored actors from North Korea, Iran, and Russia have adopted ClickFix, underscoring its effectiveness and global reach.

Technical Analysis: Attack Chain and Obfuscation

The attack typically begins with a highly targeted spear-phishing email. For example, in January 2025, a South Korean diplomat received an email from an individual posing as a journalist.

After establishing trust through several exchanges, the attacker sent a malicious file disguised as an interview questionnaire.

The file contained a Visual Basic Script (VBS) that, when executed, would open a decoy document, create a hidden directory, download additional malware from a command-and-control (C2) server (e.g., konamo[.]xyz), and establish persistence via scheduled tasks.

The VBS script employed string obfuscation, inserting random numbers such as “7539518426” to evade detection. At runtime, these numbers were stripped out, restoring the original malicious command.

Evolution to ClickFix

Recognizing that security solutions increasingly detected VBS-based attacks, Kimsuky pivoted to the ClickFix tactic.

In this variant, targets receive a PDF “manual” and a text file (Code.txt) containing an “authentication code.”

The manual instructs the user to copy and paste this code into a PowerShell window, often under the guise of accessing a secure document or fixing a browser error.

The PowerShell command is obfuscated using reverse-order encoding. For instance:

    $req_value=-join $value.ToCharArray()[-1..-$value.Length]; cmd /c $req_value; exit;

The $value variable holds the core command in reverse, which is then reconstructed and executed. This approach makes the payload difficult to spot at a glance.
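The two obfuscation tricks described above, the reversed string rebuilt with the -join idiom and the BabyShark-style padding with a repeated digit run, both undo cleanly once you know the pattern. The following analyst helper is an added example, not code from the article, Genians or Proofpoint: it takes a PowerShell command line (for instance the body of a ScriptBlock logging event), flags the two idioms, strips a repeated junk-digit token, and reverses a string literal that the script itself reverses at runtime, so a triage analyst sees the plaintext command. The sample inputs are constructed, and the hidden command they carry is a harmless placeholder; the regexes are assumptions tuned to the idiom quoted on this page.

```python
import re
from collections import Counter
from typing import Optional, Tuple

# Constructed sample inputs (not real campaign artefacts). The hidden command is a
# harmless placeholder standing in for whatever the attacker's $value actually held.
CLEAN_COMMAND = 'powershell -WindowStyle Hidden -Command "Write-Output example"'

# 1) ClickFix-style reverse-order encoding, built around the idiom quoted in the article.
REVERSED_SAMPLE = (
    "$value='" + CLEAN_COMMAND[::-1] + "'; "
    "$req_value=-join $value.ToCharArray()[-1..-$value.Length]; cmd /c $req_value; exit;"
)

# 2) BabyShark VBS-style padding: one digit run spliced into the command several times.
JUNK_DIGITS = "7539518426"
PADDED_SAMPLE = (
    "powe" + JUNK_DIGITS + "rshell -WindowSty" + JUNK_DIGITS
    + 'le Hidden -Command "Write-Output exam' + JUNK_DIGITS + 'ple"'
)

# -join $x.ToCharArray()[-1..-$x.Length]  with the same variable on both sides
REVERSE_IDIOM = re.compile(
    r"-join\s+\$(\w+)\.ToCharArray\(\)\s*\[\s*-1\s*\.\.\s*-\$\1\.Length\s*\]"
)
# $name = 'literal'  or  $name = "literal"  (simple single-line string assignment)
STRING_ASSIGN = re.compile(r"\$(\w+)\s*=\s*(['\"])(.*?)\2")
# cmd /c handed a variable rather than a visible command
CMD_C_VARIABLE = re.compile(r"\bcmd(?:\.exe)?\s+/c\s+\$\w+")


def strip_junk_digits(script: str, min_len: int = 6, min_repeats: int = 2) -> Tuple[str, Optional[str]]:
    """Remove a digit run that recurs throughout the script (padding, not data).

    Returns (cleaned_script, junk_token); junk_token is None when nothing qualified.
    """
    counts = Counter(re.findall(r"\d{%d,}" % min_len, script))
    candidates = [tok for tok, n in counts.items() if n >= min_repeats]
    if not candidates:
        return script, None
    junk = max(candidates, key=lambda tok: (counts[tok], len(tok)))
    return script.replace(junk, ""), junk


def recover_reversed(script: str) -> Optional[str]:
    """If the script reverses a string variable to rebuild its command, return that
    command in forward order; otherwise None."""
    m = REVERSE_IDIOM.search(script)
    if not m:
        return None
    var = m.group(1)
    for assign in STRING_ASSIGN.finditer(script):
        if assign.group(1) == var:
            return assign.group(3)[::-1]
    return None


def triage(script: str) -> dict:
    """Flag obfuscation indicators and return the best-effort plaintext command for review."""
    indicators = []
    cleaned, junk = strip_junk_digits(script)
    if junk:
        indicators.append("repeated-digit padding")
    if REVERSE_IDIOM.search(cleaned):
        indicators.append("reverse-join reconstruction")
    if CMD_C_VARIABLE.search(cleaned):
        indicators.append("cmd /c on a variable")
    recovered = recover_reversed(cleaned)
    return {
        "indicators": indicators,
        "junk_token": junk,
        "recovered_command": recovered if recovered is not None else cleaned,
    }


if __name__ == "__main__":
    for label, sample in (("reversed", REVERSED_SAMPLE), ("padded", PADDED_SAMPLE)):
        print(label, triage(sample))
```

The indicators are cheap enough to run over every PowerShell ScriptBlock event; the recovered command is what an analyst should actually read, and it is also the string that a signature for the underlying payload has to match, which is the point of the obfuscation.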

Web-Based ClickFix and Infrastructure

Kimsuky also deploys ClickFix via compromised or fake websites, such as job portals. Victims are prompted to install remote desktop tools or paste commands into PowerShell, granting attackers remote access.

Analysis has linked these operations to a broader infrastructure, including domains such as raedom[.]store, kida.plusdocs.kro[.]kr, and securedrive.fin-tech[.]com.

The group utilizes multiple C2 servers, frequently rotating addresses and employing obfuscation to evade detection.

Defense Strategies and Indicators of Compromise

ClickFix’s reliance on user action makes it difficult for traditional antivirus solutions to detect. Experts recommend:

  • User Awareness Training: Educate staff to treat any unsolicited request to run PowerShell commands with suspicion.
  • EDR Solutions: Endpoint Detection and Response (EDR) tools, such as Genian EDR, can monitor and log PowerShell executions, identify abnormal behaviors, and visualize attack chains.
  • Network Controls: Block known malicious domains and IP addresses (see IoCs below).
  • Incident Response: Maintain up-to-date threat intelligence and collaborate with security vendors for real-time updates.

Indicators of Compromise (IoCs):

  • MD5 Hashes: 56233bac07f4f9c43585e485e70b6169, a523bf5dca0f2a4ace0cf766d9225343, and others.
  • C2 Domains: konamo[.]xyz, raedom[.]store, kida.plusdocs.kro[.]kr, securedrive.fin-tech[.]com, and more.
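The "Network Controls" recommendation above assumes the published domains are turned into something a resolver or proxy log can be checked against. The block below is an added example, not code from the article or the vendors it cites: it refangs the defanged domain IoCs listed on this page, then matches DNS query logs against them with proper label-boundary handling, so that a subdomain of a listed domain is caught while a look-alike such as notkonamo.xyz, or an unrelated host under the shared kro.kr dynamic-DNS parent, is not. The DNS log lines and their format are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Set

# Domain IoCs exactly as published in the article (defanged).
DEFANGED_DOMAINS = [
    "konamo[.]xyz",
    "raedom[.]store",
    "kida.plusdocs.kro[.]kr",
    "securedrive.fin-tech[.]com",
]

# Constructed DNS query log; the format is an assumption for the example only.
DNS_LOG = """\
2025-01-15T09:12:01Z client 10.0.0.25 query: update.konamo.xyz A
2025-01-15T09:12:07Z client 10.0.0.31 query: www.example.org A
2025-01-15T09:13:44Z client 10.0.0.25 query: KIDA.PLUSDOCS.KRO.KR. A
2025-01-15T09:14:02Z client 10.0.0.40 query: notkonamo.xyz A
2025-01-15T09:14:30Z client 10.0.0.40 query: other-user.kro.kr A
2025-01-15T09:15:19Z client 10.0.0.52 query: securedrive.fin-tech.com AAAA
"""

LOG_LINE = re.compile(r"^(\S+) client (\S+) query: (\S+)\s+(\w+)")


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a lower-case hostname without a trailing dot."""
    host = indicator.strip().lower()
    for defanged, real in (("[.]", "."), ("(.)", "."), ("{.}", "."), ("[dot]", ".")):
        host = host.replace(defanged, real)
    return host.rstrip(".")


def build_blocklist(defanged: List[str]) -> Set[str]:
    return {refang(d) for d in defanged}


def matches_blocklist(qname: str, blocklist: Set[str]) -> Optional[str]:
    """Return the listed domain that covers qname (the name itself or a parent at a
    label boundary), or None. Substring matches are deliberately not accepted."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def scan_dns_log(log_text: str, blocklist: Set[str]) -> List[Dict[str, str]]:
    """Return one hit per log line whose queried name falls under a listed domain."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        timestamp, client, qname, qtype = m.groups()
        ioc = matches_blocklist(qname, blocklist)
        if ioc:
            hits.append({
                "time": timestamp,
                "client": client,
                "qname": qname.rstrip(".").lower(),
                "qtype": qtype,
                "ioc": ioc,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(DNS_LOG, build_blocklist(DEFANGED_DOMAINS)):
        print(hit)
```

Matching on whole labels matters in both directions: the listed kida.plusdocs.kro[.]kr sits under a public dynamic-DNS parent, so blocking or alerting on kro.kr itself would flood the queue with unrelated hosts, while plain substring matching would miss nothing but would also fire on notkonamo.xyz. Keep the list in the published form and refang at load time, so the file can be shared safely and diffed against vendor updates.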

As Kimsuky and other state-sponsored actors refine their social engineering techniques, organizations must remain vigilant and invest in layered defenses to counter these evolving threats.

Priya
