216.73.216.86

Analysis of the threat case of kimsuky group using 'ClickFix' tactic

· Published 02/07/2025 07:14 · Modified 02/07/2025 07:49

Export JSON

Essential information

Published
02/07/2025 07:14
Modified
02/07/2025 07:49
Tags
2025-07-02 clickfix powershell quasarrat social engineering spear-phishing
Related entities
40 observables, 1 intrusion sets (apt), 9 techniques (mitre), 1 malware, 7 others

Description

The Kimsuky group has adopted a deceptive tactic called '' to trick users into unknowingly participating in attack chains. This method involves disguising malicious instructions as troubleshooting guides or security document verification procedures. The campaign is believed to be an extension of Kimsuky's ongoing 'BabyShark' threat activity. The tactic has evolved from VBS-based attacks to more sophisticated email-based and website-delivered methods. Attackers impersonate legitimate entities and use multilingual manuals to guide victims through seemingly harmless steps that actually execute malicious code. The group's infrastructure and linguistic patterns point to North Korean origin. To counter such threats, EDR-based defense strategies are crucial for detecting obfuscated malware and identifying abnormal behaviors.

External references