Analysis of the threat case of kimsuky group using 'ClickFix' tactic
Essential information
- Published
- 02/07/2025 07:14
- Modified
- 02/07/2025 07:49
- Tags
- 2025-07-02 clickfix powershell quasarrat social engineering spear-phishing
- Related entities
- 40 observables, 1 intrusion sets (apt), 9 techniques (mitre), 1 malware, 7 others
Description
The Kimsuky group has adopted a deceptive tactic called 'ClickFix' to trick users into unknowingly participating in attack chains. This method involves disguising malicious instructions as troubleshooting guides or security document verification procedures. The campaign is believed to be an extension of Kimsuky's ongoing 'BabyShark' threat activity. The tactic has evolved from VBS-based attacks to more sophisticated email-based and website-delivered methods. Attackers impersonate legitimate entities and use multilingual manuals to guide victims through seemingly harmless steps that actually execute malicious code. The group's infrastructure and linguistic patterns point to North Korean origin. To counter such threats, EDR-based defense strategies are crucial for detecting obfuscated malware and identifying abnormal behaviors.