A notorious North Korean threat group known as Kimsuky has adopted a sophisticated new social engineering tactic. This deceptive technique, called “ClickFix,” is used to trick users into executing malicious scripts on their own systems. It fools victims into believing they need to troubleshoot browser errors or verify some important security documents. This ultimately leads them to unknowingly participate in their own compromise through manual code execution by the user. The ClickFix methodology represents a significant evolution in the group’s psychological manipulation tactics used against their targets.
Victims encounter fake error messages that appear to originate from trusted sources like the Google Chrome web browser.
These messages prompt them to copy and paste seemingly innocent code into their PowerShell or command line consoles.
This specific approach effectively bypasses many traditional security measures by exploiting predictable human behavior rather than system vulnerabilities. Genians analysts identified multiple attack campaigns throughout 2025 where Kimsuky operatives successfully deployed these ClickFix tactics. The security researchers observed the group targeting high-value diplomacy and national security experts in South Korea.
The technical sophistication of Kimsuky’s ClickFix implementation demonstrates remarkable advancement in their various evasion techniques. These techniques are designed to circumvent modern security solutions and endpoint protection systems that may be in place. The malware employs reverse-order string obfuscation to conceal its malicious PowerShell commands from inspection by security tools. This specific technique stores malicious functionality in reversed strings which are then reconstructed at runtime by PowerShell.
The malware further obscures its operations by inserting random numerical sequences throughout its complex command and control structures.
Once the malware is successfully deployed, it establishes persistence through the creation of specifically scheduled system tasks. It maintains communication with its command-and-control servers using distinctive and identifiable Uniform Resource Identifier patterns. The group’s C2 infrastructure spans multiple countries and utilizes dynamic DNS services to avoid being taken down. A consistent version identifier has been observed across campaigns, confirming the connection to Kimsuky’s broader BabyShark operation. The attackers impersonate legitimate entities like government officials and news correspondents to establish trust with their targets.
Reference:
