Kimsuky Hackers Use ClickFix Social Engineering to Deploy Malware via PowerShell | Full Analysis 2025

Table of Contents

• What is Linux 6.16-rc4 and Why Does it Matter?
• What is ClickFix?
• How the Attack Works – Step-by-Step
• Technical Breakdown of the Script
• Evolution of the Attack Campaign
• Persistence and Command Control (C2)
• Why ClickFix Is Dangerous
• Indicators of Compromise (IOCs)
• Defending Against ClickFix
• Conclusion
•  Frequently Asked Questions (FAQs)

Introduction

In 2025, cybercrime has reached new levels of sophistication, especially in the realm of social engineering. One particularly alarming development is the use of a deceptive tactic called ClickFix, employed by the infamous North Korean APT group Kimsuky (APT43). This method cleverly manipulates users into executing malicious scripts on their own devices, bypassing traditional antivirus and endpoint security systems.

This blog explores the ClickFix attack methodology, its psychological exploitation techniques, technical workings, campaign evolution, and the steps you can take to defend against it.

What is ClickFix?

ClickFix is a social engineering technique first discovered by researchers at Proofpoint in April 2024. It targets human behavior rather than software vulnerabilities. Kimsuky lures users into manually copy-pasting PowerShell commands into their consoles under the guise of resolving browser or system errors.

These scripts are often obfuscated and disguised as legitimate fixes, making the victim unknowingly initiate the attack themselves. The malware deployed through ClickFix is commonly tied to the BabyShark malware family, known for its persistence and stealth.

How the Attack Works – Step-by-Step

1. Initial Contact: Spear Phishing

Kimsuky delivers malicious content through phishing emails or fake websites posing as government agencies, news organizations, or security firms. The lure often involves a password-protected ZIP file or a link to a fake web portal.

2. Deception via Fake Pop-Ups

Victims who open the file or visit the spoofed site are presented with a fake browser error message. It appears to be from Chrome or Edge and suggests running a “fix” via PowerShell.

Example:

“Certificate error detected. Please copy the below command and run it in your PowerShell terminal to continue.”

3. Execution by the User

The user copies the provided PowerShell snippet, pastes it into their terminal, and unknowingly executes a malicious script. The script is heavily obfuscated and may use reverse strings, dummy characters, and hidden payloads.

Technical Breakdown of the Script

The following is a simplified version of what the obfuscated PowerShell code looks like:

$value="tixe&"'atad-mrof/trapitlum' epyTtnetnoC-"
$req_value=-join $value.ToCharArray()[-1..-$value.Length];
cmd /c $req_value;exit;

Obfuscation Tactics:

• Reverse-order string: Conceals intent by reversing commands.

• Random digits: Numbers like 7539518426 are inserted and removed dynamically.

• In-memory execution: Avoids writing payloads to disk.

Evolution of the Attack Campaign

The ClickFix method has evolved significantly over the past year:

Persistence and Command Control (C2)

Once executed, the malware:

• Creates scheduled tasks for persistence.

• Contacts C2 servers like konamo.xyz and raedom.store.

• Uses URIs like /demo.php?ccs=cin and /cout for two-way communication.

• Registers a unique version identifier:

  Version: RE4T-GT7J-KJ90-JB6F-VG5F
  

Why ClickFix Is Dangerous

ClickFix bypasses antivirus and endpoint detection tools by:

• Tricking the user into executing the code.

• Running code in-memory without triggering file-based detection.

• Using social trust, not software vulnerabilities.

The success of ClickFix highlights the increasing psychological sophistication of modern threat actors like Kimsuky, who combine technical evasion with believable user manipulation.

Indicators of Compromise (IOCs)

Defending Against ClickFix

 Endpoint Hardening

• Disable PowerShell execution for non-admins.

• Enable PowerShell Constrained Language Mode.

• Use application whitelisting (AppLocker, WDAC).

 User Awareness

• Educate users on social engineering tactics.

• Warn users: Never paste code from websites into PowerShell.

 Security Monitoring

• Alert on suspicious PowerShell usage.

• Monitor scheduled task creation.

• Look for C2 domain resolution attempts in DNS logs.

 Advanced Threat Detection

• Use sandboxing to analyze password-protected ZIP files.

• Implement behavioral analysis on endpoint activity.

Conclusion

ClickFix demonstrates that human behavior is still the weakest link in the cybersecurity chain. Kimsuky’s shift to “self-install” malware tactics shows how attackers are evolving beyond traditional exploits into psychological exploitation.

To stay safe, organizations must:

• Harden their systems.

• Continuously train users.

• Monitor for even the subtlest signs of compromise.

As the line between legitimate prompts and malicious tricks blurs, zero trust must extend beyond networks and devices — to human interaction itself.

Stay informed. Stay alert. Cybersecurity is no longer just about code — it’s about people.

FAQ:

What is the ClickFix technique used by Kimsuky hackers?

ClickFix is a social engineering technique where users are tricked into copying and pasting malicious PowerShell scripts under the guise of fixing browser errors.

Who are the Kimsuky hackers?

Kimsuky is a North Korean advanced persistent threat (APT) group, also known as APT43, known for cyber-espionage campaigns against governments, journalists, and defense sectors.

How does the ClickFix attack start?

It typically begins with spear-phishing emails or fake websites that prompt users to run PowerShell code as a “fix” for fabricated browser issues.

Why is ClickFix difficult to detect?

ClickFix relies on human behavior rather than software vulnerabilities, making it harder for antivirus and endpoint detection systems to flag.

What makes ClickFix a social engineering attack?

It manipulates victims into executing the malware themselves, often believing it’s part of legitimate troubleshooting steps.

What kind of payloads does ClickFix deliver?

The attack usually deploys PowerShell-based spyware, such as BabyShark, which steals data and maintains persistence.

Which sectors have been targeted by Kimsuky using ClickFix?

Mainly government, diplomatic, defense, and research institutions—particularly in South Korea.

What programming techniques are used in ClickFix scripts?

The scripts use reverse string obfuscation, dynamic decryption, and runtime command reconstruction to hide malicious content.

What are some examples of fake error messages used in ClickFix?

Victims might see messages like “Google Chrome security error” or “Certificate failed to load, please run the following fix.”

Can antivirus detect PowerShell-based ClickFix malware?

Often no, because the script executes in memory and is disguised as legitimate activity.

What is BabyShark malware?

It’s a modular spyware toolkit used by Kimsuky that can log keystrokes, take screenshots, steal files, and communicate with command and control (C2) servers.

What languages are ClickFix lures available in?

Campaigns have been observed in English, Korean, Russian, French, German, Japanese, and Chinese.

What are some of the C2 domains used in ClickFix campaigns?

Examples include konamo.xyz and raedom.store.

What command and control (C2) patterns are used in these attacks?

The malware uses URLs like /demo.php?ccs=cin and /cout to send and receive commands from the C2 server.

How does ClickFix achieve persistence on a victim machine?

By creating scheduled tasks that ensure the malware runs on reboot or at scheduled intervals.

Can ClickFix be used for data exfiltration?

Yes, once installed, the malware can extract files, keystrokes, and screenshots to the attacker’s remote server.

What operating systems are vulnerable to ClickFix?

Primarily Windows systems, as the malicious code is executed via Windows PowerShell.

What obfuscation techniques are used in the attack?

ClickFix uses reverse strings, random number insertion, and PowerShell array manipulations to hide the payload.

How can IT admins detect ClickFix in their environment?

By monitoring unusual PowerShell executions, task scheduler changes, and connections to known malicious domains.

What is the version marker found in ClickFix malware samples?

A common version ID found is RE4T-GT7J-KJ90-JB6F-VG5F.

How is ClickFix related to the BabyShark campaign?

ClickFix is the delivery method used in ongoing BabyShark malware campaigns led by Kimsuky.

Why is this attack considered advanced social engineering?

Because it tricks users into running malware themselves, bypassing security tools through psychological manipulation.

What kind of fake websites are used to deploy ClickFix?

Sites impersonating news agencies, government portals, or cybersecurity tools are used to gain user trust.

Is ClickFix a targeted or widespread campaign?

ClickFix is mostly used in highly targeted spear-phishing campaigns aimed at specific organizations or individuals.

What are the recommended defenses against ClickFix?

Restrict PowerShell use, implement application whitelisting, train users on phishing, and monitor suspicious scripts.

Does Microsoft Defender block ClickFix?

Not always, especially when the scripts are obfuscated and executed by the user.

What is reverse-order string obfuscation in PowerShell?

It's a method where malicious commands are written backward and then reassembled during execution to hide their intent.

What should you do if you suspect a ClickFix infection?

Immediately isolate the system, collect forensic data, and scan for persistence mechanisms like scheduled tasks and suspicious domains.

How is ClickFix different from traditional malware attacks?

Unlike traditional exploits, ClickFix requires no vulnerability—only user deception and social engineering.

Is there a patch or fix available for ClickFix?

There’s no specific patch since it exploits human behavior, not a software flaw. Protection relies on policy enforcement and awareness.