Just a sample of the Echomail archive
Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.
|    CONSPRCY    |    How big is your tinfoil hat?    |    2,445 messages    |
|    Message 1,309 of 2,445    |
|    Mike Powell to All    |
|    State-sponsored actors sp    |
|    19 Apr 25 10:28:00    |
TZUTC: -0500
MSGID: 1042.consprcy@1:2320/105 2c68fca8
PID: Synchronet 3.20a-Linux master/acc19483f Apr 26 202 GCC 12.2.0
TID: SBBSecho 3.20-Linux master/acc19483f Apr 26 2024 23:04 GCC 12.2.0
BBSID: CAPCITY2
CHRS: ASCII 1

State-sponsored actors spotted using ClickFix hacking tool developed by criminals

Date:
Fri, 18 Apr 2025 16:03:00 +0000

Description:
Iranians, Russians, and North Koreans have been observed trying to trick their targets into running shady commands on their computers.

FULL STORY

The ClickFix attack technique has gotten so popular that even state-sponsored threat actors are using it, research from Proofpoint claims, having observed at least three groups leveraging the method in the final quarter of 2024.

In an in-depth report, Proofpoint said it saw Kimsuky, MuddyWater, UNK_RemoteRogue, and APT28, all using ClickFix in their attack chains.

Kimsuky is a known North Korean threat actor, MuddyWater is Iranian, while UNK_RemoteRogue and APT28 are allegedly Russian. Aside from North Korea's Lazarus Group, state-sponsored threat actors are mostly engaged in cyber-espionage, stealing sensitive information from diplomats, critical infrastructure organizations, think tanks, and similar organizations from adversary states.

"The incorporation of ClickFix is not revolutionizing the campaigns carried out by TA427, TA450, UNK_RemoteRogue, and TA422 but instead is replacing the installation and execution stages in existing infection chains," Proofpoint explained.

ClickFix has been making headlines for months now. It is a social engineering tactic similar to ancient 'You've got a virus' popups that used to plague internet sites two decades ago.

Originally, the popup would invite the visitor to download and run an antivirus program which was, in fact, just malware.

When the industry addressed this attack by striking the infrastructure, crooks pivoted to leaving a phone number for alleged IT support.

Victims calling this number would be tricked into installing remote desktop programs, giving crooks the ability to download and run malware on their devices.

The ClickFix attack takes this method and gives it a unique spin. It still starts with a popup but sometimes the victims are also asked to complete a CAPTCHA, verify their identity, or similar. The process doesn't require them clicking on a download button, but instead asks them to copy and paste a command in their Run program.

While it sounds far-fetched, it's been quite successful, proven by nation-states' adoption, as well.

Via The Hacker News

======================================================================
Link to news story:
https://www.techradar.com/pro/security/state-sponsored-actors-spotted-using-clickfix-hacking-tool-developed-by-criminals

$$
--- SBBSecho 3.20-Linux
 * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)
SEEN-BY: 105/81 106/201 128/187 129/305 153/7715 154/110 218/700 226/30
SEEN-BY: 227/114 229/110 111 114 206 300 307 317 400 426 428 470 664
SEEN-BY: 229/700 705 266/512 291/111 320/219 322/757 342/200 396/45
SEEN-BY: 460/58 712/848 902/26 2320/0 105 3634/12 5075/35
PATH: 2320/105 229/426
(c) 1994, bbs@darkrealms.ca