North Korean hackers are using ClickFix social engineering tactics to compromise devices and perform data exfiltration in a highly focused cyber espionage campaign.
The tactic involves displaying deceptive error prompts and luring the victim to execute threat actor-provided code to fix the problem.
Rather than fixing anything, the code grants the attacker access to the victim’s device and enables follow-on attacks. Besides DPRK hackers, other malicious actors have used the tactic to spread malware, including info stealers, to unsuspecting victims.
How North Korean hackers use the ClickFix social engineering tactic to exfiltrate data
Microsoft warned that the ClickFix social engineering campaign kicks off with North Korean hackers masquerading as South Korean government officials to earn the victims’ trust.
After gradually establishing rapport with their targets, they send a malicious email with a PDF attachment. Attempting to open the attached document redirects the targeted individual to a fake device registration link instructing them to copy, paste, and execute threat actor-supplied code in PowerShell as an administrator.
When executed, the code installs a remote desktop tool, downloads a certificate with a hard-coded PIN, and registers the victim’s device on the threat actor-controlled server using the installed certificate, allowing subsequent access for data exfiltration.
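As an added illustration (not from Microsoft's report or this article), the following Python heuristic scores constructed Sysmon-style process-creation events for the chain described above: an interactively launched, elevated PowerShell that downloads content, handles a certificate and installs software. The field names, regex patterns and sample events are assumptions made for this example.

```python
import re

# Heuristic signals for the chain described above. Patterns and field names are
# assumptions for this example, not Microsoft's detection logic.
DOWNLOAD_RE = re.compile(r"Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile|Start-BitsTransfer|\bcurl\b", re.I)
CERT_RE = re.compile(r"Import-PfxCertificate|certutil|\.pfx\b|\.p12\b|\bpin\b", re.I)
INSTALL_RE = re.compile(r"msiexec|Start-Process\s+\S+\.(exe|msi)\b|\binstall\b", re.I)
INTERACTIVE_PARENTS = {"explorer.exe"}  # a user pasting into a console, not a scheduled task

def score_event(ev):
    """Return (score, reasons) for one simplified process-creation event."""
    reasons = []
    if "powershell" not in ev["image"].lower():
        return 0, reasons
    if ev.get("integrity") == "High" and ev["parent"].lower() in INTERACTIVE_PARENTS:
        reasons.append("elevated PowerShell launched from an interactive shell")
    cmd = ev.get("cmd", "")
    if DOWNLOAD_RE.search(cmd):
        reasons.append("downloads remote content")
    if CERT_RE.search(cmd):
        reasons.append("handles a certificate or PIN")
    if INSTALL_RE.search(cmd):
        reasons.append("installs software")
    return len(reasons), reasons

def flag_clickfix_candidates(events, threshold=3):
    """Return hosts whose event combines at least `threshold` signals.
    A lone signal (e.g. an admin running Install-Module) stays below the bar."""
    return [{"host": ev["host"], "score": s, "reasons": r}
            for ev in events for s, r in [score_event(ev)] if s >= threshold]

# Constructed sample events (Sysmon Event ID 1 style, simplified); not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws-01", "parent": "explorer.exe", "image": "powershell.exe", "integrity": "High",
     "cmd": r'powershell -c "Invoke-WebRequest https://example.invalid/reg/cert.pfx '
            r'-OutFile $env:TEMP\c.pfx; Import-PfxCertificate -FilePath $env:TEMP\c.pfx; '
            r'Start-Process $env:TEMP\rd-setup.exe"'},
    {"host": "ws-02", "parent": "explorer.exe", "image": "powershell.exe", "integrity": "Medium",
     "cmd": r"powershell Get-ChildItem C:\Users"},
    {"host": "ws-03", "parent": "svchost.exe", "image": "powershell.exe", "integrity": "High",
     "cmd": r"powershell -File C:\Scripts\nightly-backup.ps1"},
    {"host": "ws-04", "parent": "explorer.exe", "image": "powershell.exe", "integrity": "High",
     "cmd": "powershell Install-Module Pester -Scope AllUsers"},
]

if __name__ == "__main__":
    for hit in flag_clickfix_candidates(SAMPLE_EVENTS):
        print(hit["host"], hit["score"], ", ".join(hit["reasons"]))
```

Only ws-01 crosses the default threshold; the legitimate elevated install on ws-04 scores two signals and is left alone, which is the trade-off a real rule would tune against its own baseline.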
Microsoft attributed the ClickFix social engineering campaign to the North Korean hacking group Emerald Sleet (also known as Kimsuky and VELVET CHOLLIMA). It primarily targets individuals working with international affairs organizations, non-governmental organizations (NGOs), government agencies and services, and the media in North America, South America, Europe, and East Asia.
Microsoft has directly notified the ClickFix social engineering campaign victims and instructed them on how to secure their accounts from takeover attempts. However, Microsoft has not publicly disclosed the number of victims and the nature of potentially stolen information during the cyber espionage campaign.
Evolving approach to cyber espionage
Although the social engineering campaign is limited in scope, the Redmond, Washington-based tech colossus said it highlights North Korean hackers’ evolving approach to conducting cyber espionage.
“While we have only observed the use of this tactic in limited attacks since January 2025, this shift is indicative of a new approach to compromising their traditional espionage targets,” Microsoft stated.
This is hardly the first time North Korean hackers have employed ClickFix social engineering tactics to compromise their victims. In December 2024, North Korean hackers were observed using the ClickFix tactic to install FERRET malware on macOS devices using fake job interview lures in the Contagious Interview campaign.
During the campaign, job applicants were provided links to communicate with a LinkedIn recruiter to complete a video assessment. When clicked, the links threw an error and instructed the targets to update their videoconferencing applications such as VCam or CameraAccess. That process involved copying and executing provided commands on the macOS Terminal app.
However, the commands dropped BeaverTail JavaScript malware, which harvests cryptocurrency wallet credentials from browsers and installs InvisibleFerret, a Python backdoor. Apple later updated its anti-malware protection tool to block Ferret malware variants.
Meanwhile, Microsoft has advised organizations to invest in anti-phishing solutions and train users about the dangers of clicking on suspicious links in unsolicited email messages.