
Analysis of the threat case of the Kimsuky group using the 'ClickFix' tactic

Medium
Published: Wed Jul 02 2025 (07/02/2025, 07:14:55 UTC)
Source: AlienVault OTX General

Description

The Kimsuky group has adopted a deceptive tactic called 'ClickFix' to trick users into unknowingly participating in attack chains. This method involves disguising malicious instructions as troubleshooting guides or security document verification procedures. The campaign is believed to be an extension of Kimsuky's ongoing 'BabyShark' threat activity. The tactic has evolved from VBS-based attacks to more sophisticated email-based and website-delivered methods. Attackers impersonate legitimate entities and use multilingual manuals to guide victims through seemingly harmless steps that actually execute malicious code. The group's infrastructure and linguistic patterns point to North Korean origin. To counter such threats, EDR-based defense strategies are crucial for detecting obfuscated malware and identifying abnormal behaviors.

AI-Powered Analysis

Last updated: 07/02/2025, 07:54:37 UTC

Technical Analysis

The Kimsuky group, a North Korean state-sponsored threat actor, has developed a deceptive social engineering tactic known as 'ClickFix' to infiltrate targeted networks. This technique involves sending spear-phishing emails that impersonate legitimate entities and contain multilingual manuals or guides disguised as troubleshooting or security verification documents. Victims are tricked into following these seemingly benign instructions, which covertly execute malicious code, often leveraging PowerShell scripts and other obfuscated malware payloads. The campaign is an evolution of Kimsuky's previous 'BabyShark' operations, shifting from simpler VBS-based attacks to more sophisticated email and web-delivered infection vectors. The attackers employ a combination of tactics including process execution (T1053.005), service creation (T1543.003), spear-phishing with malicious links or attachments (T1566.001, T1566.002), impersonation (T1036), command and control over web protocols (T1102), script execution (T1059.001), data encoding (T1132), and user execution (T1189). The use of multilingual manuals increases the likelihood of deceiving diverse targets across different regions. The threat actor’s infrastructure and linguistic patterns confirm a North Korean origin. Detection and mitigation require advanced Endpoint Detection and Response (EDR) solutions capable of identifying obfuscated malware and anomalous behaviors indicative of this attack chain. The absence of known exploits in the wild suggests this is a targeted, espionage-driven campaign rather than a widespread worm or ransomware outbreak.

Potential Impact

For European organizations, the 'ClickFix' tactic poses a significant risk primarily to government agencies, defense contractors, research institutions, and critical infrastructure operators, which are typical targets of North Korean espionage groups. Successful compromise can lead to unauthorized access, data exfiltration, intellectual property theft, and potential disruption of services. The social engineering nature of the attack increases the risk of initial compromise through trusted communication channels, potentially bypassing perimeter defenses. The multilingual aspect of the manuals means that organizations across Europe, regardless of language, could be targeted. The use of sophisticated obfuscation and living-off-the-land techniques complicates detection, increasing dwell time and the potential for extensive lateral movement within networks. This can undermine confidentiality and integrity of sensitive data and may impact availability if attackers deploy destructive payloads or disrupt services as part of their objectives.

Mitigation Recommendations

European organizations should implement targeted mitigation strategies beyond generic advice:

1) Deploy and fine-tune EDR solutions with behavioral analytics to detect obfuscated scripts and anomalous process executions, especially those involving PowerShell and service creation.
2) Conduct regular, scenario-based phishing awareness training emphasizing the risks of following unsolicited troubleshooting or security verification instructions, including those presented in multiple languages.
3) Implement strict email filtering and authentication mechanisms such as DMARC, DKIM, and SPF to reduce spear-phishing success.
4) Enforce application whitelisting and restrict execution of scripts and macros from email attachments or untrusted sources.
5) Monitor network traffic for unusual outbound connections, particularly web-based C2 communications.
6) Maintain up-to-date threat intelligence feeds to recognize indicators of compromise related to Kimsuky infrastructure.
7) Establish incident response playbooks specifically addressing social engineering and living-off-the-land attack techniques to enable rapid containment and remediation.
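The following is an added example, not code from the OTX pulse or from the Genians report it references. It shows how the detection points raised in the technical analysis and in recommendations 1, 5 and 6 can be operationalized: the pulse's published domain, IP and hash indicators are matched against log events (DNS queries, proxy connections, EDR process events), and one behavioral check flags PowerShell launched with a hidden window and an encoded command, which is the kind of obfuscated script execution the analysis attributes to this campaign. The log format (`type=... key=value` lines), the hostnames, and the command line are constructed for the example; only the indicator values are taken from the pulse.

```python
"""Match the pulse's IoCs and one PowerShell behavior against log events.

Added example. Log lines, hostnames and the command line are constructed;
the indicator values are copied from the pulse's IoC section.
"""
import ipaddress
import re

# Indicators copied from the pulse (subset; extend from the full list as needed).
IOC_DOMAINS = {
    "bikaro.store", "cafe24.pro", "cukumam.shop", "konamo.xyz",
    "securedrive.fin-tech.com", "nid.naver.rkfd.com",
}
IOC_IPS = {"103.149.98.248", "118.193.69.151", "172.86.111.75"}
IOC_HASHES = {
    "12bfe00206b2e83c7ff79b657d3c56df",
    "3297e3606d6466bc7f741a4df2b9e96a",
}

# Constructed sample events in a simple key=value format (assumed, not a real product's log).
# "QQBCAEMA" is just "ABC" in UTF-16LE/base64, a harmless placeholder payload.
SAMPLE_LOGS = [
    'type=dns host=ws-042 query=login.bikaro.store',
    'type=proxy host=ws-042 dst=103.149.98.248 port=443',
    'type=process host=ws-042 image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'md5=12bfe00206b2e83c7ff79b657d3c56df cmdline="powershell -w hidden -enc QQBCAEMA"',
    'type=dns host=ws-017 query=update.microsoft.com',
]

# PowerShell accepts abbreviated switches; cover the common spellings of both flags.
ENCODED_FLAG = re.compile(r'(?i)(^|\s)-(e|ec|enc|encodedcommand)\b')
HIDDEN_FLAG = re.compile(r'(?i)(^|\s)-(w|win|windowstyle)\s+hidden\b')


def parse_line(line):
    """Parse key=value pairs; values may be double-quoted to contain spaces."""
    fields = {}
    for m in re.finditer(r'(\w+)=("([^"]*)"|\S+)', line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def domain_matches(hostname):
    """Return the indicator hit if hostname equals or is a subdomain of a listed domain."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def is_ioc_ip(value):
    """True only for a syntactically valid IP address that is in the indicator set."""
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return value in IOC_IPS


def suspicious_powershell(fields):
    """Flag powershell.exe started with a hidden window and an encoded command."""
    image = fields.get("image", "").lower()
    cmd = fields.get("cmdline", "")
    if not image.endswith("powershell.exe"):
        return False
    return bool(ENCODED_FLAG.search(cmd) and HIDDEN_FLAG.search(cmd))


def check_line(line):
    """Return a list of (reason, value) hits for one log line."""
    f = parse_line(line)
    hits = []
    kind = f.get("type")
    if kind == "dns":
        d = domain_matches(f.get("query", ""))
        if d:
            hits.append(("ioc_domain", d))
    elif kind == "proxy":
        dst = f.get("dst", "")
        d = domain_matches(dst)  # proxies may log a hostname rather than an IP
        if d:
            hits.append(("ioc_domain", d))
        if is_ioc_ip(dst):
            hits.append(("ioc_ip", dst))
    elif kind == "process":
        h = f.get("md5", "").lower()
        if h in IOC_HASHES:
            hits.append(("ioc_hash", h))
        if suspicious_powershell(f):
            hits.append(("encoded_hidden_powershell", f.get("cmdline")))
    return hits


def scan_logs(lines):
    """Return [(line, hits)] for every line that produced at least one hit."""
    return [(line, check_line(line)) for line in lines if check_line(line)]


if __name__ == "__main__":
    for line, hits in scan_logs(SAMPLE_LOGS):
        print(line)
        for reason, value in hits:
            print(f"  {reason}: {value}")
```

The subdomain-aware match matters because the pulse lists apex domains such as `bikaro.store` while real DNS and proxy logs usually carry a full hostname; the IP check validates the address before the set lookup so a hostname in the `dst` field is not silently ignored. The behavioral rule is deliberately narrow (hidden window plus encoded command) so it can run alongside, rather than replace, the EDR analytics the recommendations call for.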


Technical Details

Author: AlienVault
TLP: white
References: https://www.genians.co.kr/en/blog/threat_intelligence/suky-castle
Adversary: Kimsuky
Pulse Id: 6864dc6fbb7b39eefb96ee85
Threat Score: null

Indicators of Compromise

IP addresses

103.149.98.248
118.193.69.151
172.86.111.75
1.223.129.234
103.149.98.247
106.243.157.158
112.74.194.45
115.92.4.123
118.194.228.184
121.179.161.231
162.0.229.227
210.179.30.213
211.170.73.245
38.180.157.197
65.254.248.151

Hashes (MD5)

12bfe00206b2e83c7ff79b657d3c56df
3297e3606d6466bc7f741a4df2b9e96a
40ce5cf6be259120d179f51993aec854
56233bac07f4f9c43585e485e70b6169
627b856884604880a5c009ebf7173efb
89a725b08ab0e8885fc03b543638be96
8c33e8439844c315b7b3f21b0c1633aa
a523bf5dca0f2a4ace0cf766d9225343
ad6104a503b46bf6ea505fe8b3182970
ca13c54987293ae7efc22b14e1153c1e
fc4c319d7940ad1b7c0477469420bd11

Domains

bikaro.store
cafe24.pro
cukumam.shop
konamo.xyz
naunsae.store
raedom.store
temuco.xyz
tenelbox.store
account-profile.servepics.com
accounts-porfile.serveirc.com
androcl.csproject.org
e-securedrive.assembly.twoon.co.kr
kida.plusdocs.kro.kr
login.androclesproject.o-r.kr
mspro.kro.kr
msprovider.menews.o-r.kr
nid.naver.rkfd.com
online.lecture-site.kro.kr
secure.drive.polices.site
securedrive-overseas-state.bit-albania.com
securedrive.fin-tech.com
securedrive.privatedns.org
securedrive.servehttp.com
securedrivelog.register.im
www.online.check-computer.kro.kr

Threat ID: 6864e2316f40f0eb7291f913

Added to database: 7/2/2025, 7:39:29 AM

Last enriched: 7/2/2025, 7:54:37 AM

Last updated: 7/16/2025, 7:20:20 PM

Views: 21
