Analysis of the threat case of Kimsuky group using 'ClickFix' tactic
The Kimsuky group has adopted a deceptive tactic called 'ClickFix' to trick users into unknowingly participating in attack chains. This method involves disguising malicious instructions as troubleshooting guides or security document verification procedures. The campaign is believed to be an extension of Kimsuky's ongoing 'BabyShark' threat activity. The tactic has evolved from VBS-based attacks to more sophisticated email-based and website-delivered methods. Attackers impersonate legitimate entities and use multilingual manuals to guide victims through seemingly harmless steps that actually execute malicious code. The group's infrastructure and linguistic patterns point to North Korean origin. To counter such threats, EDR-based defense strategies are crucial for detecting obfuscated malware and identifying abnormal behaviors.
AI Analysis
Technical Summary
The Kimsuky group, a North Korean state-sponsored threat actor, has developed a deceptive social engineering tactic known as 'ClickFix' to infiltrate targeted networks. This technique involves sending spear-phishing emails that impersonate legitimate entities and contain multilingual manuals or guides disguised as troubleshooting or security verification documents. Victims are tricked into following these seemingly benign instructions, which covertly execute malicious code, often leveraging PowerShell scripts and other obfuscated malware payloads. The campaign is an evolution of Kimsuky's previous 'BabyShark' operations, shifting from simpler VBS-based attacks to more sophisticated email and web-delivered infection vectors. The attackers employ a combination of tactics including process execution (T1053.005), service creation (T1543.003), spear-phishing with malicious links or attachments (T1566.001, T1566.002), impersonation (T1036), command and control over web protocols (T1102), script execution (T1059.001), data encoding (T1132), and user execution (T1189). The use of multilingual manuals increases the likelihood of deceiving diverse targets across different regions. The threat actor’s infrastructure and linguistic patterns confirm a North Korean origin. Detection and mitigation require advanced Endpoint Detection and Response (EDR) solutions capable of identifying obfuscated malware and anomalous behaviors indicative of this attack chain. The absence of known exploits in the wild suggests this is a targeted, espionage-driven campaign rather than a widespread worm or ransomware outbreak.
Potential Impact
For European organizations, the 'ClickFix' tactic poses a significant risk primarily to government agencies, defense contractors, research institutions, and critical infrastructure operators, which are typical targets of North Korean espionage groups. Successful compromise can lead to unauthorized access, data exfiltration, intellectual property theft, and potential disruption of services. The social engineering nature of the attack increases the risk of initial compromise through trusted communication channels, potentially bypassing perimeter defenses. The multilingual aspect of the manuals means that organizations across Europe, regardless of language, could be targeted. The use of sophisticated obfuscation and living-off-the-land techniques complicates detection, increasing dwell time and the potential for extensive lateral movement within networks. This can undermine confidentiality and integrity of sensitive data and may impact availability if attackers deploy destructive payloads or disrupt services as part of their objectives.
Mitigation Recommendations
European organizations should implement targeted mitigation strategies beyond generic advice:
1) Deploy and fine-tune EDR solutions with behavioral analytics to detect obfuscated scripts and anomalous process executions, especially those involving PowerShell and service creation.
2) Conduct regular, scenario-based phishing awareness training emphasizing the risks of following unsolicited troubleshooting or security verification instructions, including those presented in multiple languages.
3) Implement strict email filtering and authentication mechanisms such as DMARC, DKIM, and SPF to reduce spear-phishing success.
4) Enforce application whitelisting and restrict execution of scripts and macros from email attachments or untrusted sources.
5) Monitor network traffic for unusual outbound connections, particularly web-based C2 communications.
6) Maintain up-to-date threat intelligence feeds to recognize indicators of compromise related to Kimsuky infrastructure.
7) Establish incident response playbooks specifically addressing social engineering and living-off-the-land attack techniques to enable rapid containment and remediation.
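As an added, constructed illustration of recommendation 1 (this is not code from the page, from AlienVault or from the referenced Genians report): a small Python scorer for endpoint process-creation events that flags the launch pattern the analysis describes, a PowerShell process started from a user-facing parent with a hidden window and an encoded script (T1132) that goes on to create a service (T1543.003). The event layout, the parent-process list and the three sample command lines are assumptions made for the example.

```python
import base64, re
# Constructed sample events (not from the page); encode_ps() builds our own encoded command.
USER_FACING_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}
SERVICE_RE = re.compile(r"new-service|\bsc(?:\.exe)?\s+create\b", re.I)

def encode_ps(script):
    """Encode as powershell.exe -EncodedCommand expects: base64 of UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def switch_value(cmdline, full_name, aliases=()):
    """Value after a PowerShell switch. PowerShell accepts any unambiguous prefix
    (-e, -enc, -w, -win ...), so match prefixes of full_name plus explicit aliases."""
    toks = cmdline.split()
    for i, tok in enumerate(toks[:-1]):
        name = tok[1:].lower() if tok.startswith("-") else ""
        if name and (name in aliases or full_name.startswith(name)):
            return toks[i + 1]
    return None

def decode_encoded_command(cmdline):
    """Decode the -EncodedCommand payload, or None if absent or not valid base64."""
    b64 = switch_value(cmdline, "encodedcommand", aliases=("ec",))
    try:
        return None if b64 is None else base64.b64decode(b64, validate=True).decode("utf-16-le")
    except ValueError:  # binascii.Error and UnicodeDecodeError both derive from ValueError
        return None

def analyze(event):
    """Return the indicator names that fire for one process-creation event."""
    reasons, text = [], event["cmdline"]  # text also gains the decoded script below
    if event["image"].lower() == "powershell.exe":
        decoded = decode_encoded_command(event["cmdline"])
        if decoded is not None:
            reasons.append("encoded_command")
            text += " " + decoded
        if (switch_value(event["cmdline"], "windowstyle") or "").lower().startswith("hid"):
            reasons.append("hidden_window")
        if event["parent"].lower() in USER_FACING_PARENTS:  # launched from a user session
            reasons.append("user_facing_parent")
    if SERVICE_RE.search(text):  # service creation (T1543.003) in raw or decoded text
        reasons.append("service_creation")
    return reasons

EVENTS = [  # e1: user-driven hidden encoded launch; e2: routine admin script; e3: bare sc create
    {"id": "e1", "parent": "explorer.exe", "image": "powershell.exe", "cmdline":
     "powershell.exe -NoProfile -w hidden -enc " + encode_ps("New-Service -Name UpdSvc -BinaryPathName C:\\Users\\Public\\upd.exe")},
    {"id": "e2", "parent": "svchost.exe", "image": "powershell.exe", "cmdline":
     "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1"},
    {"id": "e3", "parent": "cmd.exe", "image": "sc.exe", "cmdline": "sc.exe create UpdSvc binPath= C:\\Users\\Public\\upd.exe"},
]
```

An event that scores two or more indicators (here only e1) is the one worth an alert; e2, a routine admin script run by a service process, scores none, and e3 alone scores one, so the threshold separates the user-driven chain from normal administration.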
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Poland, Sweden, Finland
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.genians.co.kr/en/blog/threat_intelligence/suky-castle
- Adversary: Kimsuky
- Pulse Id: 6864dc6fbb7b39eefb96ee85
- Threat Score: null
Threat ID: 6864e2316f40f0eb7291f913
Added to database: 7/2/2025, 7:39:29 AM
Last enriched: 7/2/2025, 7:54:37 AM
Last updated: 7/16/2025, 7:20:20 PM