Around the World in 90 Days: State-Sponsored Actors Try ClickFix

Medium
Published: Thu Apr 17 2025 (04/17/2025, 14:57:01 UTC)
Source: AlienVault OTX

Description

Multiple state-sponsored threat actors from North Korea, Iran, and Russia have been observed adopting the ClickFix social engineering technique, previously associated with cybercriminal activities. Over a three-month period from late 2024 to early 2025, groups such as TA427, TA450, UNK_RemoteRogue, and TA422 incorporated ClickFix into their existing infection chains. The technique involves using dialogue boxes with instructions for targets to copy, paste, and run malicious commands on their machines. While the adoption of ClickFix hasn't revolutionized these groups' campaigns, it has replaced installation and execution stages in their existing processes. This trend highlights the fluidity of tactics among threat actors and the potential for wider adoption of ClickFix by other state-sponsored groups in the future.

AI-Powered Analysis

Last updated: 06/19/2025, 17:49:11 UTC

Technical Analysis

The threat titled "Around the World in 90 Days: State-Sponsored Actors Try ClickFix" describes the observed adoption of the ClickFix social engineering technique by multiple state-sponsored threat actors originating from North Korea, Iran, and Russia. These groups, including TA427, TA450, UNK_RemoteRogue, and TA422, integrated ClickFix into their existing malware infection chains over a three-month period spanning late 2024 to early 2025. ClickFix is a social engineering method that relies on presenting targets with dialogue boxes containing instructions that prompt users to copy, paste, and execute malicious commands directly on their machines. This technique effectively replaces the traditional installation and execution stages of malware deployment, streamlining the infection process by leveraging user interaction to execute payloads. While ClickFix has been previously associated with cybercriminal groups, its adoption by state-sponsored actors marks a notable shift in tactics, demonstrating the fluidity and adaptability of these actors in evolving their operational methods. The technique is linked with tools such as Metasploit and QuasarRAT, indicating its use in deploying remote access trojans and exploitation frameworks. Despite the integration of ClickFix, the overall campaign strategies of these groups have not fundamentally changed, but the trend suggests a potential for broader adoption of this social engineering approach by other state-sponsored entities in the future. No specific affected software versions or patches are identified, and no known exploits in the wild have been reported. The threat is classified as medium severity, reflecting moderate risk based on current knowledge.

Potential Impact

For European organizations, the adoption of ClickFix by state-sponsored actors poses a significant risk primarily through social engineering vectors that exploit human factors rather than technical vulnerabilities. The technique's reliance on convincing users to execute malicious commands can lead to unauthorized remote access, data exfiltration, espionage, and potential disruption of critical systems. Given the involvement of advanced persistent threat (APT) groups from North Korea, Iran, and Russia, targets may include government agencies, critical infrastructure, defense contractors, and high-value private sector entities. The impact includes potential compromise of confidentiality through data theft, integrity through unauthorized system modifications, and availability if malware payloads disrupt operations. The ease of exploitation depends heavily on user susceptibility to social engineering, making organizations with less mature security awareness programs more vulnerable. The lack of required software vulnerabilities means traditional patch management offers limited protection, emphasizing the need for robust user training and endpoint monitoring. The medium severity rating reflects that while the threat is not currently causing widespread disruption, the potential for targeted, high-impact intrusions exists, especially if the technique is adopted more widely.

Mitigation Recommendations

Mitigation should focus on strengthening defenses against social engineering and unauthorized command execution. Specific recommendations include:

1) Implementing comprehensive, scenario-based security awareness training that educates users on the risks of executing unsolicited commands and recognizing deceptive dialogue boxes.
2) Deploying endpoint protection solutions capable of detecting and blocking suspicious command-line activities and script execution initiated by user actions.
3) Utilizing application control or whitelisting to restrict execution of unauthorized scripts and commands, particularly those initiated via copy-paste from untrusted sources.
4) Enhancing monitoring and logging of command execution events to identify anomalous behavior indicative of ClickFix exploitation.
5) Establishing strict policies that prohibit users from executing commands or scripts received through unsolicited prompts or messages.
6) Conducting regular phishing simulation exercises tailored to mimic ClickFix-style social engineering to improve user resilience.
7) Employing network segmentation and least privilege principles to limit the lateral movement potential if initial compromise occurs.
8) Collaborating with threat intelligence providers to stay informed about evolving tactics and indicators related to ClickFix and associated APT groups.

Technical Details

Author: AlienVault
TLP: white
References: https://www.proofpoint.com/us/blog/threat-insight/around-world-90-days-state-sponsored-actors-try-clickfix
Adversary

Indicators of Compromise


Threat ID: 682c992c7960f6956616a0a2

Added to database: 5/20/2025, 3:01:00 PM

Last enriched: 6/19/2025, 5:49:11 PM

Last updated: 8/17/2025, 10:42:25 AM
