Around the World in 90 Days: State-Sponsored Actors Try ClickFix

2025-04-17 Proofpoint

https://www.proofpoint.com/us/blog/threat-insight/around-world-90-days-state-sponsored-actors-try-clickfix


Proofpoint observed TA427, which overlaps with Kimsuky and Emerald Sleet, adding ClickFix social engineering to its North Korea affairs-themed targeting in January and February 2025. Operators used spoofed meeting-request conversations, benign and malicious PDF lures, attacker-controlled "secure drive" pages, and pop-up instructions that pushed victims to paste and run PowerShell commands. The DPRK-linked chain fetched remote PowerShell, displayed a decoy questionnaire on Northeast Asia nuclear policy, and in one case continued through VBS and batch scripts to QuasarRAT. The report frames ClickFix as a cybercrime technique now being adopted by state-sponsored groups, with TA427 replacing parts of its usual execution chain rather than changing its target set.

Indicators of Compromise

