
Analysis of the threat case of kimsuky group using 'ClickFix' tactic

2025-07-01, Genians
https://www.genians.co.kr/en/blog/threat_intelligence/suky-castle
#ClickFix #Kimsuky

Contents

◈ Key Findings
- ClickFix is a deceptive tactic that tricks users into unknowingly participating in the attack chain themselves.
- It disguises itself as troubleshooting guides for specific errors or as instructions for security document verification procedures.
- The campaign is believed to be an extension of Kimsuky’s ongoing “BabyShark” threat activity.
- To counter such threats, EDR-based defense strategies are crucial for detecting obfuscated malware and identifying abnormal behaviors.
1. Overview
○ In early 2025, the Genians Security Center (GSC) identified attack activity by the Kimsuky group that used the “ClickFix” tactic. The ClickFix technique was first described in April 2024 by researchers at the U.S. cybersecurity company Proofpoint in their report “From Clipboard to Compromise: A PowerShell Self-Pwn”.
○ In that case, users who visited a compromised website were shown a fake error message designed to look like it came from Google Chrome. The message tricked users into thinking they needed to …

IoC
