Analysis Summary

The North Korean state-sponsored threat group Kimsuky has significantly advanced its social engineering tactics through a method known as “ClickFix”, first disclosed by a Researcher in April 2024. This technique manipulates users into executing malicious PowerShell commands by disguising them as browser troubleshooting steps or document verification procedures. By mimicking trusted sources like Google Chrome, ClickFix prompts victims to manually copy and paste obfuscated code into their system consoles, bypassing traditional endpoint protection tools that typically detect automated or technical exploits.

Throughout 2025, Analysts observed multiple ClickFix-based campaigns targeting high-profile individuals, particularly those involved in diplomacy and national security. These attacks leveraged spear-phishing emails and impersonated credible entities, including government officials and journalists, to gain the victims’ trust. The technique has been integrated into Kimsuky’s ongoing “BabyShark” operations, where attackers use multilingual instructions (English, French, German, Japanese, Korean, Russian, and Chinese) to widen the scope and effectiveness of their campaigns.

From a technical standpoint, the ClickFix malware showcases advanced obfuscation methods. Malicious PowerShell commands are stored in reverse string format, then reconstructed at runtime using character array manipulation. The use of random numerical sequences (e.g., “7539518426”) interspersed throughout the code, which are dynamically removed during execution, further hinders detection and analysis. These evasion techniques make visual inspection nearly impossible and allow the malware to operate under the radar of most conventional security systems.

Once executed, the malware establishes persistence by creating scheduled tasks and communicates with its command-and-control (C2) infrastructure via unique URI patterns like demo.php?ccs=cin and demo.php?ccs=cout. The infrastructure, spread across multiple countries and using dynamic DNS domains such as konamo.xyz and raedom.store, supports long-term communication and control. A consistent version identifier—“Version:RE4T-GT7J-KJ90-JB6F-VG5F”—ties these campaigns to Kimsuky’s broader BabyShark operation, underscoring their ongoing efforts to evade detection through psychological and technical sophistication.

Impact

• Security Bypass
• Gain Access

Indicators of Compromise

Domain Name

• kro.kr
• cafe24.pro
• cukumam.shop
• bikaro.store
• naunsae.store
• www.online.check-computer.kro.kr
• online.lecture-site.kro.kr
• account-profile.servepics.com
• accounts-porfile.serveirc.com

MD5

• d10208c32fbbb5cacbd2097fc0dcd444
• 0a9c22079c898fc112e67ce1caff8f54
• fc4c319d7940ad1b7c0477469420bd11

SHA-256

• 137e32ad4601e0dd8e1dc5e10a90ad58a91390fdd27cc7c9daaca31962237c25
• dc15ab39b2171cb22e4afd55d92c2994707b9cebf4edf44b150dbbbbe209df2d
• 6f6076ce4e71066fbe5c81027073323407800640e58045087085192a3f03f1ff

SHA-1

• de8e5de70afa4f9299c9993753121c6f319d0d41
• 4682c97c7e51158320a40a98415341ba8cf117d7
• 94bff8afbe304c17d8d6a1f2dc4b82fbfcc53bdc

Remediation

• Lock all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Limit access to PowerShell for non-administrative users and enforce execution policies (AllSigned or Restricted) to prevent script abuse.
• Use tools like Microsoft AppLocker or Windows Defender Application Control (WDAC) to block unauthorized script execution.
• Strengthen email security to detect and block spear-phishing attempts, especially those using spoofed identities or encrypted attachments.
• Deploy EDR (Endpoint Detection and Response) solutions to monitor unusual script activity and manual command execution by users.
• Use threat-hunting rules to identify suspicious PowerShell behavior, such as reverse string operations or use of ToCharArray().
• Continuously update threat intelligence feeds to block access to identified malicious domains like konamo.xyz and raedom.store.
• Ensure users operate with minimum required privileges to reduce the risk of successful malware execution and persistence.
• Regularly audit scheduled tasks for unusual or unauthorized entries that may indicate persistence mechanisms.
• Keep operating systems and security software up to date to defend against known vulnerabilities exploited in hybrid attack chains.