A new threat report released today by Darktrace highlights a surge in “ClickFix” social engineering attacks, particularly by North Korean groups (Lazarus). This tactic involves tricking users (often IT staff or devs) into copying and pasting malicious PowerShell scripts to “fix” a fake error on a website or video conference.
Business Impact
This technique is highly effective because it sidesteps standard malware detection: no malicious file is delivered, and the user runs the command by hand, which EDR tools often classify as legitimate administrative activity. It grants attackers immediate, stealthy access to endpoints.
Why It Happened
Attackers are adapting to improved email defenses by moving the lure to the browser and exploiting the “human gap.” The technique leverages the clipboard, which is difficult for security tools to inspect in real time.
Recommended Executive Action
Update security awareness training to specifically cover “ClickFix” and “clipboard injection” attacks. Restrict standard users’ ability to execute PowerShell scripts and consider browser extensions that block pasting of code into the terminal.
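A concrete starting point for the detection side of the recommendation above, added here as an example and not taken from the Darktrace report: a PowerShell script that enables Script Block Logging (so commands pasted into an interactive console are recorded as event ID 4104) and then sweeps recent 4104 events for constructs typical of copy-and-run loaders. The pattern list and the 24-hour window are assumptions to tune for your environment.

```powershell
# Added example (not from the Darktrace report or the post above).
# Two defender steps against pasted PowerShell one-liners:
#   1. turn on Script Block Logging so every executed block, including
#      commands pasted into an interactive console, lands in event ID 4104;
#   2. sweep recent 4104 events for strings typical of pasted loaders.
# The pattern list is an assumed starter set; tune it to your environment.
# Run as Administrator.

function Enable-ScriptBlockLogging {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord
}

function Find-SuspiciousPastedCommands {
    param(
        [int]$Hours = 24,
        # Assumed starter list: constructs that rarely appear in legitimate
        # interactive admin use but are common in copy-and-run loaders.
        [string[]]$Patterns = @(
            'Invoke-Expression', '\biex\b', 'DownloadString', 'Net\.WebClient',
            'FromBase64String', '-enc', '-w(indowstyle)?\s+hidden', 'Invoke-WebRequest'
        )
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Properties[2] of a 4104 event carries the ScriptBlockText.
        $text = [string]$_.Properties[2].Value
        $hits = $Patterns | Where-Object { $text -match $_ }
        if ($hits) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = $_.UserId
                Matched = ($hits -join ', ')
                Snippet = $text.Substring(0, [Math]::Min(120, $text.Length))
            }
        }
    }
}

Enable-ScriptBlockLogging
Find-SuspiciousPastedCommands -Hours 24 | Format-Table -AutoSize
```

Forward the same 4104 events to your SIEM so the sweep runs centrally rather than per host.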
Hashtags: #SocialEngineering #ClickFix #Lazarus #NorthKorea #APT #CyberSecurity #InfoSec #PowerShell
