Analysis of the threat case of kimsuky group using 'ClickFix' tactic

Description

The Kimsuky group has adopted a deceptive tactic called 'ClickFix' to trick users into unknowingly participating in attack chains. This method involves disguising malicious instructions as troubleshooting guides or security document verification procedures. The campaign is believed to be an extension of Kimsuky's ongoing 'BabyShark' threat activity. The tactic has evolved from VBS-based attacks to more sophisticated email-based and website-delivered methods. Attackers impersonate legitimate entities and use multilingual manuals to guide victims through seemingly harmless steps that actually execute malicious code. The group's infrastructure and linguistic patterns point to North Korean origin. To counter such threats, EDR-based defense strategies are crucial for detecting obfuscated malware and identifying abnormal behaviors.