Cybercriminals are rapidly lowering the skill barrier for executing advanced social engineering attacks by proliferating phishing kits built around the ClickFix technique.
Researchers from Palo Alto Networks’ Unit 42 have discovered a web-based tool named IUAM ClickFix Generator that automates the creation of deceptive phishing pages, enabling even low-skilled attackers to craft convincing lures that manipulate victims into executing malicious commands manually.
IUAM ClickFix Generator Mimics Legitimate Browser Challenges
The IUAM ClickFix Generator, hosted on the IP address 38.242.212[.]5 and active since July 2025, is a publicly exposed phishing kit builder running on Express and styled with Tailwind CSS.
It allows threat actors to customize phishing pages that mimic legitimate “browser verification” challenges commonly used by CDN and cloud security providers. Through a simple web interface, attackers can configure titles, on-screen prompts, and footer messages.

More dangerously, it includes a clipboard injection feature that automatically copies malicious commands, often PowerShell or bash scripts, into the victim’s clipboard when they click verification buttons.
Attackers can also configure OS detection scripts to tailor payload delivery for Windows or macOS, using either PowerShell or Base64-encoded bash commands.
These customizations enable phishing pages to appear more authentic while simultaneously instructing unsuspecting users to execute commands that download and install information-stealing malware or remote access Trojans (RATs).
Advanced settings within the kit enable JavaScript obfuscation and mobile blocking, ensuring the page prompts desktop execution only.
Real-World Campaigns Deliver DeerStealer and Odyssey Malware
Researchers observed at least two confirmed campaigns leveraging kit-built ClickFix pages. In one case, attackers distributed DeerStealer, a Windows-only infostealer delivered through a clipboard-based PowerShell command.
Clicking the fake CAPTCHA injected a script that downloaded a malicious batch file (SHA256: 2b74674587a65cfc9c2c47865ca8128b4f7e47142bd4f53ed6f3cb5cf37f7a6b), which fetched an MSI file (SHA256: ead6b1f0add059261ac56e9453131184bc0ae2869f983b6a41a1abb167edf151) to install the malware.

A broader campaign targeted both Windows and macOS users to deliver the Odyssey infostealer, a malware-as-a-service (MaaS) tool distributed via multiple spoofed trading and cloud domains such as tradingview.connect-app[.]us[.]com and cloudlare-lndex[.]com.
The phishing logic parses the navigator.userAgent to detect platforms, dynamically injecting the relevant command for execution. Interestingly, these variants contained developer comments in Russian, indicating a shared codebase and likely Eastern European origin.
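As an added example (not code from Unit 42 or from the kit itself), the Python heuristic below scans a page's source for the traits described above: a clipboard write wired to the verification button, navigator.userAgent platform branching, PowerShell or base64-bash command strings, and a mobile-blocking user-agent check. Both sample pages are constructed for this illustration, and the indicator names, weights and verdict rule are my own assumptions rather than a published signature.

```python
import re
from dataclasses import dataclass, field

# Page-content heuristics for ClickFix-style lures: (name, weight, pattern).
INDICATORS = [
    ("clipboard_write", 4, re.compile(
        r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]", re.I)),
    ("os_detection", 2, re.compile(r"navigator\.userAgent", re.I)),
    ("powershell_payload", 4, re.compile(r"powershell(\.exe)?\s+-", re.I)),
    ("base64_bash", 4, re.compile(
        r"echo\s+\S+\s*\|\s*base64\s+(-d|--decode)", re.I)),
    ("verification_lure", 1, re.compile(
        r"verify (you are|you're) human|browser verification|checking your browser", re.I)),
    # A regex literal naming mobile platforms: the kit's mobile-blocking feature.
    ("mobile_block", 1, re.compile(r"/[^/\n]*(android|iphone|ipad)[^/\n]*/i", re.I)),
]

@dataclass
class Verdict:
    score: int
    hits: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # The defining ClickFix trait: a clipboard write carrying a shell payload.
        payload = {"powershell_payload", "base64_bash"} & set(self.hits)
        return "clipboard_write" in self.hits and bool(payload)

def scan_page(html: str) -> Verdict:
    """Score raw page source (HTML plus inline JS) against the indicator list."""
    hits = [name for name, _, rx in INDICATORS if rx.search(html)]
    return Verdict(sum(w for name, w, _ in INDICATORS if name in hits), hits)

# Constructed sample resembling a kit-built lure (placeholder commands, no real payload).
CONSTRUCTED_CLICKFIX = """<html><title>Just a moment...</title><body>
<p>Verify you are human to continue</p><button id="verify">I'm not a robot</button>
<script>
var win = /windows/i.test(navigator.userAgent);
if (/android|iphone|ipad/i.test(navigator.userAgent)) { document.body.innerHTML = "Use a desktop browser"; }
var cmd = win ? "powershell.exe -c 'CONSTRUCTED_PLACEHOLDER'" : "echo Q09OU1RSVUNURUQ= | base64 -d | bash";
document.getElementById("verify").onclick = function () { navigator.clipboard.writeText(cmd); };
</script></body></html>"""

# Constructed sample of a genuine challenge page: reads the user agent, never touches the clipboard.
CONSTRUCTED_BENIGN = """<html><title>Checking your browser</title><body>
<p>Checking your browser before accessing the site.</p>
<script>fetch("/challenge", {method: "POST", body: navigator.userAgent});</script>
</body></html>"""
```

Run scan_page over fetched page source from a proxy or sandbox; a verdict with clipboard_write plus a payload marker is the signal worth alerting on, since benign challenge pages also read the user agent and show "checking your browser" text.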
The discovery of the IUAM ClickFix Generator highlights how phishing-as-a-service ecosystems are evolving into comprehensive malware delivery pipelines, automating every step from lure design to payload execution.
Palo Alto Networks’ Advanced URL Filtering, DNS Security, and Cortex XDR modules have been updated to block associated indicators and effectively detect these cross-platform threats.