ClickFix Phishing Kit Exposed by Cybersecurity Experts

Summary
– Palo Alto Networks researchers discovered the “IUAM ClickFix Generator,” a phishing kit that enables less skilled attackers to deploy malware using the ClickFix social engineering technique.
– The kit creates customizable phishing pages mimicking browser verification pages from CDNs and security providers to trick victims into thinking they are legitimate.
– The tool allows attackers to customize page content, prompts, and malicious commands copied to victims’ clipboards, with detection for device type to tailor attacks.
– Phishing pages generated by the kit target Windows or macOS users to deliver infostealers, with one campaign linked to the Odyssey malware-as-a-service offering.
– The commoditization of the ClickFix technique lowers the skill and effort required for attacks, aligning with the phishing-as-a-service trend.

Cybersecurity specialists from Palo Alto Networks have identified and examined a new phishing toolkit known as the IUAM ClickFix Generator, which enables even novice cybercriminals to deploy malware through a widely used social engineering method. This approach tricks users into believing they are completing a standard browser verification step, often seen on sites protected by Content Delivery Networks or cloud security services. The kit produces highly adaptable phishing pages that convincingly imitate these verification interfaces, making it easier for attackers to deceive their targets.
According to the research team, the tool empowers threat actors to design phishing pages that closely replicate the challenge-response behavior of legitimate security checks. The counterfeit pages appear authentic to unsuspecting visitors, significantly boosting the success rate of these malicious campaigns.
The IUAM ClickFix Generator operates as a web application. The version analyzed by researchers was hosted at a particular IP address and remained active from the middle of July through early October 2025. Its straightforward user interface provided attackers with several customization options, allowing them to adjust the title, domain, displayed text, and prompts shown on the phishing page. It also let them define the harmful command that would be copied to a victim’s clipboard once they clicked the verification button.
Additionally, the toolkit can identify whether a visitor is using a mobile device, Windows, or macOS. If a mobile user is detected, the page prompts them to switch to a desktop browser. For desktop users, the malicious command is automatically tailored to their specific operating system. The kit also supports obfuscation methods and uses JavaScript to automatically inject content into the victim’s clipboard.
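
For defenders, the page behaviour described above suggests a static check over page source. The following is an added example, not code from the Palo Alto Networks research or from the kit: it flags a page only when a clipboard write appears together with verification-lure or paste-instruction text. The regex patterns, the `analyze` function and the sample pages are assumptions constructed for illustration.

```python
import re

# Heuristic patterns are assumptions made for this example, not indicators
# taken from the research described above.
SIGNALS = {
    # Script writes to the clipboard without the user selecting anything.
    "clipboard_write": re.compile(
        r"navigator\.clipboard\.writeText|execCommand\(\s*[\"']copy[\"']", re.I),
    # Script inspects the visitor's platform (used to pick an OS-specific command).
    "os_fingerprint": re.compile(r"navigator\.(userAgentData|userAgent|platform)", re.I),
    # Text imitating a CDN / security-provider browser check.
    "verification_lure": re.compile(
        r"verify(ing)? (that )?you are (a )?human|checking your browser"
        r"|i(?:'m| am) not a robot", re.I),
    # Text telling the visitor to paste into a run dialog or terminal.
    "paste_instructions": re.compile(
        r"win(dows)?\s*\+\s*r|run dialog|open (the )?terminal"
        r"|(ctrl|cmd|command)\s*\+\s*v", re.I),
}

def analyze(html: str) -> tuple[bool, list[str]]:
    """Return (suspicious, matched signal names) for one page's source."""
    hits = sorted(name for name, rx in SIGNALS.items() if rx.search(html))
    # A copy button alone is normal (docs sites); a verification page alone is
    # normal (real challenges). The combination is what the lure needs.
    suspicious = "clipboard_write" in hits and (
        "verification_lure" in hits or "paste_instructions" in hits)
    return suspicious, hits

# Constructed sample pages (not captured from any real campaign).
LURE = """<title>Just a moment...</title><p>Verify you are human</p>
<p>Press Win + R, then Ctrl + V</p><script>
var os = navigator.userAgent.indexOf("Mac") > -1 ? "mac" : "win";
navigator.clipboard.writeText("CONSTRUCTED-PLACEHOLDER-" + os);</script>"""
DOCS = """<pre id="s">pip install example</pre>
<button onclick="navigator.clipboard.writeText(s.innerText)">Copy</button>"""
CHALLENGE = """<p>Checking your browser before accessing example.com</p>
<script>var ua = navigator.userAgent;</script>"""

if __name__ == "__main__":
    for name, page in [("lure", LURE), ("docs", DOCS), ("challenge", CHALLENGE)]:
        print(name, analyze(page))
```

Because the kit supports obfuscation, a source-level match like this is best applied to rendered or deobfuscated page content and treated as one signal alongside clipboard and process telemetry on the endpoint.
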
Investigators have already identified multiple phishing pages built using the IUAM ClickFix Generator or a similar variant. These pages were crafted to target either Windows or macOS systems, with the goal of distributing information-stealing malware.
One campaign connected to this toolkit has been associated with the Odyssey malware-as-a-service (MaaS) platform and its developer. Differences observed across the phishing pages suggest that a base version of the toolkit is being distributed, then customized by individual operators or affiliates to suit their specific needs.
Posts made by the individual advertising and managing the Odyssey MaaS indicate that ClickFix-style lure pages are provided to affiliates upon request. This supports the idea that while a common generator tool serves as the foundation, each affiliate can modify the pages for different campaigns or personal preferences.
The availability of such toolkits illustrates the ongoing trend of phishing-as-a-service, which dramatically lowers the technical skill and effort required to carry out effective cyberattacks. As these tools become more accessible, the barrier to entry for aspiring cybercriminals continues to drop, posing a growing threat to individuals and organizations alike.
(Source: Help Net Security)





