Threat Advisory

ClickFix Generator Phishing Kit Delivers Malware through User Interaction

Threat: Phishing Campaign
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

A newly observed phishing kit, dubbed the ClickFix Generator, has emerged that automates the creation of highly convincing browser-verification spoof pages. These pages trick users into executing commands manually, thereby bypassing automated protections and enabling deployment of malware such as infostealers and remote access Trojans. The commoditization of this technique lowers the barrier for threat actors, making social engineering more widely accessible.

The ClickFix Generator is hosted as a web application and offers a configurable interface that allows attackers to customize nearly every aspect of the spoofed verification page, including title, domains, messages, prompts, clipboard behavior, mobile detection, and obfuscation settings. It also incorporates operating system detection logic to deliver OS-specific commands. In observed campaigns, when a victim clicks the verification checkbox, a malicious command is copied invisibly into the clipboard. The user is then instructed to paste and execute the command, which triggers a multi-stage download and execution chain. In one confirmed case, the chain deployed a batch script that ultimately loaded an infostealer, while in other instances the kit facilitated delivery of distinct malware variants depending on the victim's OS. Multiple phishing pages share similar structural and command templates yet show minor divergences, implying that variants or forks of the generator are already in use. Shared HTML and JavaScript artifacts, and consistent command-and-control patterns across samples, indicate a common underlying builder tool. Additionally, the kit supports embedding into compromised legitimate sites via script injection, with Tailwind CSS styling used to override the original content.
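
The combination described above (a verification lure, a clipboard write on checkbox click, OS detection, paste-and-run instructions, Tailwind styling) can be scored heuristically when triaging suspicious page source. The following is an added example, not part of this advisory or the kit itself; the indicator patterns, weights and thresholds are assumptions chosen for illustration, and both HTML samples are constructed.

```python
import re

# Heuristic indicators for ClickFix-style lure pages: (name, regex, weight).
# Weights and thresholds are assumptions for this example, not published values.
INDICATORS = [
    ("clipboard_write", r"navigator\.clipboard\.writeText|execCommand\(['\"]copy['\"]\)", 3),
    ("human_check_lure", r"verify (?:you(?:'re| are) )?(?:a )?human|i am not a robot|checkbox", 2),
    ("paste_instruction", r"(?:win|windows)\s*\+\s*r|ctrl\s*\+\s*v|press enter|run dialog|terminal", 3),
    ("os_detection", r"navigator\.(?:userAgent|platform)|userAgentData", 1),
    ("shell_launcher", r"\b(?:powershell|cmd(?:\.exe)?|mshta|curl|bash|/bin/sh)\b", 3),
    ("tailwind_cdn", r"cdn\.tailwindcss\.com|tailwind", 1),
]


def score_page(html: str) -> dict:
    """Return matched indicator names, a weighted score and a verdict for one page."""
    hits = [name for name, pat, _ in INDICATORS if re.search(pat, html, re.I)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    # Core ClickFix signature: a clipboard write paired with an instruction to
    # paste the copied content into a Run dialog or shell. Either alone is common
    # on legitimate sites, so the verdict requires both plus a minimum score.
    core = "clipboard_write" in hits and "paste_instruction" in hits
    if core and score >= 8:
        verdict = "clickfix-like"
    elif score >= 5:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"score": score, "hits": hits, "verdict": verdict}


# Constructed lure sample: OS-dependent command copied on checkbox click,
# followed by paste-and-run instructions. The command is a harmless placeholder.
SAMPLE_LURE = """<html><head><script src="https://cdn.tailwindcss.com"></script></head>
<body><h1>Verify you are human</h1><input type="checkbox" id="cb">
<p>1. Press Win + R  2. Press Ctrl + V  3. Press Enter</p>
<script>
var cmd = navigator.userAgent.includes("Windows") ? "cmd /c echo PLACEHOLDER"
                                                  : "bash -c 'echo PLACEHOLDER'";
document.getElementById("cb").onclick = function () { navigator.clipboard.writeText(cmd); };
</script></body></html>"""

# Constructed benign sample: a normal "copy link" button also writes the clipboard.
SAMPLE_BENIGN = """<html><body><button id="copy">Copy link</button>
<script>document.getElementById("copy").onclick = () => navigator.clipboard.writeText(location.href);</script>
</body></html>"""

if __name__ == "__main__":
    for label, page in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, score_page(page))
```

The benign sample still triggers the clipboard indicator but stays below the threshold, which is the point of requiring the paste-instruction pairing rather than flagging clipboard use alone.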

The emergence of a commercial ClickFix generator underscores a growing trend: advanced social-engineering tools are becoming commoditized. Because the attack relies on convincing a user to run commands, this vector is especially dangerous, shifting the burden from exploiting a vulnerability to manipulating human behavior. Organizations and users must remain vigilant, treat any request to copy and execute terminal commands with extreme suspicion, and deploy layered defenses to detect and block such phishing and malware activity.


Tactic             Technique ID   Technique                           Sub-technique
Initial Access     T1566.002      Phishing                            Spearphishing Link
Execution          T1204.004      User Execution                      Malicious Copy and Paste
Execution          T1059.003      Command and Scripting Interpreter   Windows Command Shell
Execution          T1059.004      Command and Scripting Interpreter   Unix Shell
Credential Access  T1555.003      Credentials from Password Stores    Credentials from Web Browsers
Collection         T1056.003      Input Capture                       Web Portal Capture
Exfiltration       T1041          Exfiltration Over C2 Channel        -


REFERENCES:

The following reports contain further technical details:
