diff --git a/src/generic-methodologies-and-resources/phishing-methodology/clipboard-hijacking.md b/src/generic-methodologies-and-resources/phishing-methodology/clipboard-hijacking.md
index a5c4d2c9857..c6678274b74 100644
--- a/src/generic-methodologies-and-resources/phishing-methodology/clipboard-hijacking.md
+++ b/src/generic-methodologies-and-resources/phishing-methodology/clipboard-hijacking.md
@@ -112,6 +112,76 @@ Blue-teams can combine clipboard, process-creation and registry telemetry to pin
* Event ID **4663** for file creations under `%LocalAppData%\Microsoft\Windows\WinX\` or temporary folders right before the suspicious 4688 event.
* EDR clipboard sensors (if present) – correlate `Clipboard Write` followed immediately by a new PowerShell process.
+## IUAM-style verification pages (ClickFix Generator): clipboard copy-to-console + OS-aware payloads
+
+Recent campaigns mass-produce fake CDN/browser verification pages ("Just a moment…", IUAM-style) that coerce users into copying OS-specific commands from their clipboard into native consoles. This pivots execution out of the browser sandbox and works across Windows and macOS.
+
+Key traits of the builder-generated pages
+- OS detection via `navigator.userAgent` to tailor payloads (Windows PowerShell/CMD vs. macOS Terminal). Optional decoys/no-ops for unsupported OS to maintain the illusion.
+- Automatic clipboard-copy on benign UI actions (checkbox/Copy) while the visible text may differ from the clipboard content.
+- Mobile blocking and a popover with step-by-step instructions: Windows → Win+R→paste→Enter; macOS → open Terminal→paste→Enter.
+- Optional obfuscation and single-file injector to overwrite a compromised site’s DOM with a Tailwind-styled verification UI (no new domain registration required).
+
+Example: clipboard mismatch + OS-aware branching
+```html
+
+
+
If the copy fails, click the checkbox again.
+
+
+```
+
+macOS persistence of the initial run
+- Use `nohup bash -lc '' >/dev/null 2>&1 &` so execution continues after the terminal closes, reducing visible artifacts.
+
+In-place page takeover on compromised sites
+```html
+
+```
+
+Detection & hunting ideas specific to IUAM-style lures
+- Web: Pages that bind Clipboard API to verification widgets; mismatch between displayed text and clipboard payload; `navigator.userAgent` branching; Tailwind + single-page replace in suspicious contexts.
+- Windows endpoint: `explorer.exe` → `powershell.exe`/`cmd.exe` shortly after a browser interaction; batch/MSI installers executed from `%TEMP%`.
+- macOS endpoint: Terminal/iTerm spawning `bash`/`curl`/`base64 -d` with `nohup` near browser events; background jobs surviving terminal close.
+- Correlate `RunMRU` Win+R history and clipboard writes with subsequent console process creation.
+
+See also for supporting techniques
+
+{{#ref}}
+clone-a-website.md
+{{#endref}}
+
+{{#ref}}
+homograph-attacks.md
+{{#endref}}
+
## Mitigations
1. Browser hardening – disable clipboard write-access (`dom.events.asyncClipboard.clipboardItem` etc.) or require user gesture.
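Review bot: both html code fences in the new section render with no code. The block under "Example: clipboard mismatch + OS-aware branching" contains only the stray text "If the copy fails, click the checkbox again.", and the block under "In-place page takeover on compromised sites" is blank, so neither heading is backed by anything a reader can inspect. The markup looks like it was stripped somewhere between authoring and commit. Either restore the intended snippets with angle brackets preserved inside the fence, or drop the two headings and fences and let the "Key traits" bullets carry the description. The same appears to have happened in the macOS bullet, where `nohup bash -lc '' >/dev/null 2>&1 &` has an empty command string; if a placeholder token was meant to sit between the quotes, write it in a form the renderer will not swallow. As a style point, "Key traits of the builder-generated pages", "macOS persistence of the initial run" and "Detection & hunting ideas specific to IUAM-style lures" are plain text lines acting as sub-headings; making them `###` headings would match the `##` level used for the section title and for Mitigations.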
@@ -132,5 +202,6 @@ Blue-teams can combine clipboard, process-creation and registry telemetry to pin
- [Fix the Click: Preventing the ClickFix Attack Vector](https://unit42.paloaltonetworks.com/preventing-clickfix-attack-vector/)
- [Pastejacking PoC – GitHub](https://github.com/dxa4481/Pastejacking)
- [Check Point Research – Under the Pure Curtain: From RAT to Builder to Coder](https://research.checkpoint.com/2025/under-the-pure-curtain-from-rat-to-builder-to-coder/)
+- [The ClickFix Factory: First Exposure of IUAM ClickFix Generator](https://unit42.paloaltonetworks.com/clickfix-generator-first-of-its-kind/)
-{{#include ../../banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
\ No newline at end of file
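Review bot: the last two lines of this hunk remove and re-add an identical `{{#include ../../banners/hacktricks-training.md}}` line, and the only difference is that the file now ends without a trailing newline. That is unrelated to adding the Unit 42 reference and adds noise to the diff; keep the final newline so the change to this hunk is just the one new list entry.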