
Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://unit42.paloaltonetworks.com/clickfix-generator-first-of-its-kind/
  • Blog Title: The ClickFix Factory: First Exposure of IUAM ClickFix Generator
  • Suggested Section: Phishing Methodology / Clipboard Hijacking (add a subsection: IUAM-style verification pages with clipboard copy-to-console + OS-aware payloads); cross-link to Phishing Methodology / Clone a Website and Homograph Attacks

🎯 Content Summary

What the post reveals
Unit 42 exposes a turnkey phishing-kit builder dubbed the IUAM ClickFix Generator that mass-produces fake CDN/browser verification (“Just a moment…”) pages. These pages coerce users into copying OS-specific commands from their clipboard into local consoles (Win+R→PowerShell/CMD or macOS Terminal), shifting execution outside the browser sandbox to install stealers/RATs (notably DeerStealer on Windows and Odyssey on macOS). No CVEs are exploited; the vector is p...

🔧 Technical Details

Clipboard-injection + verification-page impersonation
Abuse user trust by spoofing CDN/browser IUAM challenges. Bind user interactions (checkbox/Copy button) to silently place a hidden command into the clipboard, then instruct the user to paste it into a native console (Windows PowerShell/CMD via Win+R, or macOS Terminal). This pivots execution from the browser to the OS, bypassing browser security and many web/email sandboxes.

OS-aware payload routing
Use navigator.userAgent to branch payloads: Windows receives a PowerShell one-liner (download/execute batch→MSI); macOS receives a Base64-encoded bash that fetches and runs a payload (Odyssey). Provide decoy/no-op commands for unsupported OS to maintain the lure without detonating malware.

Stealthy persistence of the initial run
On macOS, wrap the Base64-decoded installer in nohup bash so the process continues after the user closes the terminal window, reducing vis...

🤖 Agent Actions

I analyzed the blog and the existing HackTricks content, then updated HackTricks by adding a new subsection to the Clipboard Hijacking page with the IUAM-style verification technique, OS-aware payload branching, macOS nohup persistence, and DOM takeover injection details. I also added cross-links to “Clone a Website” and “Homograph Attacks,” and included the blog as a reference.

What I did:

  • Explored repository structure and reviewed at least 5 relevant files:

    • src/generic-methodologies-and-resources/phishing-methodology/clipboard-hijacking.md
    • src/generic-methodologies-and-resources/phishing-methodology/README.md
    • src/generic-methodologies-and-resources/phishing-methodology/homograph-attacks.md
    • src/generic-methodologies-and-resources/phishing-methodology/clone-a-website.md
    • src/generic-methodologies-and-resources/phishing-methodology/detecting-phising.md
    • Also checked: src/generic-methodologies-and-resources/phishing-methodology/discord-invite-hijacking.md and relevant mentions of ClickFix across pages
  • Decided best place to add: Phishing Methodology / Clipboard Hijacking (Pastejacking), since it directly covers the exact vector and already introduces ClickFix/ClearFake. I expanded it with a focused subsection: “IUAM-style verification pages (ClickFix Generator): clipboard copy-to-console + OS-aware payloads”.

  • Added technical content:

    • Builder traits: OS-aware userAgent branching (Windows PowerShell/CMD vs macOS Terminal), clipboard mismatch between displayed benign string and malicious clipboard content, mobile blocking, instructional popover, optional obfuscation.
    • Code:
      • Clipboard mismatch + OS-aware branching JS/HTML (showing benign string, copying real command; using navigator.userAgent to select Windows PS vs macOS nohup bash).
      • macOS nohup technique to keep execution after terminal closes.
      • In-place DOM takeover injection snippet that fetches a full phishing page and overwrites the DOM, then injects Tailwind from CDN to style the page.
    • Detection and hunting:
      • Web artifacts: Clipboard API bound to verification widgets, mismatch between UI text and actual clipboard, userAgent branching, Tailwind + single-page DOM replace.
      • Endpoint telemetry:
        • Windows: explorer.exe spawning powershell/cmd and execution of batch/MSI from %TEMP%.
        • macOS: Terminal/iTerm spawning bash/curl/base64 -d with nohup near browser events.
      • Correlate RunMRU and clipboard events with new console processes.
    • Cross-linked to related techniques:
      • Clone a Website
      • Homograph Attacks
    • Updated References with the new Unit 42 article.

Changes implemented:

  • Modified file:
    • src/generic-methodologies-and-resources/phishing-methodology/clipboard-hijacking.md

Key additions in that file:

  • New section: “IUAM-style verification pages (ClickFix Generator): clipboard copy-to-console + OS-aware payloads”
  • Code snippets:
    • Clipboard mismatch + OS-aware branching
    • macOS nohup one-liner
    • DOM takeover injection + Tailwind
  • Detection/hunting bullets specific to IUAM-style pages
  • Cross-links using HackTricks ref macro:
    • clone-a-website.md
    • homograph-attacks.md
  • References updated:
    • Added: The ClickFix Factory: First Exposure of IUAM ClickFix Generator (Unit 42)

No other pages were changed since existing pages already cover cloning and homographs, and the main README already links to Clipboard Hijacking.

Note: The blog did not involve exploiting any CVE or a new vulnerability class; it’s a social-engineering + clipboard abuse + OS-aware payload routing technique. The update focuses on operational, technical tradecraft that defenders and red-teamers can learn from (code snippets, behavioral detection).


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
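The endpoint-telemetry and correlation hunting points listed in the comment above, turned into a small runnable detector as an added example (not code from the PR, HackTricks, or the Unit 42 post). It runs over constructed sample events; the event field names, the parent/console process lists, and the "two indicators or more" alert threshold are assumptions.

```python
import re
from datetime import datetime

# Constructed sample telemetry (not from the PR or the Unit 42 post): a browser
# clipboard write, two console spawns matching the PR's indicators, one benign.
EVENTS = [
    {"ts": "2025-10-08T10:00:01", "host": "win-01", "type": "clipboard", "proc": "chrome.exe"},
    {"ts": "2025-10-08T10:00:20", "host": "win-01", "type": "process", "parent": "explorer.exe",
     "image": "powershell.exe", "cmd": r'powershell -w hidden -c "cmd /c %TEMP%\update.bat"'},
    {"ts": "2025-10-08T10:05:00", "host": "mac-01", "type": "process", "parent": "Terminal",
     "image": "bash", "cmd": "echo aGVsbG8= | base64 -d | nohup bash &"},
    {"ts": "2025-10-08T11:00:00", "host": "win-02", "type": "process", "parent": "explorer.exe",
     "image": "powershell.exe", "cmd": "powershell -c Get-Date"},
]

WIN_CONSOLES = {"powershell.exe", "pwsh.exe", "cmd.exe"}          # assumed console images
WIN_TEMP_EXEC = re.compile(r"(%temp%|\\temp)\\[^\s\"']*\.(?:bat|cmd|msi)\b", re.I)
MAC_PARENTS = {"Terminal", "iTerm2"}                                # assumed terminal apps
MAC_TOOLS = re.compile(r"\b(curl|nohup|base64\s+-[dD])\b")         # tools named in the PR


def indicators(ev):
    """Reasons a process-creation event looks like a pasted ClickFix command."""
    reasons, cmd = [], ev.get("cmd", "")
    if ev["parent"].lower() == "explorer.exe" and ev["image"].lower() in WIN_CONSOLES:
        reasons.append("console spawned by explorer.exe (Win+R pattern)")
        if WIN_TEMP_EXEC.search(cmd):
            reasons.append("batch/MSI executed from %TEMP%")
    if ev["parent"] in MAC_PARENTS and ev["image"] in {"bash", "sh", "zsh"}:
        reasons.append(f"shell spawned by {ev['parent']}")
        for tool in sorted({m.group(1).split()[0] for m in MAC_TOOLS.finditer(cmd)}):
            reasons.append(f"{tool} in terminal command")
    return reasons


def hunt(events, window_s=120):
    """Alert on console spawns with two or more indicators; a browser clipboard
    write on the same host within window_s seconds before the spawn counts as one."""
    clips = [e for e in events if e["type"] == "clipboard"]
    alerts = []
    for ev in (e for e in events if e["type"] == "process"):
        reasons = indicators(ev)
        t = datetime.fromisoformat(ev["ts"])
        for c in clips:  # correlate with a preceding clipboard write on the same host
            dt = (t - datetime.fromisoformat(c["ts"])).total_seconds()
            if c["host"] == ev["host"] and 0 <= dt <= window_s:
                reasons.append(f"clipboard write by {c['proc']} {int(dt)}s earlier")
                break
        if len(reasons) >= 2:  # a lone explorer.exe -> console spawn is too noisy by itself
            alerts.append({"host": ev["host"], "ts": ev["ts"], "reasons": reasons})
    return alerts
```

The benign win-02 spawn carries only the single explorer.exe-to-console indicator and is left alone, while the %TEMP% batch execution and the base64/nohup terminal command each alert.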

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://unit42.paloaltonetworks.com/clickfix-generator-first-of-its-kind/

Content Categories: Based on the analysis, this content was categorized under "Phishing Methodology / Clipboard Hijacking (add a subsection: IUAM-style verification pages with clipboard copy-to-console + OS-aware payloads); cross-link to Phishing Methodology / Clone a Website and Homograph Attacks".

Repository Maintenance:

  • MD Files Formatting: 896 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

@carlospolop
Collaborator Author

merge

@carlospolop carlospolop merged commit afa38ea into master Oct 12, 2025
@carlospolop carlospolop deleted the update_The_ClickFix_Factory__First_Exposure_of_IUAM_Click_20251008_124417 branch October 12, 2025 00:35