The ClickFix Factory: First Exposure of IUAM ClickFix Generator

    Date: 10/09/2025

    Severity: High

    Summary

    Attackers are leveraging a social engineering technique called ClickFix—which tricks users into manually executing malware—and are now packaging it into phishing kits for easy use. One such kit, the IUAM ClickFix Generator, automates the creation of deceptive phishing pages that mimic browser verification screens. It includes advanced features like OS detection and clipboard injection, enabling cross-platform malware delivery with minimal effort. This kit has been used to deploy malware such as DeerStealer and is part of a growing commercial phishing-as-a-service ecosystem focused on ClickFix-based attacks.

    Indicators of Compromise (IOC) List

    URLs/Domains

    Odyssey1.to

    Odyssey-st.com

    sdojifsfiudgigfiv.to

    Charge0x.at

    speedtestcheck.org

    claudflurer.com

    teamsonsoft.com

    Macosapp-apple.com

    tradingview.connect-app.us.com

    treadingveew.last-desk.org

    tradingviewen.com

    financementure.com

    Cryptoinfnews.com

    Emailreddit.com

    Macosxappstore.com

    Cryptoinfo-news.com

    Cryptoinfo-allnews.com

    apposx.com

    ttxttx.com

    Greenpropertycert.com

    cloudlare-lndex.com

    Dactarhome.com

    ibs-express.com

    favorite-hotels.com

    watchlist-verizon.com

    Growsearch.in

    Creatorssky.com

    quirkyrealty.com

    Sharanilodge.com

    asmicareer.com

    crm.jskymedia.com

    coffeyelectric.com

    Sifld.rajeshmhegde.com

    Pixelline.in

    techinnovhub.co.za

    fudgeshop.com.au

    evodigital.com.au

    365-drive.com

    IP Addresses

    45.146.130.129

    45.135.232.33

    83.222.190.214

    194.26.29.217

    88.214.50.3

    45.146.130.132

    45.146.130.131

    185.93.89.62

    Hashes (SHA-256)

    397ee604eb5e20905605c9418838aadccbbbfe6a15fc9146442333cfc1516273

    7a8250904e6f079e1a952b87e55dc87e467cc560a2694a142f2d6547ac40d5e1

    7765e5e0a7622ff69bd2cee0a75f2aae05643179b4dd333d0e75f98a42894065

    d81cc9380673cb36a30f2a84ef155b0cbc7958daa6870096e455044fba5f9ee8

    9c5920fa25239c0f116ce7818949ddce5fd2f31531786371541ccb4886c5aeb2

    9090385242509a344efd734710e60a8f73719130176c726e58d32687b22067c8

    8ed8880f40a114f58425e0a806b7d35d96aa18b2be83dede63eff0644fd7937d

    7881a60ee0ad02130f447822d89e09352b084f596ec43ead78b51e331175450f

    d375bb10adfd1057469682887ed0bc24b7414b7cec361031e0f8016049a143f9

    039f82e92c592f8c39b9314eac1b2d4475209a240a7ad052b730f9ba0849a54a

    82b73222629ce27531f57bae6800831a169dff71849e1d7e790d9bd9eb6e9ee7

    d110059f5534360e58ff5f420851eb527c556badb8e5db87ddf52a42c1f1fe76

    816bf9ef902251e7de73d57c4bf19a4de00311414a3e317472074ef05ab3d565

    72633ddb45bfff1abeba3fc215077ba010ae233f8d0ceff88f7ac29c1c594ada

    cd78a77d40682311fd30d74462fb3e614cbc4ea79c3c0894ba856a01557fd7c0

    00c953a678c1aa115dbe344af18c2704e23b11e6c6968c46127dd3433ea73bf2

    fe8b1b5b0ca9e7a95b33d3fcced833c1852c5a16662f71ddea41a97181532b14

    966108cf5f3e503672d90bca3df609f603bb023f1c51c14d06cc99d2ce40790c

    029a5405bbb6e065c8422ecc0dea42bb2689781d03ef524d9374365ebb0542f9

    081921671d15071723cfe979633a759a36d1d15411f0a6172719b521458a987d

    2b74674587a65cfc9c2c47865ca8128b4f7e47142bd4f53ed6f3cb5cf37f7a6b

    6e4119fe4c8cf837dac27e2948ce74dc7af3b9d4e1e4b28d22c4cf039e18b993

    ba5305e944d84874bde603bf38008675503244dc09071d19c8c22ded9d4f6db4

    f2a068164ed7b173f17abe52ad95c53bccf3bb9966d75027d1e8960f7e0d43ac

    3aee8ad1a30d09d7e40748fa36cd9f9429e698c28e2a1c3bcf88a062155eee8c

    ead6b1f0add059261ac56e9453131184bc0ae2869f983b6a41a1abb167edf151

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "sdojifsfiudgigfiv.to" or siteurl like "sdojifsfiudgigfiv.to" or url like "sdojifsfiudgigfiv.to" or
    domainname like "Sifld.rajeshmhegde.com" or siteurl like "Sifld.rajeshmhegde.com" or url like "Sifld.rajeshmhegde.com" or
    domainname like "apposx.com" or siteurl like "apposx.com" or url like "apposx.com" or
    domainname like "financementure.com" or siteurl like "financementure.com" or url like "financementure.com" or
    domainname like "coffeyelectric.com" or siteurl like "coffeyelectric.com" or url like "coffeyelectric.com" or
    domainname like "cloudlare-lndex.com" or siteurl like "cloudlare-lndex.com" or url like "cloudlare-lndex.com" or
    domainname like "Sharanilodge.com" or siteurl like "Sharanilodge.com" or url like "Sharanilodge.com" or
    domainname like "Cryptoinfo-allnews.com" or siteurl like "Cryptoinfo-allnews.com" or url like "Cryptoinfo-allnews.com" or
    domainname like "Creatorssky.com" or siteurl like "Creatorssky.com" or url like "Creatorssky.com" or
    domainname like "Pixelline.in" or siteurl like "Pixelline.in" or url like "Pixelline.in" or
    domainname like "365-drive.com" or siteurl like "365-drive.com" or url like "365-drive.com" or
    domainname like "quirkyrealty.com" or siteurl like "quirkyrealty.com" or url like "quirkyrealty.com" or
    domainname like "speedtestcheck.org" or siteurl like "speedtestcheck.org" or url like "speedtestcheck.org" or
    domainname like "claudflurer.com" or siteurl like "claudflurer.com" or url like "claudflurer.com" or
    domainname like "Growsearch.in" or siteurl like "Growsearch.in" or url like "Growsearch.in" or
    domainname like "Charge0x.at" or siteurl like "Charge0x.at" or url like "Charge0x.at" or
    domainname like "Macosxappstore.com" or siteurl like "Macosxappstore.com" or url like "Macosxappstore.com" or
    domainname like "tradingviewen.com" or siteurl like "tradingviewen.com" or url like "tradingviewen.com" or
    domainname like "Odyssey1.to" or siteurl like "Odyssey1.to" or url like "Odyssey1.to" or
    domainname like "evodigital.com.au" or siteurl like "evodigital.com.au" or url like "evodigital.com.au" or
    domainname like "ibs-express.com" or siteurl like "ibs-express.com" or url like "ibs-express.com" or
    domainname like "treadingveew.last-desk.org" or siteurl like "treadingveew.last-desk.org" or url like "treadingveew.last-desk.org" or
    domainname like "Dactarhome.com" or siteurl like "Dactarhome.com" or url like "Dactarhome.com" or
    domainname like "tradingview.connect-app.us.com" or siteurl like "tradingview.connect-app.us.com" or url like "tradingview.connect-app.us.com" or
    domainname like "techinnovhub.co.za" or siteurl like "techinnovhub.co.za" or url like "techinnovhub.co.za" or
    domainname like "Cryptoinfo-news.com" or siteurl like "Cryptoinfo-news.com" or url like "Cryptoinfo-news.com" or
    domainname like "Greenpropertycert.com" or siteurl like "Greenpropertycert.com" or url like "Greenpropertycert.com" or
    domainname like "Odyssey-st.com" or siteurl like "Odyssey-st.com" or url like "Odyssey-st.com" or
    domainname like "teamsonsoft.com" or siteurl like "teamsonsoft.com" or url like "teamsonsoft.com" or
    domainname like "Macosapp-apple.com" or siteurl like "Macosapp-apple.com" or url like "Macosapp-apple.com" or
    domainname like "Cryptoinfnews.com" or siteurl like "Cryptoinfnews.com" or url like "Cryptoinfnews.com" or
    domainname like "Emailreddit.com" or siteurl like "Emailreddit.com" or url like "Emailreddit.com" or
    domainname like "ttxttx.com" or siteurl like "ttxttx.com" or url like "ttxttx.com" or
    domainname like "favorite-hotels.com" or siteurl like "favorite-hotels.com" or url like "favorite-hotels.com" or
    domainname like "watchlist-verizon.com" or siteurl like "watchlist-verizon.com" or url like "watchlist-verizon.com" or
    domainname like "asmicareer.com" or siteurl like "asmicareer.com" or url like "asmicareer.com" or
    domainname like "crm.jskymedia.com" or siteurl like "crm.jskymedia.com" or url like "crm.jskymedia.com" or
    domainname like "fudgeshop.com.au" or siteurl like "fudgeshop.com.au" or url like "fudgeshop.com.au"

    Detection Query 2:

    dstipaddress IN ("45.146.130.129","45.135.232.33","83.222.190.214","194.26.29.217","88.214.50.3","45.146.130.132","45.146.130.131","185.93.89.62") or srcipaddress IN ("45.146.130.129","45.135.232.33","83.222.190.214","194.26.29.217","88.214.50.3","45.146.130.132","45.146.130.131","185.93.89.62")

    Detection Query 3:

    sha256hash IN ("82b73222629ce27531f57bae6800831a169dff71849e1d7e790d9bd9eb6e9ee7","d375bb10adfd1057469682887ed0bc24b7414b7cec361031e0f8016049a143f9","00c953a678c1aa115dbe344af18c2704e23b11e6c6968c46127dd3433ea73bf2","fe8b1b5b0ca9e7a95b33d3fcced833c1852c5a16662f71ddea41a97181532b14","6e4119fe4c8cf837dac27e2948ce74dc7af3b9d4e1e4b28d22c4cf039e18b993","7765e5e0a7622ff69bd2cee0a75f2aae05643179b4dd333d0e75f98a42894065","d81cc9380673cb36a30f2a84ef155b0cbc7958daa6870096e455044fba5f9ee8","ead6b1f0add059261ac56e9453131184bc0ae2869f983b6a41a1abb167edf151","9c5920fa25239c0f116ce7818949ddce5fd2f31531786371541ccb4886c5aeb2","2b74674587a65cfc9c2c47865ca8128b4f7e47142bd4f53ed6f3cb5cf37f7a6b","039f82e92c592f8c39b9314eac1b2d4475209a240a7ad052b730f9ba0849a54a","397ee604eb5e20905605c9418838aadccbbbfe6a15fc9146442333cfc1516273","7a8250904e6f079e1a952b87e55dc87e467cc560a2694a142f2d6547ac40d5e1","8ed8880f40a114f58425e0a806b7d35d96aa18b2be83dede63eff0644fd7937d","d110059f5534360e58ff5f420851eb527c556badb8e5db87ddf52a42c1f1fe76","cd78a77d40682311fd30d74462fb3e614cbc4ea79c3c0894ba856a01557fd7c0","ba5305e944d84874bde603bf38008675503244dc09071d19c8c22ded9d4f6db4","966108cf5f3e503672d90bca3df609f603bb023f1c51c14d06cc99d2ce40790c","081921671d15071723cfe979633a759a36d1d15411f0a6172719b521458a987d","9090385242509a344efd734710e60a8f73719130176c726e58d32687b22067c8","7881a60ee0ad02130f447822d89e09352b084f596ec43ead78b51e331175450f","816bf9ef902251e7de73d57c4bf19a4de00311414a3e317472074ef05ab3d565","72633ddb45bfff1abeba3fc215077ba010ae233f8d0ceff88f7ac29c1c594ada","029a5405bbb6e065c8422ecc0dea42bb2689781d03ef524d9374365ebb0542f9","f2a068164ed7b173f17abe52ad95c53bccf3bb9966d75027d1e8960f7e0d43ac","3aee8ad1a30d09d7e40748fa36cd9f9429e698c28e2a1c3bcf88a062155eee8c")
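    The three queries above check the same indicator types (domains in URL fields, IPs in either address field, SHA-256 hashes) against telemetry. The following Python is an added example, not Gurucul's or Unit 42's code, that applies the same three checks to log lines outside the TDIR platform: it normalizes hosts and hashes to lower case (several domains in the advisory are listed with capital letters, which a case-sensitive "like" would miss), matches a host only when it equals or sits under an IOC domain rather than on a substring, and compares IPs as parsed addresses. The "key=value" log format and the sample events are constructed for this example; the field names come from the queries above and the indicators are a subset of the advisory's IOC list.

```python
import ipaddress
from urllib.parse import urlparse

# Subset of the advisory's domain IOCs, lower-cased so matching is case-insensitive.
IOC_DOMAINS = {d.lower() for d in (
    "Odyssey1.to", "Odyssey-st.com", "sdojifsfiudgigfiv.to", "Charge0x.at",
    "speedtestcheck.org", "claudflurer.com", "cloudlare-lndex.com", "apposx.com",
    "Macosapp-apple.com", "tradingview.connect-app.us.com",
    "treadingveew.last-desk.org", "crm.jskymedia.com", "Sifld.rajeshmhegde.com",
    "365-drive.com",
)}
# All eight IP IOCs from the advisory, parsed once so odd formatting cannot slip past.
IOC_IPS = {ipaddress.ip_address(a) for a in (
    "45.146.130.129", "45.135.232.33", "83.222.190.214", "194.26.29.217",
    "88.214.50.3", "45.146.130.132", "45.146.130.131", "185.93.89.62",
)}
# Subset of the advisory's SHA-256 IOCs.
IOC_SHA256 = {
    "397ee604eb5e20905605c9418838aadccbbbfe6a15fc9146442333cfc1516273",
    "7a8250904e6f079e1a952b87e55dc87e467cc560a2694a142f2d6547ac40d5e1",
    "ead6b1f0add059261ac56e9453131184bc0ae2869f983b6a41a1abb167edf151",
}


def normalize_host(value):
    """Reduce a URL or bare hostname (optionally with port) to a lower-case host."""
    value = value.strip()
    if "://" not in value:
        value = "//" + value          # let urlparse treat a bare host as the netloc
    host = urlparse(value).hostname or ""   # .hostname is already lower-cased
    return host.rstrip(".")           # drop a trailing FQDN dot


def match_domain(value):
    """Return the IOC domain that the host equals or is a subdomain of, else None."""
    labels = normalize_host(value).split(".")
    for i in range(len(labels)):      # walk the suffixes: a.b.c, b.c, c
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def match_ip(value):
    """Return the IOC IP as a canonical string if the value is one, else None."""
    try:
        addr = ipaddress.ip_address(value.strip())
    except ValueError:
        return None
    return str(addr) if addr in IOC_IPS else None


def match_hash(value):
    """Return the IOC hash (lower-case) if the value is one, else None."""
    digest = value.strip().lower()
    return digest if digest in IOC_SHA256 else None


# Field names as used in the detection queries above, each with its matcher.
FIELD_MATCHERS = {
    "domainname": match_domain, "siteurl": match_domain, "url": match_domain,
    "dstipaddress": match_ip, "srcipaddress": match_ip,
    "sha256hash": match_hash,
}


def parse_kv(line):
    """Parse a constructed 'key=value key=value' log line into a dict."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, val = token.split("=", 1)
            fields[key.lower()] = val
    return fields


def scan(lines):
    """Return (line_no, field, indicator) for every IOC hit in the given log lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        for field, value in parse_kv(line).items():
            matcher = FIELD_MATCHERS.get(field)
            if matcher is None:
                continue
            ioc = matcher(value)
            if ioc:
                hits.append((n, field, ioc))
    return hits


# Constructed sample events (not real telemetry): mixed-case host, trailing dot,
# upper-case hash, and a look-alike host that must NOT match.
SAMPLE_LOGS = [
    "ts=2025-10-09T10:00:01Z user=alice url=https://ODYSSEY1.to/verify?step=1 dstipaddress=45.146.130.129",
    "ts=2025-10-09T10:00:05Z user=bob url=https://www.example.com/ dstipaddress=203.0.113.7",
    "ts=2025-10-09T10:01:12Z user=carol domainname=cdn.cloudlare-lndex.com. srcipaddress=10.0.0.5",
    "ts=2025-10-09T10:02:30Z host=ws-17 sha256hash=7A8250904E6F079E1A952B87E55DC87E467CC560A2694A142F2D6547AC40D5E1",
    "ts=2025-10-09T10:03:00Z user=dave url=https://notapposx.com/ dstipaddress=192.0.2.10",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print("line %d: %s matched IOC %s" % hit)
```

    Running the block reports four hits: the mixed-case Odyssey1.to URL and its destination IP on line 1, the cloudlare-lndex.com subdomain on line 3, and the upper-case hash on line 4. The look-alike host on line 5 is not flagged, because suffix-label matching is used instead of a substring test; if the query language's "like" behaves as a substring match, the TDIR queries above will be broader than this script, which is acceptable for hunting but worth knowing when triaging hits.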

    Reference:

    https://unit42.paloaltonetworks.com/clickfix-generator-first-of-its-kind/


    Tags

    Malware, Phishing, Social Engineering, ClickFix, IUAM, Clipboard injection, DeerStealer
