Executive Summary
In 2024, Unit 42 researchers exposed the ClickFix Factory, a novel phishing kit generator that dramatically lowers the technical bar for aspiring cybercriminals. ClickFix enables users to design sophisticated phishing campaigns targeting identity verification and anti-abuse modules (IUAM) without deep coding knowledge. By offering user-friendly templates and built-in automation, ClickFix streamlines social engineering attacks and amplifies their reach, resulting in a spike of high-volume, lower-skill phishing campaigns observed targeting enterprises and individuals globally.
The release of ClickFix reflects an ongoing trend toward the commoditization of cybercrime tooling, making advanced techniques readily accessible to broader groups of threat actors. Security teams face new urgency to adapt detection, awareness, and prevention strategies as phishing kit marketplaces accelerate both the scale and success rate of social engineering attacks.
Why This Matters Now
ClickFix represents a significant escalation in the democratization of social engineering threats, enabling virtually anyone to launch sophisticated phishing attacks. The urgency is heightened as even low-skilled actors now possess tools that undermine enterprise security controls, increasing the risk of data breaches and regulatory violations.
Attack Path Analysis
The attack began with the deployment of a ClickFix phishing kit, enabling mass social engineering campaigns that tricked victims into revealing credentials. Following credential theft, attackers leveraged compromised accounts to escalate privileges within cloud environments. Using these privileges, the threat actor sought to move laterally, attempting to access internal resources and workloads. The compromised infrastructure then established command and control via outbound connections, facilitating remote access and further instructions. Sensitive data was exfiltrated through egress paths to attacker-controlled endpoints. The campaign's final impact could include data theft, further fraud, or deployment of additional malware, causing operational and reputational damage.
Kill Chain Progression
Initial Compromise
Description
Attackers distributed phishing links generated by the ClickFix kit, leading users to submit valid cloud credentials to attacker-controlled sites.
MITRE ATT&CK® Techniques
Phishing
Phishing for Information
Input Capture: Keylogging
Brute Force
Valid Accounts
User Execution: Malicious Link
Modify Authentication Process
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Assign user IDs and manage user authentication securely
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Program
Control ID: 500.02
DORA – ICT Risk Management Framework
Control ID: Article 9
CISA ZTMM 2.0 – Phishing-resistant Authentication
Control ID: Identity and Access Management (IDAM)-Maturity Level 2
NIS2 Directive – Policies for assessment of effectiveness of cybersecurity risk management
Control ID: Article 21(2)d
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
ClickFix phishing kits targeting financial institutions exploit social engineering vulnerabilities, requiring enhanced egress security and threat detection capabilities for compliance protection.
Health Care / Life Sciences
Commoditized ClickFix generators enable inexperienced attackers to breach healthcare systems, necessitating zero trust segmentation and encrypted traffic controls for HIPAA compliance.
Government Administration
Social engineering through ClickFix factories poses critical risks to government networks, demanding multicloud visibility and anomaly detection for national security infrastructure.
Education Management
Educational institutions face increased ClickFix phishing threats from lowered attack barriers, requiring comprehensive threat detection and policy enforcement across hybrid environments.
Sources
- The ClickFix Factory: First Exposure of IUAM ClickFix Generator – https://unit42.paloaltonetworks.com/clickfix-generator-first-of-its-kind/
- 2025 Unit 42 Global Incident Response Report: Social Engineering Edition – https://unit42.paloaltonetworks.com/2025-unit-42-global-incident-response-report-social-engineering-edition/
- MITRE ATT&CKcon 6.0 – https://attack.mitre.org/resources/attackcon/october-2025/
- Technical Trends in Phishing Attacks – https://www.cisa.gov/sites/default/files/publications/phishing_trends0511.pdf
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, east-west traffic controls, anomaly detection, and egress policy enforcement would have hindered the attacker's ability to move within the cloud, establish command and control, and exfiltrate data. CNSF, with capabilities such as microsegmentation, encrypted traffic, and threat detection, can greatly reduce the attack surface and stop or detect malicious behavior at every stage.
Control: Threat Detection & Anomaly Response
Mitigation: Detects anomalous login attempts and credential misuse.
Control: Zero Trust Segmentation
Mitigation: Prevents unauthorized privilege elevation by enforcing identity-based least privilege policies.
Control: East-West Traffic Security
Mitigation: Blocks or tightly monitors lateral movement between workloads and zones.
Control: Egress Security & Policy Enforcement
Mitigation: Prevents unauthorized outbound C2 communication.
Control: Egress Security & Policy Enforcement
Mitigation: Detects or blocks exfiltration attempts.
Enables rapid detection, containment, and recovery from attacks.
Impact at a Glance
Affected Business Functions
- Customer Support
- Sales
- IT Services
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of customer credentials and sensitive internal documents due to credential harvesting malware deployed through ClickFix campaigns.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to enforce least-privilege, identity-based access across all cloud workloads.
- Deploy east-west traffic controls to detect and block unauthorized lateral movement between cloud services and regions.
- Enforce rigorous egress security policies to prevent data exfiltration and command and control communications.
- Continuously monitor for anomalous access patterns and credential use with integrated threat detection capabilities.
- Centralize visibility and real-time policy enforcement across hybrid and multicloud environments to rapidly respond to emerging threats.