EXECUTIVE SUMMARY
Threat actors behind the recent ClickFix campaign have crafted counterfeit Google and Cloudflare verification pages to lure victims into executing malicious commands. The operation blends social‐engineering with self‐delivered PowerShell payloads, targeting users across corporate and consumer environments worldwide. By masquerading as legitimate security checks, the attackers aim to harvest credentials, install remote‐access tools, and drop additional payloads that can exfiltrate sensitive data or hold systems for ransom. The campaign's focus on high‐visibility services increases the likelihood of user interaction, amplifying its impact across multiple sectors.[/subscribe_to_unlock_form]
EXECUTIVE SUMMARY
Threat actors behind the recent ClickFix campaign have crafted counterfeit Google and Cloudflare verification pages to lure victims into executing malicious commands. The operation blends social‐engineering with self‐delivered PowerShell payloads, targeting users across corporate and consumer environments worldwide. By masquerading as legitimate security checks, the attackers aim to harvest credentials, install remote‐access tools, and drop additional payloads that can exfiltrate sensitive data or hold systems for ransom. The campaign's focus on high‐visibility services increases the likelihood of user interaction, amplifying its impact across multiple sectors.[emaillocker id="1283"]
Once a victim copies the displayed PowerShell command and runs it, the script contacts a remote Cloudflare bucket or IP address to retrieve a loader such as ResiLoader. The loader first disables security products, then writes additional modules into a hidden folder under ProgramData. Persistence is achieved through registry run keys and scheduled tasks, while the subsequent stealer component extracts passwords, browser cookies, and cryptocurrency wallets. Lateral movement may follow via DLL hijacking, and the compromised host periodically beacon back to command‐and‐control servers for further instructions.
The threat is significant because it bypasses traditional perimeter defenses by relying on user‐initiated execution, making detection by antivirus products difficult. Its use of legitimate scripting tools and cloud infrastructure hampers forensic attribution and prolongs recovery. Organizations should enforce strict execution policies for PowerShell, employ application allow‐listing, and monitor outbound traffic to uncommon cloud endpoints. Regular user awareness training, coupled with robust backup routines and timely patching of endpoint protection suites, reduces the chance of successful infection and limits the damage if a breach occurs.
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Defense Evasion | T1562.001 | Impair Defenses | Disable or Modify Tools |
| Defense Evasion | T1574.001 | Hijack Execution Flow | DLL Search Order Hijacking |
| Privilege Escalation | T1055.012 | Process Injection | Process Hollowing |
| Defense Evasion | T1027.004 | Obfuscated Files or Information | Compile After Delivery |
| Command and Control | T1105 | Ingress Tool Transfer | — |
REFERENCES:
reports contain further technical details:
https://www.malwarebytes.com/blog/threat-intel/2026/07/fake-google-and-cloudflare-verification-pages-spread-multiple-malware-families