Threat Advisory

Avoid Fake Google Verification Pages to Prevent Malware

Threat: Malicious Campaign
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High
[subscribe_to_unlock_form]

EXECUTIVE SUMMARY

Threat actors behind the recent ClickFix campaign have crafted counterfeit Google and Cloudflare verification pages to lure victims into executing malicious commands. The operation blends social‐engineering with self‐delivered PowerShell payloads, targeting users across corporate and consumer environments worldwide. By masquerading as legitimate security checks, the attackers aim to harvest credentials, install remote‐access tools, and drop additional payloads that can exfiltrate sensitive data or hold systems for ransom. The campaign's focus on high‐visibility services increases the likelihood of user interaction, amplifying its impact across multiple sectors.[/subscribe_to_unlock_form]

EXECUTIVE SUMMARY

Threat actors behind the recent ClickFix campaign have crafted counterfeit Google and Cloudflare verification pages to lure victims into executing malicious commands. The operation blends social‐engineering with self‐delivered PowerShell payloads, targeting users across corporate and consumer environments worldwide. By masquerading as legitimate security checks, the attackers aim to harvest credentials, install remote‐access tools, and drop additional payloads that can exfiltrate sensitive data or hold systems for ransom. The campaign's focus on high‐visibility services increases the likelihood of user interaction, amplifying its impact across multiple sectors.[emaillocker id="1283"]

Once a victim copies the displayed PowerShell command and runs it, the script contacts a remote Cloudflare bucket or IP address to retrieve a loader such as ResiLoader. The loader first disables security products, then writes additional modules into a hidden folder under ProgramData. Persistence is achieved through registry run keys and scheduled tasks, while the subsequent stealer component extracts passwords, browser cookies, and cryptocurrency wallets. Lateral movement may follow via DLL hijacking, and the compromised host periodically beacon back to command‐and‐control servers for further instructions.

The threat is significant because it bypasses traditional perimeter defenses by relying on user‐initiated execution, making detection by antivirus products difficult. Its use of legitimate scripting tools and cloud infrastructure hampers forensic attribution and prolongs recovery. Organizations should enforce strict execution policies for PowerShell, employ application allow‐listing, and monitor outbound traffic to uncommon cloud endpoints. Regular user awareness training, coupled with robust backup routines and timely patching of endpoint protection suites, reduces the chance of successful infection and limits the damage if a breach occurs.

THREAT PROFILE:

Tactic Technique ID Technique Sub-technique
Execution T1059.001 Command and Scripting Interpreter PowerShell
Persistence T1547.001 Boot or Logon Autostart Execution Registry Run Keys / Startup Folder
Defense Evasion T1562.001 Impair Defenses Disable or Modify Tools
Defense Evasion T1574.001 Hijack Execution Flow DLL Search Order Hijacking
Privilege Escalation T1055.012 Process Injection Process Hollowing
Defense Evasion T1027.004 Obfuscated Files or Information Compile After Delivery
Command and Control T1105 Ingress Tool Transfer

REFERENCES:

reports contain further technical details:
https://www.malwarebytes.com/blog/threat-intel/2026/07/fake-google-and-cloudflare-verification-pages-spread-multiple-malware-families

[/emaillocker]
crossmenu