ClickFix Scams Exploit Google and Cloudflare to Distribute 7 Malware Families

www.news4hackers.com-clickfix-scams-exploit-google-and-cloudflare-to-distribute-7-malware-families-clickfix-scams-exploit-google-and-cloudflare-to-distribute-7-malware-families

Malicious Campaigns Exploit Google and Cloudflare Verification Pages to Distribute Seven Malware Variants

Introduction

A cybersecurity research team identified multiple campaigns active since late 2025 that leverage deceptive verification interfaces mimicking Google and Cloudflare services to deploy malware. These operations employ social engineering tactics to coerce users into executing malicious commands, resulting in infections by seven distinct malware families.

Tactics Used

The campaigns utilize fabricated verification screens resembling Google reCAPTCHA prompts, Cloudflare-style authentication checks, and alerts about unauthorized Google account activity. Attackers also deploy Google Meet-related lures, such as fake notifications requiring users to address an audio driver issue. A variant involves counterfeit QR code services that direct victims to follow technical instructions, ultimately triggering malicious code execution via PowerShell or command-line tools.

Technical Analysis

Technical analysis revealed shared infrastructure across these attacks, including PowerShell scripts with standardized structures, later-stage files stored in C:\\ProgramData\\Zooms, and payloads hosted in Cloudflare R2 storage buckets. Several campaigns utilized IP addresses linked to Dedik Services Limited, while some HTML responses contained the string \” hehe.\” However, these indicators were not consistently present, and the delivery mechanisms evolved over time.

Distribution Methods

Payloads were distributed through repurchased expired domains, compromised websites, and Cloudflare Pages. The IClickFix framework was employed to display malicious commands, and attackers exploited legitimate platforms like Deno, a JavaScript/TypeScript runtime, to deploy PowerShell-based infostealers. In one instance, a modified version of the open-source messaging app Franz was used to deliver a trojanized component.

Specific Payloads

The malicious payload, named ResiLoader, leveraged a vulnerable OPSWAT AppRemover driver to terminate over 140 security-related processes. It also attempted a User Account Control (UAC) bypass, established persistence under the Google Update directory, and used process hollowing to execute StealC within the ServiceModelReg.exe process. StealC is designed to extract sensitive data from browsers, cryptocurrency wallets, messaging apps, and gaming platforms.

Impact and Reporting

Microsoft classifies it as a malware-as-a-service tool, enabling cybercriminals to customize payloads and manage stolen information. Attackers capitalized on the legitimacy of verification processes to disguise malicious activity, prompting users to manually initiate infections. Microsoft reported that these tactics affected thousands of devices monthly in early 2025, including systems protected by endpoint detection and response solutions.

Security experts emphasize that no legitimate Google or Cloudflare verification page requires users to run commands in PowerShell, Command Prompt, or terminal applications. Any website instructing users to execute such actions should be treated as malicious.

Microsoft reported that these tactics affected thousands of devices monthly in early 2025, including systems protected by endpoint detection and response solutions.

Security Recommendations

The campaigns highlight the evolving sophistication of threat actors in exploiting trusted services to bypass security measures. Organizations are advised to monitor for unusual command-line activity, validate the authenticity of verification prompts, and implement strict controls over unauthorized software execution.



About Author

en_USEnglish