Fake Google and Cloudflare Verification Pages Spread Multiple Malware Families
ID: 88f8477d-fe04-55b4-9367-2d90943cd1f3
STIX ID: report--88f8477d-fe04-55b4-9367-2d90943cd1f3
Feed Name: Cyber Press
ClickFix is a large-scale social-engineering campaign that leverages fake Google/Cloudflare verification pages, QR-code lures, and other trusted-brand impostors to coerce victims into running malicious PowerShell commands; successful infections deploy a variety of loaders and infostealers (including ResiLoader, StealC, Remus, Amatera Stealer, CastleLoader, NetSupport, and a Rust-based stealer). The report documents delivery mechanisms (Cloudflare R2 buckets), infrastructure ties (Dedik Services ASN), persistence and evasion techniques (DLL hijacking, AV/EDR termination, UAC bypass via ICMLuaUtil), and provides IoCs (MD5 hashes, domains, R2 bucket, IP), while recommending user caution, behavioral detections, and web filtering.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
