logo

Fake Google and Cloudflare Verification Pages Spread Multiple Malware Families

ID: 88f8477d-fe04-55b4-9367-2d90943cd1f3

STIX ID: report--88f8477d-fe04-55b4-9367-2d90943cd1f3

Feed Name: Cyber Press

Threat Score
72/100

Date Published: 2026-07-03

Date Updated: 2026-07-03

Author: Lucas Martin

...
...

ClickFix is a large-scale social-engineering campaign that leverages fake Google/Cloudflare verification pages, QR-code lures, and other trusted-brand impostors to coerce victims into running malicious PowerShell commands; successful infections deploy a variety of loaders and infostealers (including ResiLoader, StealC, Remus, Amatera Stealer, CastleLoader, NetSupport, and a Rust-based stealer). The report documents delivery mechanisms (Cloudflare R2 buckets), infrastructure ties (Dedik Services ASN), persistence and evasion techniques (DLL hijacking, AV/EDR termination, UAC bypass via ICMLuaUtil), and provides IoCs (MD5 hashes, domains, R2 bucket, IP), while recommending user caution, behavioral detections, and web filtering.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.