Fake Google and Cloudflare verification pages spread multiple malware families
ID: 5d7bc0a9-da70-5a85-9b18-a982c97e189a
STIX ID: report--5d7bc0a9-da70-5a85-9b18-a982c97e189a
Feed Name: Malwarebytes Blog
Executive Summary: This report describes an active ClickFix campaign that uses fake Google/Cloudflare verification pages and other lures to trick users into pasting and executing PowerShell/zsh commands; those commands download loaders and a variety of malware (StealC, Remus, Amatera, Rust Stealer, NetSupport, CastleLoader, etc.). The analysis highlights technical details including obfuscated HTML lures, Cloudflare R2 buckets and IP-based payload hosting, PowerShell downloaders that write to C:\ProgramData\Zooms, trojanized Electron apps delivering a .NET NativeAOT loader named ResiLoader (which disables security, drops a driver, performs UAC bypass and process hollowing), and provides IOCs (hashes, domains, buckets, IPs) to support detection and response.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
