logo

Fake Google and Cloudflare verification pages spread multiple malware families

ID: 5d7bc0a9-da70-5a85-9b18-a982c97e189a

STIX ID: report--5d7bc0a9-da70-5a85-9b18-a982c97e189a

Feed Name: Malwarebytes Blog

Threat Score
75/100

Date Published: 2026-07-02

Date Updated: 2026-07-02

...
...

Executive Summary: This report describes an active ClickFix campaign that uses fake Google/Cloudflare verification pages and other lures to trick users into pasting and executing PowerShell/zsh commands; those commands download loaders and a variety of malware (StealC, Remus, Amatera, Rust Stealer, NetSupport, CastleLoader, etc.). The analysis highlights technical details including obfuscated HTML lures, Cloudflare R2 buckets and IP-based payload hosting, PowerShell downloaders that write to C:\ProgramData\Zooms, trojanized Electron apps delivering a .NET NativeAOT loader named ResiLoader (which disables security, drops a driver, performs UAC bypass and process hollowing), and provides IOCs (hashes, domains, buckets, IPs) to support detection and response.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.