logo

Fake Google and Cloudflare verification pages spread multiple malware families

ID: cfd40556-5a5d-5843-8c79-4baaa2907429

STIX ID: report--cfd40556-5a5d-5843-8c79-4baaa2907429

Feed Name: Security Boulevard

Threat Score
75/100

Date Published: 2026-07-02

Date Updated: 2026-07-02

Author: Malwarebytes

...
...

This report details active ClickFix campaigns that use fake Google and Cloudflare verification pages to convince users to paste PowerShell/zsh commands which download loaders (ResiLoader, Deno loader) and multiple malware families (StealC, HijackLoader, Remus, Amatera, CastleLoader, NetSupport, a Rust stealer). It analyzes delivery via Cloudflare Pages and R2 buckets, DLL hijacking and process-hollowing techniques, UAC bypass and AV/EDR termination, and provides a comprehensive set of IOCs (file hashes, domains, buckets, and IPs) and mitigation advice.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.