Fake Google and Cloudflare verification pages spread multiple malware families
ID: cfd40556-5a5d-5843-8c79-4baaa2907429
STIX ID: report--cfd40556-5a5d-5843-8c79-4baaa2907429
Feed Name: Security Boulevard
This report details active ClickFix campaigns that use fake Google and Cloudflare verification pages to convince users to paste PowerShell/zsh commands which download loaders (ResiLoader, Deno loader) and multiple malware families (StealC, HijackLoader, Remus, Amatera, CastleLoader, NetSupport, a Rust stealer). It analyzes delivery via Cloudflare Pages and R2 buckets, DLL hijacking and process-hollowing techniques, UAC bypass and AV/EDR termination, and provides a comprehensive set of IOCs (file hashes, domains, buckets, and IPs) and mitigation advice.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
