ClickFix Scams Abuse Google, Cloudflare Checks to Deliver 7 Malware Families
ClickFix scams use fake Google/Cloudflare checks to deliver 7 malware families.
Summary
Malwarebytes has identified ongoing campaigns since late 2025 that leverage fake Google and Cloudflare verification pages to trick users into executing malicious commands. These commands install multiple malware families, including StealC, Remus, and NetSupport, by abusing legitimate services and infrastructure like Cloudflare R2 buckets and repurchased domains.
Full text
Security Malware Scams and FraudClickFix Scams Abuse Google, Cloudflare Checks to Deliver 7 Malware Families Malwarebytes links fake Google and Cloudflare verification pages to shared ClickFix infrastructure delivering StealC, NetSupport and other malware. byWaqasJuly 6, 20263 minute read Listen to this article 0:00 — ← 10s ▶ Play 10s → Speed 0.75× 1× 1.25× 1.5× 2× Voice Loading voices… Press play to start listening A page asking you to prove you are human can be the first step in a malware infection. Malwarebytes says multiple campaigns active since at least late 2025 have used fake Google and Cloudflare verification screens to trick visitors into copying and running malicious commands on their own computers. These commands infect victims’ devices with multiple malware families, including: StealC Remus NetSupport HijackLoader CastleLoader Amatera Stealer An unknown Rust-based infostealer. According to the Malwarebytes report, these campaigns follow multiple ways of targeting victims such as showing fake Google reCAPTCHA pages, Cloudflare-style verification checks, warnings about unauthorized Google logins, and Google Meet prompts claiming an audio driver needed fixing. Google Meet ClickFix lure (Image credit: Malwarebytes) Researchers also found a fake QR code service using the same tactic with a goal to convince the victim to follow technical instructions that ended with malicious code running through PowerShell or another command-line tool. Malwarebytes linked these campaigns by spotting several recurring patterns. Many of the PowerShell commands followed a similar structure; later-stage files were often unpacked into C:\ProgramData\Zooms, payloads were frequently hosted in Cloudflare R2 buckets, and several IP addresses were hosted by Dedik Services Limited. Some HTML responses contained only the word “hehe.” However, those indicators did not appear in every campaign, and the delivery setup changed over time. Some payloads came from direct IP addresses, while other pages used the IClickFix framework to display the command users were tricked into running. The campaigns were hosted across repurchased expired domains, Cloudflare Pages sites, compromised websites, and fake online services. Although the delivery methods varied, Malwarebytes found the same infrastructure being reused for very different payloads and infection chains. In one case, attackers abused Deno, a legitimate runtime for JavaScript and TypeScript, to load a PowerShell-based infostealer. The finding shows how the operators could change what was delivered without abandoning the ClickFix setup behind the campaigns. In one campaign, the attack went a step further with a trojanized version of Franz, the open-source messaging app. The modified application contacted an attacker-controlled server and downloaded files used for DLL hijacking. Malwarebytes named the next-stage loader “ResiLoader” after discovering the string “resiloader 1” in one of the campaign files. Once active, ResiLoader used a vulnerable OPSWAT AppRemover driver to terminate more than 140 processes associated with antivirus and endpoint detection products. The .NET NativeAOT loader also attempted a UAC bypass, added persistence under a folder named Google Update, and used process hollowing to run StealC inside ServiceModelReg.exe. StealC is capable of harvesting sensitive data from web browsers, cryptocurrency wallets, messaging apps, email clients, and gaming platforms. Microsoft describes it as a malware-as-a-service offering that enables cybercriminals to build customized payloads and manage stolen data. The technique has been particularly effective because it disguises the attack as a routine security check and tricks users into launching the infection themselves. Microsoft reported that its researchers observed ClickFix attacks affecting thousands of devices each month in early 2025, including systems protected by endpoint detection and response software. As a general rule, any website that instructs you to open PowerShell, Command Prompt, Windows Run, or a terminal and paste a command should be considered malicious. Legitimate Google or Cloudflare verification pages never require users to perform those steps. Waqas I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cybersecurity and tech world. I am also into gaming, reading and investigative journalism. View Posts ClickFixCloudFlareCyber AttackCybersecurityGoogleMalware Leave a Reply Cancel reply View Comments (0) Related Posts Security Phishing Scam New Unicode QR Code Phishing Scam Bypasses Traditional Security Cybercriminals are exploiting Unicode QR codes in a new wave of phishing attacks. This sophisticated technique bypasses traditional… byDeeba Ahmed Security You are not alone; YouTube is down for everyone (Updated) If you are wondering what’s happening with YouTube then you are not alone, the video-sharing website is… byCarolina Security Anonymously Access Wi-Fi Located Up To 2.5 Miles Away Using This Device In this era of government surveillance, remaining anonymous has become next to impossible for every Internet user. There… byFarzan Hussain Hacking News Security Bitfinex Exchange Hacked; $70 Million Worth of Bitcoin Stolen Bitfinex Bitcoin Exchange has suffered a massive data breach where $70 Million worth of Bitcoin have been stolen!… byAgan Uzunovic
Indicators of Compromise
- malware — StealC
- malware — Remus
- malware — NetSupport
- malware — HijackLoader
- malware — CastleLoader
- malware — Amatera Stealer
- malware — ResiLoader