ClickFix Scam Abuses Google, Cloudflare Checks to Deliver 7 Malware Families

ClickFix Scams Abuse Google, Cloudflare Checks to Deliver 7 Malware Families

Malwarebytes links fake Google and Cloudflare verification pages to shared ClickFix infrastructure delivering StealC, NetSupport and other malware.

Listen to this article

0:00

Press play to start listening

A page asking you to prove you are human can be the first step in a malware infection. Malwarebytes says multiple campaigns active since at least late 2025 have used fake Google and Cloudflare verification screens to trick visitors into copying and running malicious commands on their own computers.

These commands infect victims’ devices with multiple malware families, including:

According to the Malwarebytes report, these campaigns follow multiple ways of targeting victims such as showing fake Google reCAPTCHA pages, Cloudflare-style verification checks, warnings about unauthorized Google logins, and Google Meet prompts claiming an audio driver needed fixing.

ClickFix Scam Abuses Google, Cloudflare Checks to Deliver 7 Malware Families
Google Meet ClickFix lure (Image credit: Malwarebytes)

Researchers also found a fake QR code service using the same tactic with a goal to convince the victim to follow technical instructions that ended with malicious code running through PowerShell or another command-line tool.

Malwarebytes linked these campaigns by spotting several recurring patterns. Many of the PowerShell commands followed a similar structure; later-stage files were often unpacked into C:\ProgramData\Zooms, payloads were frequently hosted in Cloudflare R2 buckets, and several IP addresses were hosted by Dedik Services Limited. Some HTML responses contained only the word “hehe.”

However, those indicators did not appear in every campaign, and the delivery setup changed over time. Some payloads came from direct IP addresses, while other pages used the IClickFix framework to display the command users were tricked into running. The campaigns were hosted across repurchased expired domains, Cloudflare Pages sites, compromised websites, and fake online services.

Although the delivery methods varied, Malwarebytes found the same infrastructure being reused for very different payloads and infection chains. In one case, attackers abused Deno, a legitimate runtime for JavaScript and TypeScript, to load a PowerShell-based infostealer. The finding shows how the operators could change what was delivered without abandoning the ClickFix setup behind the campaigns.

In one campaign, the attack went a step further with a trojanized version of Franz, the open-source messaging app. The modified application contacted an attacker-controlled server and downloaded files used for DLL hijacking. Malwarebytes named the next-stage loader “ResiLoader” after discovering the string “resiloader 1” in one of the campaign files.

Once active, ResiLoader used a vulnerable OPSWAT AppRemover driver to terminate more than 140 processes associated with antivirus and endpoint detection products. The .NET NativeAOT loader also attempted a UAC bypass, added persistence under a folder named Google Update, and used process hollowing to run StealC inside ServiceModelReg.exe.

StealC is capable of harvesting sensitive data from web browsers, cryptocurrency wallets, messaging apps, email clients, and gaming platforms. Microsoft describes it as a malware-as-a-service offering that enables cybercriminals to build customized payloads and manage stolen data.

The technique has been particularly effective because it disguises the attack as a routine security check and tricks users into launching the infection themselves. Microsoft reported that its researchers observed ClickFix attacks affecting thousands of devices each month in early 2025, including systems protected by endpoint detection and response software.

ClickFix Scam Abuses Google, Cloudflare Checks to Deliver 7 Malware Families

As a general rule, any website that instructs you to open PowerShell, Command Prompt, Windows Run, or a terminal and paste a command should be considered malicious. Legitimate Google or Cloudflare verification pages never require users to perform those steps.

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cybersecurity and tech world. I am also into gaming, reading and investigative journalism.
Leave a Reply

Your email address will not be published. Required fields are marked *

Related Posts