Fake Google and Cloudflare Verification Pages Spread Multiple Malware Families

Source: Malwarebytes
Date Published: July 2, 2026

ClickFix attacks, which trick people into running malicious commands themselves, continue to evolve. This latest campaign uses fake Google and Cloudflare verification pages to convince victims to infect their own devices. A single mistake can install malware that steals passwords and other sensitive data, gives attackers remote access to your computer, or downloads additional malware that can take full control of your system.

We uncovered multiple campaigns using the same infrastructure to deliver malware including HijackLoader, StealC, Remus, Amatera Stealer, CastleLoader, NetSupport, and a Rust-based stealer. In one infection chain, a trojanized version of the legitimate Franz messaging app downloads a previously undocumented loader dubbed ResiLoader, which disables security software before deploying the StealC infostealer.

The campaigns analyzed in this research have been active since at least late 2025 and use a variety of fake Google and Cloudflare pages to deliver malware. Although the lures differ, they share much of the same infrastructure and infection chain, with the attackers continually testing new delivery methods and payloads. Most of the campaigns share several characteristics, including the use of the folder C:\ProgramData\Zooms to extract later stages, PowerShell ClickFix commands that follow similar patterns, and the use of Cloudflare R2 buckets to deliver payloads.
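The shared traits listed above can be turned into a simple triage pass over process-creation telemetry. The following is an added example, not code from the Malwarebytes research: the event field names, the scoring weights, the R2 hostname patterns, and the idea that a pasted command shows up as PowerShell started by explorer.exe are assumptions, and all sample events are constructed.

```python
import re

# Indicators named in the article: the C:\ProgramData\Zooms staging folder and
# payload delivery from Cloudflare R2 buckets.
ZOOMS_DIR = re.compile(r"c:\\programdata\\zooms(?![\w.-])", re.I)
# Assumption: R2 buckets are reached via *.r2.dev or *.r2.cloudflarestorage.com.
R2_HOST = re.compile(
    r"https?://[a-z0-9.-]+\.r2\.(?:dev|cloudflarestorage\.com)(?![\w.-])", re.I)
PS_NAMES = {"powershell.exe", "pwsh.exe"}
# Hypothetical weights; assumes a pasted command starts PowerShell under
# explorer.exe, which on its own is common and stays below the threshold.
WEIGHTS = {"zooms-staging-path": 3, "powershell-r2-fetch": 2,
           "powershell-from-explorer": 1}

# Constructed process-creation events; field names are assumptions.
SAMPLE_EVENTS = [
    {"id": 1, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe <constructed> https://pub-constructed.r2.dev/a"},
    {"id": 2, "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\ProgramData\Zooms\constructed_stage.exe",
     "cmdline": r"C:\ProgramData\Zooms\constructed_stage.exe"},
    {"id": 3, "parent": r"C:\Windows\explorer.exe",  # lookalike folder, must not match
     "image": r"C:\ProgramData\Zoomster\app.exe",
     "cmdline": r"C:\ProgramData\Zoomster\app.exe"},
    {"id": 4, "parent": r"C:\Windows\explorer.exe",  # user opened a shell, no fetch
     "image": r"C:\Program Files\PowerShell\7\pwsh.exe", "cmdline": "pwsh.exe"},
]

def basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def score_event(ev):
    """Return (score, tags) for one process-creation event."""
    is_ps = basename(ev["image"]) in PS_NAMES
    tags = []
    if ZOOMS_DIR.search(ev["image"] + " " + ev["cmdline"]):
        tags.append("zooms-staging-path")
    if is_ps and R2_HOST.search(ev["cmdline"]):
        tags.append("powershell-r2-fetch")
    if is_ps and basename(ev["parent"]) == "explorer.exe":
        tags.append("powershell-from-explorer")
    return sum(WEIGHTS[t] for t in tags), tags

def triage(events, threshold=2):
    """Return (id, score, tags) for events at or above threshold, highest first."""
    scored = [(ev["id"], *score_event(ev)) for ev in events]
    return sorted((s for s in scored if s[1] >= threshold), key=lambda s: -s[1])

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Because legitimate software also uses R2 buckets, the R2 match is only scored when the requesting process is PowerShell; the staging-folder match is scored for any process.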

To avoid becoming the next victim, never copy and run commands from a website unless you’re following instructions from a trusted source and understand exactly what the command does. Be wary of verification pages; Google, Cloudflare, Microsoft, and other legitimate services will never ask you to paste PowerShell commands into Windows to prove you’re human or fix a problem. Additionally, don’t let urgency rush you, keep your security software up to date, and question unexpected technical instructions.

This post is licensed under CC BY 4.0 by the author.