HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Fake Google & Cloudflare Verification Pages Trick Users into Running Malicious PowerShell Commands

Attackers impersonate Google and Cloudflare verification pages to convince victims to paste PowerShell commands that install credential‑stealing malware. The scenario highlights gaps in security‑awareness training and the need for SOC 2‑aligned monitoring of command execution.

LiveThreat™ Intelligence · 📅 July 03, 2026· 📰 malwarebytes.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
4 sector(s)
Actions
3 recommended
📰
Source
malwarebytes.com

Fake Google & Cloudflare Verification Pages Trick Users into Running Malicious PowerShell Commands

What Happened — A new “ClickFix” campaign impersonates Google and Cloudflare verification pages, prompting victims to copy‑paste PowerShell commands that download a suite of malware families (HijackLoader, StealC, Remus, etc.). The chain often starts with a trojanized Franz messenger app that drops a custom loader (ResiLoader) which disables security tools before installing the StealC infostealer.

Why It Matters for Compliance & Audit Readiness

  • The attack exploits the human element, directly challenging the SOC 2 Common Criteria 5 – Security control that requires documented security‑awareness training and periodic testing of user behavior.
  • Successful ClickFix infections generate credential theft and remote‑access capabilities, creating evidence gaps that auditors will probe under CC5.1 – Logical Access Controls and CC5.2 – Monitoring.
  • Continuous monitoring of user‑initiated command execution (e.g., PowerShell logging) provides the audit‑ready logs needed to demonstrate that “unauthorized command execution” controls are operating effectively.

Who Is Affected – Any organization whose employees browse the web or use messaging apps on Windows workstations, spanning technology SaaS, financial services, healthcare, and education sectors.

Recommended Actions

  • Map the incident to SOC 2 CC5.1 (access control) and CC5.2 (monitoring) controls; verify that PowerShell script logging is enabled and retained per policy.
  • Conduct a targeted security‑awareness refresher covering “fake verification pages” and the prohibition on copying commands from untrusted sites.
  • Deploy endpoint detection that blocks unknown PowerShell execution and validates script signatures.

Technical Notes – The campaign uses PowerShell ClickFix commands, Cloudflare R2 buckets for payload delivery, and a persistent folder C:\ProgramData\Zooms. Payloads include HijackLoader, StealC, Remus, Amatera Stealer, CastleLoader, NetSupport, and a Rust‑based stealer. Source: Malwarebytes Labs

📰 Original Source
https://www.malwarebytes.com/blog/threat-intel/2026/07/fake-google-and-cloudflare-verification-pages-spread-multiple-malware-families

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Security Awareness

Phishing and social engineering are a people-and-policy problem.

The Verisq AI Trust Operations platform pairs Security Awareness Training with policy adoption tracking, so human-risk controls are documented and audit-ready.

Explore the Verisq AI Trust Operations platform →