Fake Google & Cloudflare Verification Pages Trick Users into Running Malicious PowerShell Commands
What Happened — A new “ClickFix” campaign impersonates Google and Cloudflare verification pages, prompting victims to copy‑paste PowerShell commands that download a suite of malware families (HijackLoader, StealC, Remus, etc.). The chain often starts with a trojanized Franz messenger app that drops a custom loader (ResiLoader) which disables security tools before installing the StealC infostealer.
Why It Matters for Compliance & Audit Readiness
- The attack exploits the human element, directly challenging the SOC 2 Common Criteria 5 – Security control that requires documented security‑awareness training and periodic testing of user behavior.
- Successful ClickFix infections generate credential theft and remote‑access capabilities, creating evidence gaps that auditors will probe under CC5.1 – Logical Access Controls and CC5.2 – Monitoring.
- Continuous monitoring of user‑initiated command execution (e.g., PowerShell logging) provides the audit‑ready logs needed to demonstrate that “unauthorized command execution” controls are operating effectively.
Who Is Affected – Any organization whose employees browse the web or use messaging apps on Windows workstations, spanning technology SaaS, financial services, healthcare, and education sectors.
Recommended Actions
- Map the incident to SOC 2 CC5.1 (access control) and CC5.2 (monitoring) controls; verify that PowerShell script logging is enabled and retained per policy.
- Conduct a targeted security‑awareness refresher covering “fake verification pages” and the prohibition on copying commands from untrusted sites.
- Deploy endpoint detection that blocks unknown PowerShell execution and validates script signatures.
Technical Notes – The campaign uses PowerShell ClickFix commands, Cloudflare R2 buckets for payload delivery, and a persistent folder C:\ProgramData\Zooms. Payloads include HijackLoader, StealC, Remus, Amatera Stealer, CastleLoader, NetSupport, and a Rust‑based stealer. Source: Malwarebytes Labs