Threat actors are exploiting counterfeit Google Meet web pages as part of a malware campaign known as ClickFix to deliver infostealers targeting both Windows and macOS systems.
According to a report from French cybersecurity firm Sekoia, these attacks involve fake error messages in web browsers designed to trick users into copying and executing malicious PowerShell commands, ultimately infecting their systems.
The ClickFix campaign, also referred to as ClearFake and OneDrive Pastejacking, has been reported frequently in recent months. Threat actors are employing various lures to redirect users to fake pages that urge them to run encoded PowerShell code to fix a supposed issue with their browser.
These deceptive pages often impersonate popular online services, including Facebook, Google Chrome, PDFSimpli, reCAPTCHA, and now Google Meet, as well as Zoom. Some known fake URLs include:
- meet.google.us-join[.]com
- meet.googie.com-join[.]us
- meet.google.com-join[.]us
- meet.google.web-join[.]com
- meet.google.webjoining[.]com
- meet.google.cdm-join[.]us
- meet.google.us07host[.]com
- googiedrivers[.]com
- us01web-zoom[.]us
- us002webzoom[.]us
- web05-zoom[.]us
- webroom-zoom[.]us
For Windows users, the attack results in the deployment of the StealC and Rhadamanthys stealers. In contrast, macOS users are tricked into downloading a malicious disk image file (“Launcher_v1.94.dmg”) that installs another stealer known as Atomic.
This emerging social engineering tactic is particularly concerning as it effectively circumvents detection by security tools. Users are misled into manually executing the harmful PowerShell command, rather than having it automatically run via a downloaded payload.
Sekoia has linked the impersonation of Google Meet to two trafficking groups: Slavic Nation Empire (also known as Slavice Nation Land) and Scamquerteo, which are sub-teams within the markopolo and CryptoLove operations, respectively. The report indicates that both groups utilize the same ClickFix template to impersonate Google Meet, suggesting they share resources and infrastructure.
This raises the possibility that the groups might be utilizing an unidentified cybercrime service managed by a third party.
The situation unfolds amid the rise of malware campaigns distributing the open-source ThunderKitty stealer, which shares characteristics with Skuld and Kematian Stealer, alongside newly emerging stealer families like Divulge, DedSec (aka Doenerium), Duck, Vilsa, and Yunit.
Hudson Rock, a cybersecurity company, highlighted back in July 2024 that “the rise of open-source infostealers represents a significant shift in the world of cyber threats.” These tools lower barriers to entry and encourage rapid innovation, potentially fueling a new wave of infections and increasing risks for businesses and individuals alike.
Follow Latest Hacker News for regular updates!!!