{"id":8813,"date":"2025-11-29T10:03:48","date_gmt":"2025-11-29T10:03:48","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/11\/29\/beware-of-weaponized-google-meet-page-uses-clickfix-technique-to-deliver-malicious-payload\/"},"modified":"2025-11-29T10:03:48","modified_gmt":"2025-11-29T10:03:48","slug":"beware-of-weaponized-google-meet-page-uses-clickfix-technique-to-deliver-malicious-payload","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/11\/29\/beware-of-weaponized-google-meet-page-uses-clickfix-technique-to-deliver-malicious-payload\/","title":{"rendered":"Beware of Weaponized Google Meet Page uses ClickFix Technique to Deliver Malicious Payload"},"content":{"rendered":"<div>\n<p>A new, highly sophisticated malware campaign has been identified targeting remote workers and organizations through a fake Google Meet landing page.<\/p>\n<p>Hosted on the deceptive domain gogl-meet[.]com, this attack leverages the \u201c<a href=\"https:\/\/cybersecuritynews.com\/clickfix-attack\/\" target=\"_blank\" rel=\"noreferrer noopener\">ClickFix<\/a>\u201d social engineering technique to bypass traditional browser security controls and deliver a Remote Access Trojan (RAT) directly to the victim\u2019s system.<\/p>\n<p>The attack begins when a user navigates to the fraudulent site, which is visually indistinguishable from the legitimate Google Meet interface.
Instead of a video feed, the user is interrupted by a pop-up error message titled \u201cCan\u2019t join the meeting,\u201d which typically claims a camera or microphone issue.<\/p>\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgtUHE-9Pr2t8qld8jygJYJX1mr0MBAy4mNgZSvcw3KdQrGeEdRVYbOkfxFq7TW7bOVo-mppbUqcPUVz9Sz5pomkz2bo-1-iHEkcdZS-9WiYGl4y9H00dHpQBi3wOwvDx8OTR98xELRUap4Yd1RRpgv1N51zG9vLVPz82YG5-xyEzZ2ydiVBoufrnmACrrU\/s16000\/Google%2520Meet%2520clickfix%2520page.webp?ssl=1\" alt=\"\"><\/figure>\n<p>Unlike standard phishing that asks for credentials, this page offers a technical \u201cfix\u201d that requires physical user interaction. The prompt instructs the victim to perform a specific sequence of keystrokes: Press the Windows key + R, then CTRL + V, and finally Enter.<\/p>\n<p>Unbeknownst to the user, clicking the \u201cJoin now\u201d or \u201cFix\u201d button on the page triggers a JavaScript function that copies a malicious PowerShell script to their clipboard.<\/p>\n<p>By following the manual keystroke instructions, the user unwittingly pastes and executes this script via the Windows Run dialog, effectively bypassing browser-based security filters such as <a href=\"https:\/\/cybersecuritynews.com\/google-chromes-enhanced-safe-browsing\/\" target=\"_blank\" rel=\"noreferrer noopener\">Google Safe Browsing<\/a> and SmartScreen.<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-forensic-analysis-and-indicators\"><strong>Forensic Analysis and Indicators<\/strong><\/h2>\n<p>Recent incident response activities involving gogl-meet[.]com have confirmed that this chain leads to a RAT infection.
Forensic analysis of affected systems identified the infection\u2019s root cause through the Master File Table (MFT).<\/p>\n<p>Specifically, the MFT entry for the dropped payload revealed critical origin data in its Alternate Data Stream (ADS), capturing both the ClickFix downloaded file and the referrer URL gogl-meet[.]com.<\/p>\n<p>This forensic artifact is crucial for defenders, as it definitively links the execution of the RAT back to the browser-based <a href=\"https:\/\/cybersecuritynews.com\/social-engineering\/\" target=\"_blank\" rel=\"noreferrer noopener\">social engineering<\/a> event rather than a typical drive-by download or email attachment.<\/p>\n<p>A distinct characteristic of this wave is the obfuscation used within the PowerShell payload itself. Threat actors have begun padding the malicious script with extensive comments containing trusted visual symbols, such as repeated green check marks (<img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/s.w.org\/images\/core\/emoji\/16.0.1\/72x72\/2705.png?ssl=1\" alt=\"\u2705\" class=\"wp-smiley\" style=\"height: 1em; max-height: 1em;\">).<\/p>\n<p>When a user pastes the content into the small Windows Run box, these symbols may be the only visible text, visually reassuring the victim that the command is \u201cverified\u201d or safe.<\/p>\n<p>This tactic also serves a technical purpose: it can push the actual malicious code (often an IEX download cradle) out of the immediate visible area of the dialog box, masking the script\u2019s true intent.<\/p>\n<p>While ClickFix (also associated with clusters like ClearFake) gained significant traction throughout 2024, this latest iteration demonstrates a shift toward hyper-targeted branding.<\/p>\n<p>Early campaigns impersonated generic browser updates or Word errors.
The shift to a Google Meet simulation suggests a pivot toward targeting corporate environments, where video conferencing glitches are a common, trusted friction point.<\/p>\n<p>Security teams are advised to update detection rules to flag PowerShell execution strings originating from the Run dialog that contain unusual Unicode characters or extensive comment blocks, which are tell-tale signs of manual execution.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/weaponized-google-meet-clickfix\/\">Beware of Weaponized Google Meet Page uses ClickFix Technique to Deliver Malicious Payload<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Guru Baran<br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/weaponized-google-meet-clickfix\/\">Go to cyber-security-news<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Beware of Weaponized Google Meet Page uses ClickFix Technique to Deliver Malicious Payload A new, highly sophisticated malware campaign has been identified targeting remote workers and organizations through a fake Google Meet landing page. Hosted on the deceptive domain gogl-meet[.]com, this attack leverages the \u201cClickFix\u201d social engineering technique to bypass traditional browser security controls and
[&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1636,129,63],"tags":[130],"class_list":["post-8813","post","type-post","status-publish","format-standard","hentry","category-cyber-attack-news","category-cyber-security","category-cyber-security-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/8813"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=8813"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/8813\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=8813"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=8813"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=8813"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}