While looking for phishing sites, I came across a suspicious Cloudflare Pages site hosted at:
hxxps://zipsage.pages[.]dev
The site presents itself as an “Adobe Activation Guide” and instructs users to manually execute a PowerShell command, a technique commonly associated with ClickFix malware delivery.
Fake Adobe Activation Page
The landing page attempts to socially engineer users into copying and executing a malicious PowerShell command under the pretense of activating Adobe software.
The page instructs users to execute the following command:
The Base64-decoded command is:
This uses Invoke-RestMethod (irm) to download a remote PowerShell script and immediately execute it in memory using Invoke-Expression (iex).
PowerShell Stage
The retrieved PowerShell script downloads and launches a JavaScript file from the same infrastructure.
Script.ps1:
The script downloads script.js into the temporary directory and executes it silently using wscript.exe.
JavaScript Downloader
The downloaded JavaScript file is heavily obfuscated and acts as a downloader/dropper.
The script downloads:
hxxps://get-1o8.pages[.]dev/putty.exe
The payload is stored as:
%TEMP%\putty.exe
Behavior observed from the JavaScript:
Downloads putty.exe
Executes the file
Waits for execution to finish
Deletes the payload afterward
Deletes the script itself
This cleanup behavior likely attempts to reduce forensic evidence on infected systems.
Lumma Stealer Network Activity
During execution, the sample generated multiple DNS and HTTP requests associated with Lumma Stealer infrastructure.
Recently, I came across another ClickFix-style campaign pretending to install a Chrome security update. The campaign was hosted on:
teams-net-calls[.]com
The site impersonates a legitimate Microsoft Teams download page and attempts to trick users into manually executing a malicious PowerShell command under the guise of installing a browser security update.
When accessing the site, the victim initially sees what appears to be a legitimate Microsoft Teams download page. The page itself looks clean and convincing, using Microsoft branding and a fake Teams download interface.
However, the malicious behavior does not trigger immediately. The ClickFix flow is activated only after the user interacts with the page by clicking somewhere on it. After the click, the site displays a fake Chrome update popup claiming that a critical browser security update is required.
Requiring user interaction before displaying the malicious prompt may help the campaign avoid automated sandbox analysis and reduce detection by security crawlers that do not fully interact with page elements.
The popup then walks the user through a series of steps instructing them to manually execute a PowerShell command:
Press Win + X
Open PowerShell / Terminal
Paste the copied command
Press Enter
This social engineering approach avoids traditional browser download warnings because the victim manually executes the payload themselves.
After following the instructions, the victim ends up executing the following PowerShell command:
At first glance, the script looks somewhat harmless because it downloads a legitimate old Node.js package directly from the official Node.js website:
However, the second downloaded archive reveals the actual payload:
hxxps://instantwebupdate[.]com/get_update?i=77669
The script extracts both archives into:
C:\ProgramData\
and silently launches:
using hidden PowerShell execution flags such as:
-ExecutionPolicy Bypass -WindowStyle Hidden
The JavaScript payload itself is interesting because it uses a large fake “poem” style wordlist to hide embedded files. Instead of storing binaries directly, the malware reconstructs files from mapped words and writes them to disk during execution.
The bundled DLLs (msvcp140.dll, vcruntime140.dll, and vcruntime140_1.dll) appear to be legitimate Visual C++ runtime dependencies rather than standalone malicious DLLs. They were likely included to ensure the dropped executable runs properly on victim systems.
At the time of analysis, no obvious C2 URLs were identified inside the EXE itself. Most visible URLs were related to Microsoft or DigiCert certificate infrastructure.
While continuing to monitor the infrastructure used in that campaign, I discovered several additional URLs hosted on Google Cloud Storage (storage[.]googleapis[.]com) that appear to be part of the same ecosystem. These pages act as intermediate redirectors, sending victims to a wide variety of phishing and scam sites hosted primarily on the .autos TLD.
What is interesting is that a single Google Cloud Storage page appears to function as a central redirect hub, distributing victims across multiple scam themes such as fake surveys, reward scams, antivirus alerts, job offers, and account storage warnings.
Newly Observed Google Cloud Storage URLs
The following URLs were identified during the investigation:
These pages typically present users with messages claiming they have been selected for a Netflix reward or promotional giveaway, encouraging them to complete a short survey to claim their prize.
Like the other scams in this campaign, the pages ultimately attempt to collect personal or payment information, often under the pretext of paying a small shipping fee or verifying eligibility.
Fake Dell Laptop Giveaway Survey
Another variation promotes a Dell laptop giveaway, typically claiming that users can win a Dell 16 DC16250 laptop worth $699.99.
During testing, this page was observed redirecting users to multiple phishing domains across different scam themes.
This suggests it is functioning as a traffic distribution or redirect infrastructure, allowing attackers to rotate phishing destinations while keeping the initial delivery URL stable.
Using Google Cloud Storage also adds a layer of trust, as the domain belongs to a legitimate cloud provider.
Another interesting observation is that a single .autos domain can serve multiple phishing page themes after redirection from the Google Cloud Storage page. Depending on the redirection path or parameters, the same domain may host different scams such as:
Fake surveys
Reward scams
Storage full alerts
Antivirus subscription warnings
Job offer lures
This behavior indicates that the attackers are likely using a shared phishing kit or centralized backend infrastructure, allowing them to quickly rotate scam themes while reusing the same domains.
Another observation is the high volume of phishing emails currently being distributed using this infrastructure. Over the past few days, I have been receiving around 40–50 phishing emails within a 24-hour period, many of which contain links to Google Cloud Storage pages that act as redirectors to the phishing ecosystem described in this report.
This campaign demonstrates how attackers continue to abuse trusted cloud infrastructure such as Google Cloud Storage to host redirectors that distribute victims to multiple phishing pages.
By using legitimate cloud services as part of the attack chain, threat actors can increase credibility and reduce the likelihood of immediate blocking.
The use of large numbers of disposable .autos domains further allows attackers to rotate phishing pages frequently while keeping the delivery infrastructure intact.
In addition, the system appears to restrict repeated access attempts from the same IP address. After a user successfully reaches a phishing page through the redirector, subsequent attempts to access similar URLs from the same IP may result in the page failing to load or redirecting to unrelated sites. This behavior suggests the presence of IP-based filtering or traffic distribution logic, commonly used in malicious traffic distribution systems (TDS) to control how often a visitor can access the phishing infrastructure.
In recent weeks, a highly organized phishing campaign has surfaced, characterized by its use of legitimate Google infrastructure to bypass standard security filters. I have identified more than 25 distinct phishing emails targeting a single account, all of which ultimately direct users to a specific URL:
The URL in question is hosted on Google Cloud Storage (GCS). To the average user or basic email security gateway, the domain googleapis.com appears trustworthy because it is a legitimate Google-owned domain used for hosting cloud assets.
In this specific exploit:
The Bucket: whilewait is a unique storage container created by the attacker within a Google Cloud project.
The Payload: comessuccess.html is a script-heavy file designed to act as a “gatekeeper” or “redirector“.
By hosting the initial link on Google’s servers, the attackers ensure the email passes authentication checks like SPF and DKIM. Once a user clicks, the HTML file on Google’s server silently redirects the browser to a third-party malicious site, often used for credit card harvesting or malware distribution.
Diversity of Social Engineering Tactics
More than 25 emails captured in this study demonstrate an exhaustive range of “hooks” designed to appeal to different psychological triggers. While the underlying technical path is identical, the presentation varies wildly:
Security Fears: Alerts regarding a “Critical Threat Detected” or “Antivirus Protection Expired“.
Retail Incentives: Reward offers from brands such as Lowe’s, T-Mobile, and State Farm.
Lifestyle & Health: Promotions for “Homemade Recipes“, “Harry & David Gift Baskets“, “Blood Sugar Watch” or “Neuropathy Pain” solutions.
Despite these different themes, the goal remains consistent, drive traffic to the whilewait storage bucket to initiate a fraudulent transaction or steal sensitive information.
The Final Objective: Credit Card Harvesting
Following the redirect from the Google Cloud link, users are typically presented with a “shipping fee” or “service charge” for their reward or security update. This is the Credit Card (CC) Harvesting phase. Any payment information entered on these secondary sites is captured by the attackers, leading to immediate financial fraud. This specific lure mirrors the tactics identified in recent threat research (link given below), where scareware emails are increasingly used to push users toward these fraudulent “subscription” or “service” portals.
To defend against this specific style of “Trusted-Platform Phishing“, the following steps are recommended:
Inspect the Redirect Path: Be aware that a link starting with storage.googleapis.com is not an official communication from Google, it is a file hosted by a third party using Google’s tools.
Verify Sender Metadata: Even if the link looks legitimate, the “From” address in these 25 plus samples often consists of unrelated, randomized alphanumeric strings.
Submit Infrastructure Abuse Reports: These campaigns rely on the longevity of the storage bucket. Reporting the whilewaitbucket to the Google Cloud Abuse Team is the most effective way to dismantle the entire 25 plus email network at once.
I recently came across a phishing campaign impersonating the Yoroi Desktop Wallet, targeting cryptocurrency users with what looked like a legitimate upgrade.
The email itself was clean and well-written. It talked about improved security, hardware wallet support, and even AI-based scam detection. Nothing immediately stood out as suspicious. The landing page looked polished too, with proper branding and a familiar layout.
The Setup
The phishing email redirects users to a domain:
hxxps://download[.]v1desktop-yoroiwallet[.]com/
the domain was recently registered (Feb 2026), yet it was already indexed on Google, meaning users could also land on it via search results, not just email.
The Download That Isn’t a Wallet
The site promotes a “Yoroi Desktop” download, but instead of hosting anything legitimate, it redirects to a file-sharing service and delivers an MSI file:
Once executed, the system is quietly enrolled into a remote access setup. There’s no obvious warning, no suspicious pop-ups, just a legitimate tool being used in the wrong way.
Looking at the configuration reveals what’s happening behind the scenes:
This isn’t random. It shows the machine is being registered into a pre-configured remote access fleet, controlled by whoever owns that GoTo Resolve tenant.
At this point, the attacker doesn’t need to trick the user anymore. They already have what they need, persistent access to the device.
One thing that stands out across both campaigns is how the payload is delivered.
In all cases, the final MSI files are not hosted directly on the phishing domains. Instead, the sites redirect users to gofile[.]io, a legitimate file-sharing service, to download the installer.
This adds another layer of evasion. Hosting the MSI on a legitimate service like gofile makes it harder to block and also reduces suspicion from users, since the download doesn’t come directly from the phishing domain.
While digging further into this, I also noticed that the MSI files are hosted across multiple gofile storage endpoints such as:
store-na-phx-[1/4/5].gofile.io/download/direct/
Changing the server index (for example, 1, 4, or 5) reveals similar download paths hosting MSI files that follow the same theme, crypto wallet installers that actually deploy RMM tools.
Combined with the use of legitimate tools like GoTo Resolve (LogMeIn) and delivery through trusted file-sharing services, the overall chain appears clean on the surface but ultimately leads to full remote access.
