While looking for phishing sites, I came across a suspicious Cloudflare Pages site hosted at:
hxxps://zipsage.pages[.]dev
The site presents itself as an “Adobe Activation Guide” and instructs users to manually execute a PowerShell command, a technique commonly associated with ClickFix malware delivery.
Fake Adobe Activation Page
The landing page attempts to socially engineer users into copying and executing a malicious PowerShell command under the pretense of activating Adobe software.
The page instructs users to execute the following command:
The Base64-decoded command is:
This uses Invoke-RestMethod (irm) to download a remote PowerShell script and immediately execute it in memory using Invoke-Expression (iex).
PowerShell Stage
The retrieved PowerShell script downloads and launches a JavaScript file from the same infrastructure.
Script.ps1:
The script downloads script.js into the temporary directory and executes it silently using wscript.exe.
JavaScript Downloader
The downloaded JavaScript file is heavily obfuscated and acts as a downloader/dropper.
The script downloads:
hxxps://get-1o8.pages[.]dev/putty.exe
The payload is stored as:
%TEMP%\putty.exe
Behavior observed from the JavaScript:
Downloads putty.exe
Executes the file
Waits for execution to finish
Deletes the payload afterward
Deletes the script itself
This cleanup behavior likely attempts to reduce forensic evidence on infected systems.
Lumma Stealer Network Activity
During execution, the sample generated multiple DNS and HTTP requests associated with Lumma Stealer infrastructure.
Recently, I came across another ClickFix-style campaign pretending to install a Chrome security update. The campaign was hosted on:
teams-net-calls[.]com
The site impersonates a legitimate Microsoft Teams download page and attempts to trick users into manually executing a malicious PowerShell command under the guise of installing a browser security update.
When accessing the site, the victim initially sees what appears to be a legitimate Microsoft Teams download page. The page itself looks clean and convincing, using Microsoft branding and a fake Teams download interface.
However, the malicious behavior does not trigger immediately. The ClickFix flow is activated only after the user interacts with the page by clicking somewhere on it. After the click, the site displays a fake Chrome update popup claiming that a critical browser security update is required.
Requiring user interaction before displaying the malicious prompt may help the campaign avoid automated sandbox analysis and reduce detection by security crawlers that do not fully interact with page elements.
The popup then walks the user through a series of steps instructing them to manually execute a PowerShell command:
Press Win + X
Open PowerShell / Terminal
Paste the copied command
Press Enter
This social engineering approach avoids traditional browser download warnings because the victim manually executes the payload themselves.
After following the instructions, the victim ends up executing the following PowerShell command:
At first glance, the script looks somewhat harmless because it downloads a legitimate old Node.js package directly from the official Node.js website:
However, the second downloaded archive reveals the actual payload:
hxxps://instantwebupdate[.]com/get_update?i=77669
The script extracts both archives into:
C:\ProgramData\
and silently launches:
using hidden PowerShell execution flags such as:
-ExecutionPolicy Bypass -WindowStyle Hidden
The JavaScript payload itself is interesting because it uses a large fake “poem” style wordlist to hide embedded files. Instead of storing binaries directly, the malware reconstructs files from mapped words and writes them to disk during execution.
The bundled DLLs (msvcp140.dll, vcruntime140.dll, and vcruntime140_1.dll) appear to be legitimate Visual C++ runtime dependencies rather than standalone malicious DLLs. They were likely included to ensure the dropped executable runs properly on victim systems.
At the time of analysis, no obvious C2 URLs were identified inside the EXE itself. Most visible URLs were related to Microsoft or DigiCert certificate infrastructure.
While continuing to monitor the infrastructure used in that campaign, I discovered several additional URLs hosted on Google Cloud Storage (storage[.]googleapis[.]com) that appear to be part of the same ecosystem. These pages act as intermediate redirectors, sending victims to a wide variety of phishing and scam sites hosted primarily on the .autos TLD.
What is interesting is that a single Google Cloud Storage page appears to function as a central redirect hub, distributing victims across multiple scam themes such as fake surveys, reward scams, antivirus alerts, job offers, and account storage warnings.
Newly Observed Google Cloud Storage URLs
The following URLs were identified during the investigation:
These pages typically present users with messages claiming they have been selected for a Netflix reward or promotional giveaway, encouraging them to complete a short survey to claim their prize.
Like the other scams in this campaign, the pages ultimately attempt to collect personal or payment information, often under the pretext of paying a small shipping fee or verifying eligibility.
Fake Dell Laptop Giveaway Survey
Another variation promotes a Dell laptop giveaway, typically claiming that users can win a Dell 16 DC16250 laptop worth $699.99.
During testing, this page was observed redirecting users to multiple phishing domains across different scam themes.
This suggests it is functioning as a traffic distribution or redirect infrastructure, allowing attackers to rotate phishing destinations while keeping the initial delivery URL stable.
Using Google Cloud Storage also adds a layer of trust, as the domain belongs to a legitimate cloud provider.
Another interesting observation is that a single .autos domain can serve multiple phishing page themes after redirection from the Google Cloud Storage page. Depending on the redirection path or parameters, the same domain may host different scams such as:
Fake surveys
Reward scams
Storage full alerts
Antivirus subscription warnings
Job offer lures
This behavior indicates that the attackers are likely using a shared phishing kit or centralized backend infrastructure, allowing them to quickly rotate scam themes while reusing the same domains.
Another observation is the high volume of phishing emails currently being distributed using this infrastructure. Over the past few days, I have been receiving around 40–50 phishing emails within a 24-hour period, many of which contain links to Google Cloud Storage pages that act as redirectors to the phishing ecosystem described in this report.
This campaign demonstrates how attackers continue to abuse trusted cloud infrastructure such as Google Cloud Storage to host redirectors that distribute victims to multiple phishing pages.
By using legitimate cloud services as part of the attack chain, threat actors can increase credibility and reduce the likelihood of immediate blocking.
The use of large numbers of disposable .autos domains further allows attackers to rotate phishing pages frequently while keeping the delivery infrastructure intact.
In addition, the system appears to restrict repeated access attempts from the same IP address. After a user successfully reaches a phishing page through the redirector, subsequent attempts to access similar URLs from the same IP may result in the page failing to load or redirecting to unrelated sites. This behavior suggests the presence of IP-based filtering or traffic distribution logic, commonly used in malicious traffic distribution systems (TDS) to control how often a visitor can access the phishing infrastructure.
While reviewing historical scans on URLScan, I came across a VPN-themed website hosted on Cloudflare Pages
hxxps://fast-ray-vpn.pages.dev/
At first glance, the site looks like a harmless VPN review blog. It features clean formatting, long-form written content, fake ratings, and well-structured download sections. Nothing immediately stands out as malicious, which is likely why the site has remained accessible for months.
What makes this case notable is that URLScan shows this domain has been publicly reachable for at least eight months, with multiple scans recorded over time. This is not a short lived phishing page or a throwaway redirect, it appears to be stable infrastructure.
A Convincing VPN Review That Builds False Trust
The landing page presents itself as a review article titled “Fast Ray VPN Review: Secure & Fast Mobile VPN?”. It includes a star rating of 4.8, all designed to look credible.
Download Links That Don’t Deliver a VPN
Near the bottom of the page, two links are presented as:
“Download via Link 1” “Download via Link 2”
Clicking either of these does not lead to an app store, an official vendor site, or even a branded installer page. Instead, users are redirected to a third-party domain:
hxxps://normallydemandedalter[.]com
The URLs include long query strings with tracking keys, strongly suggesting affiliate or traffic broker infrastructure rather than software hosting.
In many cases, the redirect lands on a generic page stating
“Your File Download Is Ready!”
There is no mention of a VPN, no vendor name, no file hash, and no explanation of what is about to be downloaded.
As shown in the above screenshot, one such redirect path leads to insecthoney[.]xyz, where clicking the download button results in OperaSetup.exe being delivered. While Opera itself is legitimate software, the context is deceptive. Users are led to believe they are downloading a VPN client, but instead receive an unrelated browser installer distributed.
This OperaSetup.exe is getting delivered through below domains:
insecthoney[.]xyz
valueeye[.]xyz
Pixelsee PUA Delivered Through One Redirect Path
During sandbox testing, both redirect paths associated with the two download links were observed delivering a PUA payload, including the Pixelsee sample previously referenced. However, the behavior was not consistent. The same URLs did not always result in a file download and, in several cases, redirected to unrelated advertising or affiliate destinations instead. This indicates that payload delivery is randomized or condition-based, likely controlled by backend traffic distribution logic rather than being tied to a single fixed URL.
That file is already flagged on VirusTotal and detected as Pixelsee PUA. The Pixelsee site itself again presents a clean, minimal download page with a prominent “Download” button and almost no transparency about the software’s purpose.
Revisiting the same download URLs does not consistently result in the same behavior.
In multiple attempts, instead of receiving a file, the browser was redirected to completely unrelated destinations, including:
TikTok video pages
XM trading platform landing pages
Ad-related sites such as adzilla/.meme
Adult-themed click-through domains like best-girls-around/.com
This inconsistency strongly indicates the use of a traffic distribution system (TDS). Depending on conditions such as IP reputation.
VPN and Sandbox Detection Blocking Visibility
When accessing normallydemandedalter[.]com through a VPN or sandbox environment, the site responds with a simple message
“Anonymous Proxy detected.”
Once this message appears, no further redirects or downloads occur. This behavior effectively blocks
VPN users
Cloud-based sandboxes
Automated analysis systems
This explains why the site can remain live for months while still evading deeper inspection. The actual payload delivery only happens when the visitor appears to be a “real” user.
Visibility in Google Search Results
An additional point worth highlighting is that the Fast Ray VPN site is not buried or obscure. A simple Google search for “fast ray vpn” currently surfaces the Cloudflare Pages site within the top search results, appearing alongside legitimate Google Play and Apple App Store listings. This positioning significantly increases the likelihood of real users landing on the page organically, especially those searching for a VPN by name and expecting an official or review-based result. Combined with the site’s long uptime and clean presentation, this search visibility further amplifies its effectiveness as a traffic funnel.
Indicators of Compromise (IOCs)
The following indicators were observed during hands-on analysis and sandbox testing. They are linked to a deceptive VPN-themed page that redirects users through third-party infrastructure and, in some cases, delivers potentially unwanted applications. The redirects do not behave consistently. Sometimes a file is downloaded, other times users are sent to unrelated advertising or affiliate pages. This kind of behavior suggests traffic is being routed and monetized dynamically rather than through a single, fixed download path.
The Fast Ray VPN site is not a legitimate VPN service and not a genuine review platform. It functions as a persistent traffic lure, redirecting users into affiliate and PUA distribution chains while actively blocking VPNs and sandboxes.
Its long lifespan suggests an effective design that prioritizes persistence and user reach while avoiding signals that typically lead to rapid takedown.
During analysis of a phishing URL chain, I observed a fake Cloudflare Turnstile verification page acting as an intelligent traffic filtering gate. Rather than protecting a website, this page selectively blocks, redirects, or allows access based on geolocation, proxy usage, and browser fingerprinting.
This phishing infrastructure demonstrates Traffic Distribution System like behavior commonly used in modern phishing and scam operations to evade security researchers, sandboxes, and automated crawlers while delivering payloads only to high-confidence victims.
Redirection Chain
The Cloudflare page is not legitimate and does not load any official Turnstile JavaScript. Instead, it is a static imitation combined with heavy client side fingerprinting.
Fake Cloudflare Verification Page
The landing page is designed to closely mimic a legitimate Cloudflare interstitial, creating a false sense of trust for the victim. It displays the French language title “Un instant…“, along with Cloudflare style branding and logos to appear authentic. A fake human verification checkbox labeled “Vérifiezque vous êtes humain” is presented, imitating Cloudflare’s Turnstile challenge, despite performing no real validation. The page also shows a fabricated Ray ID, a detail commonly associated with genuine Cloudflare error or verification pages. To further reinforce legitimacy, the attackers include links pointing to real Cloudflare policy and documentation pages, a tactic intended to reduce suspicion and bypass casual scrutiny by users and automated scanners alike.
However, no real Turnstile challenge exists. All logic is client side JavaScript + server side decision APIs, not Cloudflare infrastructure.
Browser Fingerprinting & Bot Detection
Once the page loads, the script silently collects a detailed browser fingerprint, including:
Using Fiddler with different exit locations, the server’s decision engine responses were captured. These responses clearly show country based blocking and proxy detection logic.
This confirms explicit detection of hosting providers, VPNs, and proxy infrastructure, even when traffic originates from France.
Decoy Redirect Behavior
If a visitor is classified as blocked or suspicious, the page redirects to:
hxxps://www.mediapart.fr
This serves multiple purposes:
Makes the site appear benign during casual inspection
Misleads analysts and automated scanners
Prevents security tools from accessing the real phishing content
Only approved traffic (likely residential French IPs, real browsers) proceeds to the malicious landing page.
Why France?
Several indicators strongly suggest that this phishing infrastructure is specifically oriented toward French users. The landing page content and interface are fully localized in French (fr_FR), indicating deliberate language targeting rather than generic reuse. Access behavior appears to follow a country based allow list model, where visitors from non-French regions are blocked or redirected. When access conditions are not met, the site redirects to a well-known French news outlet as a decoy, helping the infrastructure appear benign during casual checks. Additionally, all CAPTCHA elements and user interface text are presented entirely in French, reinforcing the assessment that this setup is designed to blend seamlessly into a French browsing context and evade suspicion among local users.
Infrastructure Observations
Both domains involved in the redirect chain were newly registered on 2026-01-06.
Detection And Hunting Notes
Defenders should look for:
Fake Cloudflare Turnstile pages without official Cloudflare JS
Hidden honeypot form fields
/collect_info.php or /dashboard.php?action=visit patterns
Conditional redirects to legitimate news sites
Different behavior between residential vs proxy IPs
Confirmed malicious phishing traffic distribution system.
This is not a Cloudflare protection page. It is aselective traffic gate designed to evade analysis and deliver phishing content only to real victims.
