A new phishing campaign has been discovered using a fake Google Meet page to trick users into executing a malicious PowerShell command. This self-contained HTML file mimics the Google Meet interface and displays a fake “Microphone Permission Denied” error, prompting users to fix it by pasting a PowerShell command copied to their clipboard.
Key Details
The fake page doesn’t steal credentials but relies on social engineering to make users manually run a malicious command in PowerShell.
The command downloads a PowerShell-based RAT (remote access trojan) script disguised as a file called XR.txt.
The RAT further installs a batch script named noanti-vm.bat, which uses string slicing and obfuscation techniques to evade detection and enable remote control over the victim’s system.
This attack is particularly dangerous because it:
Is fully self-contained (no external script dependencies),
Looks legitimate on casual inspection,
And manipulates users through deceptive interface design.
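A defender-side triage heuristic for the page traits described above, as an added example that is not part of the original advisory: it flags HTML files whose script writes to the clipboard and whose content contains PowerShell strings. The function name, the regex lists and the sample page are constructed for illustration, and the command and URL in the sample are harmless placeholders, not values from the campaign.

```python
import re
from html.parser import HTMLParser
# Browser calls that put text on the clipboard.
CLIPBOARD = re.compile(r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]", re.I)
# PowerShell invocation or download/execute keywords (illustrative, not exhaustive).
POWERSHELL = re.compile(
    r"\bpowershell(\.exe)?\b|\bInvoke-(WebRequest|Expression|RestMethod)\b|DownloadString", re.I)
# Lure wording quoted in the advisory.
LURE = re.compile(r"microphone permission denied", re.I)
# Constructed sample page; the command and URL are harmless placeholders.
SAMPLE = '''<html><body><p>Microphone Permission Denied</p>
<button onclick="fix()">Fix</button>
<script>function fix(){navigator.clipboard.writeText(
"powershell -Command 'Invoke-WebRequest https://example.invalid/placeholder.txt'");}</script>
</body></html>'''

class _Scan(HTMLParser):
    """Collects script code, visible text and external script URLs."""
    def __init__(self):
        super().__init__()
        self.in_script = False
        self.js, self.text, self.external = [], [], []

    def handle_starttag(self, tag, attrs):
        # Inline event handlers (onclick=...) count as script.
        self.js += [v for k, v in attrs if k.startswith("on") and v]
        if tag == "script":
            self.in_script = True
            self.external += [v for k, v in attrs if k == "src" and v]

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        (self.js if self.in_script else self.text).append(data)

def triage_html(html):
    """Return per-trait findings plus an overall 'suspicious' verdict."""
    p = _Scan()
    p.feed(html)
    js, text = "\n".join(p.js), "\n".join(p.text)
    r = {"clipboard_write": bool(CLIPBOARD.search(js)),
         "powershell_string": bool(POWERSHELL.search(js + "\n" + text)),
         "lure_text": bool(LURE.search(text)),
         "self_contained": not p.external}
    # Clipboard write plus a PowerShell string is the core signal; the rest is context.
    r["suspicious"] = r["clipboard_write"] and r["powershell_string"]
    return r
```

Calling triage_html(SAMPLE) marks the constructed page as suspicious; a page that only copies a meeting link to the clipboard is not flagged, because no PowerShell string is present.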
Impact of this Attack
Running the command can result in full system compromise, data theft, or malware installation, all without exploiting any browser vulnerability: the attack relies only on human trust.
Recommendations
Users are advised to perform regular malware scans and website audits.
Always keep all software (CMS, plugins, themes) updated.
Enforce strong credentials and two-factor authentication.
Sanitize user input to prevent injections.
Deploy a Web Application Firewall (WAF) for extra protection.