Fake Google Meet Page Tricks Users into Running Malware

A deceptively crafted fake Google Meet page has surfaced on compromised WordPress sites, tricking unsuspecting visitors into manually executing PowerShell commands that unleash remote access malware. First uncovered by Puja Srivastava, Security Analyst at Sucuri, this threat demonstrates a troubling new trend in social engineering attacks: malicious command injection by human hands.

“This phishing page is crafted to manipulate human behavior, not browser behavior,” Srivastava warns. “The attacker isn’t stealing passwords through fake forms. Instead, they rely on the user to run a PowerShell script.”

The attack was initially discovered after a Sucuri customer noticed strange URLs and visitor complaints about odd prompts on their WordPress site. Upon deeper investigation, analysts found an HTML file posing as a legitimate Google Meet page, but with a sinister twist — instead of stealing credentials, it prompts users with a fake error modal claiming:

“Microphone permission denied.”

To resolve this fake issue, users are told to copy and paste a PowerShell command into their system terminal — a clever manipulation disguised as a technical fix.

The HTML page is self-contained, with no external scripts, Google resources, or analytics — making it exceptionally stealthy.

“What makes this fake Google Meet file more dangerous than many we’ve seen is its self-contained nature… The attacker knew what they were doing,” Srivastava notes.

The interface includes:

• A “Join Now” button
• A fake error popup
• A “Try Fix” button that copies a PowerShell command to the user’s clipboard
• Step-by-step instructions to launch PowerShell and run the code

When executed, the PowerShell command downloads an obfuscated payload (XR.txt) directly from the infected site. This script:

• Shows a “Verification Complete!” dialog as a decoy
• Uses XOR obfuscation to decode a hidden command
• Executes a remote access tool (noanti-vm.bat) into the AppData folder

The final payload — a Trojanized batch file — uses string slicing and environment variable tricks to dynamically construct and run malicious commands while evading detection.

“The noanti-vm.bat file is a heavily obfuscated Windows batch script… detected as Trojan or RAT on VirusTotal.”

This attack leverages human behavior, not browser exploits. The attacker’s goal is simple: gain system access by convincing users to willingly execute malware under the pretense of troubleshooting.

Srivastava explains:

“The attackers are betting on the users trust and their desire to quickly resolve a perceived technical issue.”

By mimicking a known interface and simulating a relatable problem (mic access), the attacker weaponizes trust and a user’s desire for quick fixes.

This fake Google Meet phishing tactic showcases how attackers are evolving — blending design precision, technical manipulation, and psychological insight to create incredibly effective traps.

As Srivastava puts it:

“By understanding the mechanics of this attack and remaining vigilant, we can significantly reduce the risk of falling victim to this dangerous deception.”

Related Posts:

• Stealthy Malware Hides in WordPress Database, Steals Payment Data
• PHP Reinfector Malware Wreaks Havoc on WordPress Sites
• Blackout Mode: Microsoft Teams to Block Screenshots in Meetings
• Beware of Fake Google Meet Invites: ClickFix Campaign Spreading Infostealers