Severity
High
Analysis Summary
A new phishing campaign has emerged that cleverly mimics a Google Meet interface to trick users into infecting their own systems, as discovered by a Security Analyst. This attack does not follow the usual playbook of stealing passwords through fake login pages. Instead, it manipulates users into manually copying and pasting a malicious PowerShell command into their own terminal, effectively bypassing traditional browser security and directly inviting malware into their system.
The fake page is hosted on compromised WordPress sites and appears as a standard Google Meet interface. However, once the user attempts to “join” a meeting, a fake error appears stating that the microphone permission was denied. To “fix” the problem, users are given clear instructions to launch PowerShell and execute a provided script supposedly to resolve the issue. The command, when run, silently downloads an obfuscated payload from the same compromised website. This script then pretends to show a successful verification message while it secretly executes a Trojanized batch file designed to provide the attacker with remote access.
What makes this attack particularly dangerous is its stealth. The fake Meet page is completely self-contained, with no external scripts, Google APIs, or analytics, making it very difficult to detect through standard website scanning. The page includes a “Join Now” button, a fake error popup, and a “Try Fix” button that automatically copies the malicious command to the clipboard. The final payload, a batch file named noanti-vm.bat, is highly obfuscated using tricks like XOR decoding, environment variable manipulation, and dynamic string slicing to evade detection by antivirus tools.
This attack is a clear example of a growing trend in social engineering: malware that relies on user action rather than on exploiting browser or software vulnerabilities. It weaponizes user trust and urgency, knowing that many users will follow instructions without fully understanding the risk. Instead of breaking into a system through technical loopholes, the attacker simply asks the user to unlock the door.
This incident is a powerful reminder that social engineering remains one of the most effective tools in a threat actor’s arsenal. It shows how attackers are becoming more creative by blending believable design, technical camouflage, and psychological pressure to deceive even careful users. Understanding the structure and goals of this kind of attack is critical for preventing it, both at the individual and organizational level.
Impact
- Security Bypass
- Data Exfiltration
- Command Execution
Remediation
- Immediately audit all WordPress websites for unauthorized files or HTML uploads.
- Remove any suspicious .html files that mimic trusted services like Google Meet.
- Educate users not to run terminal or PowerShell commands from untrusted sources.
- Implement browser-based warnings or popups for users clicking suspicious links.
- Use endpoint protection tools with behavior analysis to catch manual script execution.
- Regularly update antivirus definitions and enable script-blocking features.
- Monitor web server logs for unusual traffic or external script downloads.
- Perform routine malware scans on all hosting environments.
- Enforce strict permissions on uploads and admin panel access in WordPress.
- Use web application firewalls (WAF) to detect and block phishing payloads early.
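An added example (not part of the advisory) of the WordPress audit the first two remediation items call for: a Python scanner that scores every .html file under a web root against the lure traits described above (Google Meet branding, the fake microphone error, the “Try Fix” clipboard copy, a PowerShell instruction, the noanti-vm.bat payload name). The weights, the threshold and the two sample pages are assumptions constructed for illustration.

```python
import os
import re
from dataclasses import dataclass

# Indicators drawn from the advisory's description of the lure page; the weights and
# cutoff are assumptions to tune per site. Patterns are lowercase (text is lowercased).
INDICATORS = {
    r"google\s*meet": 1,
    r"join\s*now": 1,
    r"microphone.{0,40}(denied|blocked|permission)": 2,
    r"try\s*fix": 2,
    r"powershell": 3,  # a genuine Meet page never asks the visitor to open PowerShell
    r"navigator\.clipboard\.writetext|execcommand\(.copy": 2,  # "Try Fix" copy trick
    r"noanti-vm\.bat": 5,  # batch payload named in the advisory
}
THRESHOLD = 5

@dataclass
class Finding:
    path: str
    score: int
    hits: list[str]

def score_html(text: str) -> tuple[int, list[str]]:
    """Return (total indicator weight, matched patterns) for one page's HTML."""
    lowered = text.lower()
    hits = [pat for pat in INDICATORS if re.search(pat, lowered)]
    return sum(INDICATORS[p] for p in hits), hits

def classify(pages: dict[str, str], threshold: int = THRESHOLD) -> list[Finding]:
    """Keep only pages whose indicator weight reaches the threshold."""
    scored = ((path, *score_html(text)) for path, text in pages.items())
    return [Finding(p, s, h) for p, s, h in scored if s >= threshold]

def scan_webroot(root: str, threshold: int = THRESHOLD) -> list[Finding]:
    """Walk a web root (e.g. wp-content/uploads) and classify every .html/.htm file."""
    pages = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith((".html", ".htm")):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:  # tolerate junk bytes
                    pages[path] = fh.read()
    return classify(pages, threshold)

# Constructed samples: a lure page modelled on the advisory, and a benign blog page.
LURE_SAMPLE = """<html><title>Google Meet</title><button>Join Now</button>
<div id="err">Microphone permission denied. Click Try Fix, open PowerShell and paste the command.</div>
<script>document.getElementById('fix').onclick=()=>navigator.clipboard.writeText(cmd)</script></html>"""
BENIGN_SAMPLE = "<html><title>Our Blog</title><p>Join now for updates about our meetups.</p></html>"
```

Run `scan_webroot("/var/www/html")` (path assumed) and review every Finding by hand before deleting anything; a low score only means the page lacks these particular traits.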