By NHI Mgmt Group Editorial TeamPublished 2026-05-20Domain: Governance & RiskSource: Gurucul

TL;DR: A ClickFix campaign impersonating Google Meet tricks users into running obfuscated PowerShell and delivers SalatStealer to harvest browser credentials, session cookies, autofill data, and cryptocurrency wallet artifacts, according to Gurucul. The lesson is that user-assisted execution plus legitimate Windows tooling can bypass traditional controls and turn endpoint compromise into identity theft at scale.


At a glance

What this is: This is a threat research post on a ClickFix social engineering campaign that uses fake Google Meet verification pages to deliver SalatStealer and steal browser credentials, cookies, and wallet data.

Why it matters: It matters because IAM and security teams cannot treat browser session theft and credential harvesting as only endpoint problems when stolen secrets can be reused across NHI, autonomous, and human access paths.

By the numbers:

  • When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases.

👉 Read Gurucul's analysis of the ClickFix campaign that delivered SalatStealer


Context

ClickFix campaigns abuse trust in familiar interfaces and legitimate Windows utilities to get users to execute malicious commands themselves. In this case, the attacker did not need a software exploit to begin the intrusion. The real governance failure is that user-assisted execution can still become identity compromise when browser credentials, cookies, and wallet artifacts are available on the endpoint.

For IAM and NHI teams, the important point is not the malware family name but the identity material it targets after execution. Browser-stored secrets, session cookies, and autofill records often become the bridge from a single compromised workstation to broader account abuse, especially where secrets are reused or where session governance is weak.


Key questions

Q: How should security teams respond to ClickFix-style social engineering campaigns?

A: Treat them as identity compromise pathways, not just phishing. The immediate goal is to interrupt user-assisted execution, detect suspicious PowerShell or Run-dialog activity, and reduce the value of any browser or session data already exposed on the endpoint. If the attacker can run code locally, browser-stored secrets may already be at risk.

Q: Why do browser cookies and autofill records matter to IAM teams?

A: Because they can function as session and authentication shortcuts. If malware steals cookies, encrypted browser stores, or autofill data, the attacker may bypass password prompts and reuse active access without ever knowing the original password. That turns endpoint compromise into account compromise.

Q: What breaks when PowerShell and BITSAdmin are allowed to run unchecked on user endpoints?

A: The defender loses the distinction between normal administration and attacker staging. Native tools can fetch payloads, conceal process lineage, and help the attacker blend into approved activity, which makes detection dependent on behavioural correlation rather than simple binary allow or deny logic.

Q: How can organisations limit the damage from stolen browser secrets?

A: Reduce persistence, reduce reuse, and reduce privilege. Shorter session lifetimes, stronger endpoint hardening, and tighter control over where credentials are cached make harvested browser secrets less useful after theft. The key is to stop a local compromise from becoming a broad identity event.


Technical breakdown

ClickFix social engineering and user execution

ClickFix is a social engineering pattern that persuades the victim to run a command themselves, usually through Windows Run or copy-paste instructions. That matters because the action appears user-initiated, so many controls that look for exploit delivery never trigger. In this campaign, the fake Google Meet portal guided the victim into launching an obfuscated PowerShell command that reconstructed Invoke-WebRequest and Invoke-Expression at runtime. The result is a trusted process starting the attack chain instead of a suspicious payload arriving from the network.

Practical implication: monitor for suspicious Run-dialog activity, browser to PowerShell handoffs, and hidden script execution from user desktops.

PowerShell, BITSAdmin, and living-off-the-land staging

The loader phase relies on legitimate Windows components to reduce visibility. PowerShell executes in memory, then BITSAdmin retrieves the next stage and stores it in a writable location before the payload is launched as a detached process. This is a classic living-off-the-land sequence because the attacker does not need custom downloader infrastructure on the endpoint itself. Packed binaries and string obfuscation then make static inspection harder, while the download-and-execute pattern shortens detection windows.

Practical implication: alert on PowerShell network retrieval, BITSAdmin usage, and executable creation in temporary directories.

Browser credential theft and wallet data collection

SalatStealer targets credential stores that are already normalized in modern browsing environments. Chromium-based browsers protect secrets with DPAPI and AES-GCM, but once malware can read the local profile and Local State files, it can recover the key material needed to decrypt login data, cookies, and autofill entries. The same logic extends to Gecko-based browsers, browser-extension storage, and LevelDB databases used by wallet tools. That makes the endpoint a repository of identity and session material, not just a workstation.

Practical implication: reduce browser secret persistence on high-risk endpoints and treat local profile access as credential exposure.


Threat narrative

Attacker objective: The attacker wants reusable browser identity material and wallet data that can be monetized through account takeover, session hijacking, and asset theft.

  1. Entry begins with a fake Google Meet verification page that tricks the victim into running an obfuscated PowerShell command through the Windows Run dialog.
  2. Credential access follows when the PowerShell loader and BITSAdmin stage SalatStealer, which then reads browser profile files, decrypts stored secrets, and collects session cookies and wallet artifacts.
  3. Impact occurs as the malware exfiltrates harvested credentials and cryptocurrency data to attacker-controlled infrastructure for reuse in account takeover and theft.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

ClickFix works because trust in local execution paths is still a security assumption. The attack does not need privilege escalation or kernel exploitation when the victim can be coached into launching the first malicious process themselves. That means many endpoint and email controls are still tuned to the wrong failure mode. Practitioners should treat user-assisted execution as an identity event, not only as malware delivery.

Browser session data is identity material, not convenience data. Cookies, autofill records, and decrypted login stores are often enough to bypass authentication steps that teams assume still protect the account. Once a browser profile is harvested, the attacker may not need passwords at all. That is why browser security and IAM cannot be managed as separate disciplines anymore. The practical conclusion is that session theft must be governed as account compromise.

Legitimate Windows tooling now forms part of the attack surface. PowerShell and BITSAdmin are not suspicious because they exist, but because they can move payloads through approved pathways that ordinary users and defenders trust. This collapses the assumption that signed, native tools are inherently lower risk than unknown binaries. Security teams need to build policy around behaviour and lineage, not around tool legitimacy alone.

Identity blast radius grows when secrets persist inside the endpoint. This campaign shows how one infected desktop can expose browser credentials, service access, and digital wallet data in a single chain. The shared problem is not just theft, but the reuse potential of the stolen material across accounts and services. The practitioner takeaway is simple: limit where identity secrets live, because endpoint locality becomes breach locality.

Runtime trust debt accumulates when organizations over-rely on post-compromise detection. The attacker only needs one successful execution path, while defenders must catch the process chain, the staged download, the browser scraping, and the exfiltration. That asymmetry is what makes browser secret exposure so costly. Teams should assume the collection phase may complete before traditional investigation begins.

From our research:

  • From our research: When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases, according to LLMjacking: How Attackers Hijack AI Using Compromised NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
  • That same visibility gap is why browser-stolen credentials deserve identity-led response planning, and why 52 NHI Breaches Analysis remains relevant when session theft starts driving downstream account abuse.

What this signals

Browser secret theft now sits at the boundary between human identity and machine identity governance. Teams that only harden browsers for end-user safety will miss the downstream impact on service sessions, automation access, and credential reuse. The practical shift is to treat browser-exposed secrets as part of the wider identity attack surface, not as an endpoint-only problem.

With 97% of NHIs carrying excessive privileges, according to the Ultimate Guide to NHIs, any reused browser secret can become a fast escalation path rather than a contained compromise. That is why secret persistence, session scope, and privilege boundaries need to be evaluated together.

Identity blast radius: a small local theft can create outsized exposure when the same browser profile holds sessions for admin consoles, SaaS applications, and downstream tooling. Practitioners should map which accounts can be reached from a stolen workstation before they discover the answer during incident response.


For practitioners

  • Block user-assisted script execution paths Restrict PowerShell, script interpreters, and Windows Run usage on endpoints that handle privileged access or sensitive browser sessions. Add detections for obfuscated command reconstruction, hidden execution flags, and process chains starting from explorer.exe.
  • Treat browser profiles as credential stores Inventory which users and endpoints retain decrypted browser sessions, autofill data, and wallet extensions. Apply tighter hardening to admin workstations and high-risk roles so browser profiles do not become a reusable credential cache.
  • Monitor living-off-the-land downloader abuse Alert on BITSAdmin, PowerShell download-and-execute patterns, and temporary-directory binaries that appear immediately after script activity. Correlate those events with browser database access to separate harmless admin activity from active credential theft.
  • Reduce session reuse across identity planes Shorten the lifespan of browser sessions and reduce reliance on persistent cookies where privileged access is involved. The aim is to make stolen local secrets less reusable across human, NHI, and adjacent service access paths.

Key takeaways

  • ClickFix abuse turns user cooperation into initial access, which bypasses many controls built only for exploit-driven attacks.
  • Browser credentials, cookies, and wallet data make a single infected endpoint capable of producing account takeover and asset theft.
  • The most effective control shift is to treat local browser secrets and native-tool execution as identity risks that need behavioural detection and tighter persistence limits.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-01The campaign steals stored credentials and session material from browsers.
NIST CSF 2.0PR.AC-4The attack abuses access material that extends beyond initial login.
NIST Zero Trust (SP 800-207)AC-6Zero Trust depends on minimizing standing trust in endpoint-held secrets.

Reduce secret persistence on endpoints and treat browser-stored credentials as high-risk NHI material.


Key terms

  • ClickFix: A social engineering technique that convinces the victim to run a command or script themselves, often by framing it as a verification or troubleshooting step. It matters because the user becomes the delivery mechanism, allowing malware to start without a traditional exploit chain or obvious file-based warning.
  • Living-off-the-land binary: A legitimate operating system utility that attackers abuse to blend malicious activity into normal administration. BITSAdmin and PowerShell are common examples because they can download content, launch scripts, and move data while appearing native to the endpoint.
  • Browser session cookie: A small token stored by a browser that helps a service remember an authenticated session. When stolen, it can let an attacker reuse an active login state without the original password, which is why cookie theft is often a direct account takeover risk.
  • Identity blast radius: The amount of additional access an attacker can reach after stealing a single identity artifact such as a browser session, token, or cached secret. It reflects how far one compromise can spread across accounts, services, and automation paths before detection or revocation occurs.

What's in the full article

Gurucul's full blog covers the operational detail this post intentionally leaves for the source:

  • Full infection-chain walkthrough from the fake Google Meet page to SalatStealer execution and exfiltration.
  • MITRE ATT&CK mapping and indicator-of-compromise details for PowerShell abuse, BITSAdmin, and staged payload delivery.
  • Binary-level observations on browser decryption, wallet targeting, and the specific data stores SalatStealer reads.
  • Network telemetry and IOC material that implementation teams can use to tune detections and triage alerts.

👉 Gurucul's full blog covers the infection chain, MITRE mapping, and IOC details behind the fake Google Meet lure.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-20.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org