Researchers specializing in cybersecurity have identified a new stealthy malware campaign that uses fake CAPTCHA pages to deliver Amatera Stealer (an information theft malware) that targets enterprise Windows computers via a signed Microsoft App-V script.
This is different from traditional ClickFix attacks because they execute Powershell directly, but rather they do so indirectly through a fake CAPTCHA challenge asking customers to paste a command into Windows Run command. However, rather than executing the command with the built-in powershell.exe program, the command calls SyncAppvPublishingServer.vbs, which is a legitimate and digitally signed Microsoft App-V script, and (by virtue of using a well-known and trusted component) allows them to “live off the land”, circumventing typical detection rules for Powershell and blending malicious activities in with general user/system activity. When executed, the script runs wscript.exe which, in turn, pulls an in-memory loader down from an external server.
The loader performs anti-sandbox checks before pulling configuration data from a public Google Calendar (ICS) file, turning a trusted third-party service into a dead-drop resolver.
The subsequent PowerShell processes will be downloaded and run in memory, with the first step being to download a PNG image from the attacker's domain that contains a compressed and encrypted PowerShell payload. After decryption and decompression, the final shellcode loader executes Amatera Stealer.
This approach is especially notable because App-V exists only on Enterprise and Education editions of Windows, meaning the campaign is clearly aimed at managed corporate environments. Systems without App-V simply fail to execute the payload.
Researchers note that abusing SyncAppvPublishingServer.vbs is not new, it has previously been used by groups like DarkHotel and BlueNoroff, but this is the first time it has been observed as part of ClickFix-style attacks.
Because the attack chain uses valid user actions and trusted system binaries (operating systems, software etc.) that are very difficult for EDR solutions to discriminate between bad (or malicious) activity and normal operational activity, it will be difficult for security to detect and stop attacks like this.
As ClickFix evolves further, developing multiple variants (e.g., JackFix, CrashFix, and GlitchFix), the latest campaign showcases an increased trend toward Living Off the Web, where attackers abuse established trust through the use of well-known verification workflows, signed binaries, and popular cloud services rather than using an overtly malicious infrastructure.
Source: The Hacker News