DEV Community

Mark0

New ClickFix attacks abuse Windows App-V scripts to push malware

A new sophisticated ClickFix campaign has been identified using fake CAPTCHA prompts to trick users into executing malicious commands via the Windows Run dialog. This attack pattern stands out by leveraging Microsoft Application Virtualization (App-V) scripts, specifically the legitimate SyncAppvPublishingServer.vbs, to proxy the execution of PowerShell. This "living-off-the-land" technique allows the malware to bypass traditional security detections by operating through trusted Microsoft components.

The infection chain is highly evasive, incorporating environment checks to detect sandboxes and stalling execution if an analysis environment is found. It retrieves configuration data from public Google Calendar events and uses steganography to hide encrypted payloads within PNG images hosted on public CDNs. The final stage involves the deployment of the Amatera infostealer, a rebranded version of ACR Stealer, which is designed to exfiltrate browser data and credentials from the infected system.
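The proxy-execution step above (a user-typed Run dialog command that launches the legitimate SyncAppvPublishingServer.vbs so that it hands its argument to PowerShell) is the part a defender can see in process-creation telemetry. The following is an added detection example, not code from the original post or from any vendor; it scores constructed process-creation events (Sysmon-style image / command line / parent image) and flags the App-V script when it carries a non-trivial argument or is launched from an interactive shell. The assumptions are labelled in the comments: that Run-dialog launches appear with explorer.exe as the parent, and that a routine publishing sync passes no scripting constructs in its argument.

```python
"""Flag suspicious SyncAppvPublishingServer.vbs launches in process-creation logs.

Added example (not from the original post). Field names, sample events and the
heuristics below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

APPV_SCRIPT = "syncappvpublishingserver.vbs"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Assumption: a command typed into the Run dialog is spawned by explorer.exe.
INTERACTIVE_PARENTS = {"explorer.exe"}

# Assumption: a normal publishing sync carries no statement separators, pipes,
# cmdlets or URLs in the argument handed to the script. Any of these in the
# argument suggests the script is being used to proxy PowerShell.
SUSPICIOUS_ARG_PATTERNS = [
    re.compile(r"[;|]"),                       # statement separator / pipe
    re.compile(r"\bnew-object\b", re.I),        # object instantiation
    re.compile(r"\biex\b|invoke-expression", re.I),
    re.compile(r"downloadstring|invoke-webrequest|\biwr\b", re.I),
    re.compile(r"https?://", re.I),             # remote content reference
]


@dataclass
class ProcessEvent:
    image: str          # path of the created process
    command_line: str   # full command line
    parent_image: str   # path of the parent process


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def extract_script_args(command_line: str) -> str:
    """Return the text following the App-V script name, or None if absent."""
    idx = command_line.lower().find(APPV_SCRIPT)
    if idx < 0:
        return None
    rest = command_line[idx + len(APPV_SCRIPT):]
    # Strip surrounding whitespace and the quotes that usually wrap the argument.
    return rest.strip().strip('"').strip()


def assess(event: ProcessEvent) -> List[str]:
    """Return the list of reasons an event looks like App-V script proxying."""
    reasons: List[str] = []
    args = extract_script_args(event.command_line)
    if args is None:
        return reasons                      # not an App-V script launch at all
    if basename(event.image) not in SCRIPT_HOSTS:
        reasons.append("App-V script referenced outside a script host")
    if basename(event.parent_image) in INTERACTIVE_PARENTS:
        reasons.append("launched from an interactive shell (Run dialog / explorer)")
    for pat in SUSPICIOUS_ARG_PATTERNS:
        if pat.search(args):
            reasons.append(f"script argument matches {pat.pattern!r}")
    return reasons


def scan(events: List[ProcessEvent]) -> List[Tuple[ProcessEvent, List[str]]]:
    """Return (event, reasons) for every event that produced at least one reason."""
    hits = []
    for ev in events:
        reasons = assess(ev)
        if reasons:
            hits.append((ev, reasons))
    return hits


# Constructed sample telemetry: one routine sync, one unrelated process, and
# one interactive launch carrying a statement separator in the argument.
SAMPLE_EVENTS = [
    ProcessEvent(
        image=r"C:\Windows\System32\wscript.exe",
        command_line=r"wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs",
        parent_image=r"C:\Windows\System32\svchost.exe",   # assumed scheduled-task parent
    ),
    ProcessEvent(
        image=r"C:\Windows\System32\notepad.exe",
        command_line="notepad.exe",
        parent_image=r"C:\Windows\explorer.exe",
    ),
    ProcessEvent(
        image=r"C:\Windows\System32\wscript.exe",
        command_line=(r'wscript.exe "C:\Windows\System32\SyncAppvPublishingServer.vbs" '
                      r'"constructed-sample; Write-Output test"'),
        parent_image=r"C:\Windows\explorer.exe",
    ),
]

if __name__ == "__main__":
    for ev, reasons in scan(SAMPLE_EVENTS):
        print(ev.command_line)
        for r in reasons:
            print("  -", r)
```

Run against real telemetry, the interesting fields are the same three: a script host whose command line names SyncAppvPublishingServer.vbs, the parent that launched it, and whatever trails the script name. Tuning the argument patterns against a baseline of the environment's own App-V publishing activity keeps the rule from firing on legitimate syncs.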

