Cybercriminals are now combining fake CAPTCHA prompts with signed Microsoft App-V scripts to bypass security and install the Amatera infostealer. This method uses a trusted Windows component to proxy malicious PowerShell commands, marking the first time this specific living-off-the-land technique has been seen in ClickFix campaigns.
The infection process starts when a user encounters a fraudulent human verification check that tricks them into copying and pasting a command directly into the Windows Run dialog. This command targets a legitimate script called SyncAppvPublishingServer.vbs, which is a standard part of the Microsoft Application Virtualization feature used by enterprises to manage virtual software. Because this script is digitally signed by Microsoft and executed via the trusted wscript.exe utility, it often evades detection by traditional antivirus software that views the activity as a routine system process.
Once the script is initiated, it launches a PowerShell instance designed to perform several environment checks before proceeding with the payload. The malware verifies that the command was entered manually and that the clipboard content has not been altered, which helps it distinguish between a real human victim and an automated security sandbox. If the script detects that it is being analyzed in a research environment, it is programmed to enter an infinite wait state, effectively stalling the execution to exhaust the resources of automated detection tools.
If the environment is deemed safe for the malware, the script reaches out to a public Google Calendar to retrieve its next set of instructions. The attackers hide configuration data within a specific calendar event using base64 encoding, allowing the malware to pull down necessary parameters from a legitimate, high-reputation domain. This technique further masks the malicious traffic, as connections to Google services are rarely flagged as suspicious by network monitoring tools.
In the final phase of the attack, the script uses the Windows Management Instrumentation framework to spawn a hidden 32-bit PowerShell process. This process is responsible for decrypting multiple embedded payloads and loading them directly into the computer's memory. By executing the Amatera infostealer in memory rather than saving files to the hard drive, the attackers minimize their physical footprint and make it significantly harder for forensic investigators to recover the malicious code.
The emergence of this campaign highlights a sophisticated shift in how social engineering is paired with built-in Windows features to facilitate data theft. While Microsoft App-V has been used for evasion in the past, its integration into the ClickFix ecosystem shows that threat actors are continuously refining their delivery methods. Organizations are encouraged to monitor for unusual executions of system scripts and educate users on the dangers of pasting unverified commands into the Windows Run box.
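To make the monitoring advice above concrete, here is an added example written for this page (not code from the source article or any product): a small Python detector run over constructed process-creation records, flagging the three stages the article describes, the App-V script launched under explorer.exe (the Run dialog), PowerShell spawned by that script host, and a hidden 32-bit PowerShell under WmiPrvSE.exe. The record shape, the sample events and the placeholder arguments are assumptions, and the legitimate scheduled refresh is included so the rules can be checked against it.

```python
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
APPV_SCRIPT = "syncappvpublishingserver.vbs"

# Constructed process-creation records in a simplified Sysmon Event ID 1 shape (pid, ppid,
# image, command line). Sample data only, not campaign telemetry; script arguments are placeholders.
SAMPLE_EVENTS = [
    {"pid": 7, "ppid": 1, "image": r"C:\Windows\System32\svchost.exe", "cmd": "svchost.exe -k netsvcs -s Schedule"},
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    # Run-dialog launch of the App-V script: explorer.exe is the parent.
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r"wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs <placeholder-argument>"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -NoProfile -Command <placeholder>"},
    {"pid": 400, "ppid": 1, "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "cmd": "WmiPrvSE.exe"},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -w hidden -NoProfile -Command <placeholder>"},
    # Benign: scheduled App-V publishing refresh, parented by the Task Scheduler service host.
    {"pid": 600, "ppid": 7, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r"wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs"},
    {"pid": 700, "ppid": 600, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -NoProfile -Command Sync-AppvPublishingServer"},
]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (rule, pid) pairs for events matching the ClickFix / App-V chain described above."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        img, cmd = basename(e["image"]), e["cmd"].lower()
        parent = by_pid.get(e["ppid"])
        pimg = basename(parent["image"]) if parent else ""
        grandparent = by_pid.get(parent["ppid"]) if parent else None
        gpimg = basename(grandparent["image"]) if grandparent else ""
        # Rule 1: App-V publishing script started under explorer.exe (interactive, e.g. the Run dialog).
        # Assumption: the legitimate refresh is started by the Task Scheduler, not from a user shell.
        if img in SCRIPT_HOSTS and APPV_SCRIPT in cmd and pimg == "explorer.exe":
            findings.append(("appv_script_interactive_launch", e["pid"]))
        # Rule 2: PowerShell whose parent is the script host running that script, with explorer.exe above it.
        if img in POWERSHELL and pimg in SCRIPT_HOSTS and APPV_SCRIPT in parent["cmd"].lower() and gpimg == "explorer.exe":
            findings.append(("powershell_via_appv_script_chain", e["pid"]))
        # Rule 3: WMI provider host spawning a 32-bit (SysWOW64) PowerShell with a hidden window;
        # -w, -win and -windowstyle are all accepted abbreviations of -WindowStyle.
        if (img in POWERSHELL and pimg == "wmiprvse.exe" and "\\syswow64\\" in e["image"].lower()
                and re.search(r"-w[a-z]*\s+hidden", cmd)):
            findings.append(("wmi_spawned_hidden_wow64_powershell", e["pid"]))
    return findings
```

Running `detect(SAMPLE_EVENTS)` flags pids 200, 300 and 500 and leaves the scheduled refresh (600, 700) alone; in practice the records would come from Sysmon or EDR process-creation telemetry rather than an inline list.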
Source: New ClickFix Attacks Abuse Windows App V Scripts To Deliver Malware

Excellent writeup on this ClickFix variant. The abuse of digitally signed App-V scripts to proxy PowerShell is clever since most EDR tools whitelist Microsoft-signed binaries by default. The Google Calendar C2 mechanism is especially interesting because it blends into normal enterprise traffic patterns. I've noticed similar LOTL tactics in recent campaigns where attackers leverage WMI or scheduled tasks instead of dropping new executables, and this App-V approach fits that same evasion playbook.