Researchers at BlackPoint Cyber have documented a technically sophisticated malware campaign that combines ClickFix social engineering, a fake CAPTCHA page and abuse of Microsoft Application Virtualization (App‑V) to deliver the Amatera infostealer. The operation exemplifies a “living off the land” approach, in which attackers rely on trusted system components and popular cloud services to evade traditional security controls.
ClickFix social engineering evolves with fake CAPTCHA prompts
ClickFix attacks are based on coercing the victim into manually executing a malicious command. Historically, users were redirected to webpages showing a fake error screen, a bogus browser crash or a pseudo‑BSOD, then instructed to copy a provided PowerShell command and run it. Because the user initiates the command, many legacy intrusion prevention systems struggle to classify the activity as malicious.
In the newly observed variant, the social engineering layer is masked as a fraudulent CAPTCHA verification. Instead of checking a box or selecting images, the user is told that “for additional verification” they must copy a string and run it via the Windows Run dialog (Win+R). This framing increases perceived legitimacy and can lower suspicion even among relatively security‑aware users. Although ClickFix is commonly associated with Windows, earlier campaigns have demonstrated that similar techniques can be adapted for macOS and Linux, underscoring the portability of the underlying social engineering model.
Abusing Microsoft App‑V and wscript.exe as trusted LOLBins
The command the victim copies leverages the legitimate script SyncAppvPublishingServer.vbs, a component of Microsoft App‑V used to publish and manage virtualized enterprise applications. The script is executed through the trusted Windows script host wscript.exe, which in turn launches a chain of PowerShell commands. By chaining together these living‑off‑the‑land binaries (LOLBins), the attackers blend malicious behavior into normal administrative operations and complicate detection and event correlation.
Early in the execution chain, the malware performs several environment and behavior checks. It validates that the command was started interactively by a user, inspects the clipboard contents and enforces an expected sequence of actions. If signs of sandboxing, automated analysis or tampering are detected, the script moves into an infinite wait state, effectively neutralizing many dynamic analysis systems. Such anti‑sandbox and anti‑analysis techniques are increasingly common in modern intrusion campaigns.
Google Calendar as a covert configuration channel and hidden PowerShell via WMI
Instead of retrieving configuration data from a conventional command‑and‑control (C2) server, the malware pulls its parameters from a public Google Calendar. One calendar event stores base64‑encoded values containing key configuration items for subsequent stages. Using a mainstream cloud service allows the attackers to hide within legitimate HTTPS traffic, making it harder for network filters to block communication without causing collateral damage.
In later stages, the operators create a hidden 32‑bit PowerShell process via Windows Management Instrumentation (WMI). This process loads several embedded payloads directly into memory, without writing conventional executables to disk. This fileless malware model significantly reduces the effectiveness of signature‑based antivirus engines and shifts the defensive focus towards behavioral analytics and script activity monitoring.
PNG steganography and in‑memory deployment of Amatera infostealer
The infection chain then transitions to steganography. An encrypted PowerShell payload is hidden inside PNG images hosted on public content delivery networks (CDNs). The malware retrieves these images using the standard Windows WinINet API, causing the traffic to resemble normal HTTP image downloads and further complicating detection.
Data extraction from the images relies on Least Significant Bit (LSB) steganography, a method that modifies the least significant bits of pixel data to embed hidden content. Once extracted, the payload is decrypted, decompressed via GZip and executed entirely in memory. In the final stage, PowerShell decrypts and runs custom shellcode that installs the Amatera infostealer on the victim system.
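The extraction step described above, as an added analyst-side illustration (this is not BlackPoint's code and not the malware's): a constructed carrier of raw pixel bytes has a GZip-compressed marker string written into its least significant bits, and the recovery path reads the bits back and decompresses them. The decryption step the chain performs is omitted because the page gives no key or cipher, and the carrier is a constructed byte array rather than a real PNG, so no image library is needed. The point for defenders is visible in the final check: every carrier byte differs from the original by at most one, so the image's appearance, size and file type are unchanged and a signature on the PNG itself has nothing to match; detection has to fall on the script that fetches and decodes it.

```python
"""LSB steganography recovery for analyst triage (added example, constructed data).

Assumptions: the payload is framed with a 4-byte big-endian length header and
stored one bit per carrier byte, MSB first. Real samples may frame differently.
"""
import gzip
import random

HEADER_BYTES = 4


def lsb_embed(pixels: bytes, payload: bytes) -> bytearray:
    """Write payload bits into the least significant bit of each carrier byte.
    Present only to construct a test carrier for the recovery code below."""
    framed = len(payload).to_bytes(HEADER_BYTES, "big") + payload
    if len(framed) * 8 > len(pixels):
        raise ValueError("carrier too small for payload")
    out = bytearray(pixels)
    i = 0
    for byte in framed:
        for shift in range(7, -1, -1):
            out[i] = (out[i] & 0xFE) | ((byte >> shift) & 1)
            i += 1
    return out


def lsb_extract(pixels: bytes) -> bytes:
    """Read the length header, then that many bytes, from the carrier's LSBs."""
    def read_bytes(start_bit: int, count: int) -> bytes:
        buf = bytearray()
        for k in range(count):
            value = 0
            for b in range(8):
                value = (value << 1) | (pixels[start_bit + k * 8 + b] & 1)
            buf.append(value)
        return bytes(buf)

    length = int.from_bytes(read_bytes(0, HEADER_BYTES), "big")
    if (HEADER_BYTES + length) * 8 > len(pixels):
        raise ValueError("declared payload length exceeds carrier")
    return read_bytes(HEADER_BYTES * 8, length)


def recover_payload(pixels: bytes) -> bytes:
    """Extract the hidden bytes and GZip-decompress them, as the chain does
    (minus the decryption step, which the page does not detail)."""
    return gzip.decompress(lsb_extract(pixels))


def max_channel_delta(original: bytes, modified: bytes) -> int:
    """Largest per-byte change the embedding introduced."""
    return max(abs(a - b) for a, b in zip(original, modified))


def build_demo():
    """Constructed carrier and marker payload; nothing here is from a real sample."""
    rng = random.Random(7)
    carrier = bytes(rng.randrange(256) for _ in range(4096))  # constructed 'pixel' bytes
    payload = b"constructed benign marker text, not a real payload"
    stego = lsb_embed(carrier, gzip.compress(payload))
    return carrier, stego, payload


if __name__ == "__main__":
    carrier, stego, payload = build_demo()
    print("recovered:", recover_payload(stego).decode())
    print("max per-byte change:", max_channel_delta(carrier, stego))
```

Run stand-alone it prints the recovered marker and a maximum per-byte change of 1, which is exactly why the carrier files look benign to file-based scanners.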
After deployment, Amatera connects to a hard‑coded IP address, retrieves a mapping of available endpoints and waits for additional binary modules delivered via HTTP POST requests. This modular architecture gives operators flexibility to load only the capabilities they need for a particular victim, supporting stealth and post‑exploitation agility.
Amatera as malware‑as‑a‑service and its threat profile
According to multiple security vendors, including Proofpoint, Amatera is a classic infostealer derived from the codebase of the ACR stealer and distributed under a malware‑as‑a‑service (MaaS) model. Its primary focus is theft of browser data, credentials and other sensitive artifacts that can be monetized in underground markets. The MaaS business model lowers the barrier to entry for cybercriminals by offering pre‑built infrastructure, management panels and technical support, accelerating the spread and evolution of tools like Amatera.
Key risks and practical defense strategies for organizations
The risk in this campaign stems from the convergence of several elements: social engineering that relies on user interaction, abuse of legitimate Windows components (App‑V, wscript.exe, WMI, PowerShell), use of cloud services and CDNs for configuration and delivery, plus steganography and fileless execution. Industry studies, such as the Verizon Data Breach Investigations Report, consistently show that the human element and social engineering play a role in the majority of breaches, making tactics like ClickFix particularly relevant for organizations of all sizes.
Recommended mitigations include: tightening PowerShell security policies (for example, using Constrained Language Mode and enabling Script Block Logging); monitoring and restricting use of App‑V scripts and wscript.exe; implementing WMI activity monitoring with alerts on hidden or unusual PowerShell processes; and enhancing network traffic filtering with attention to atypical use of cloud services such as public calendars and unusual CDN access patterns. Equally important is ongoing security awareness training to help users recognize fake CAPTCHA pages, bogus error messages and any instructions that ask them to manually run unfamiliar commands.
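The process-monitoring recommendations above can be expressed as simple parent/child rules. The following is an added example, not code from BlackPoint Cyber or any vendor product: it runs three rules over constructed process-creation events shaped like Sysmon Event ID 1 records (parent image, image, command line) and flags the chain described earlier in the article, namely wscript.exe running SyncAppvPublishingServer.vbs from an interactive parent, a script host spawning PowerShell, and WMI spawning a hidden 32-bit PowerShell. The arguments passed to the script and to PowerShell are placeholders; the rules deliberately key on the process relationships, not on attacker-specific strings. Two benign events (a logon script launched by userinit.exe and an administrator's console PowerShell) show that the rules do not fire on ordinary wscript.exe or PowerShell use.

```python
"""Process-creation rules for the App-V / WSH / WMI / PowerShell chain.

Added example with constructed telemetry; field names and paths are
illustrative and the command-line arguments are placeholders.
"""
import ntpath
import re

# Constructed sample events (not captured from a real incident).
SAMPLE_EVENTS = [
    {"id": 1, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs "<placeholder argument>"'},
    {"id": 2, "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -NoProfile -Command "<placeholder>"'},
    {"id": 3, "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -WindowStyle Hidden -NoProfile -Command "<placeholder>"'},
    # Benign: domain logon script started by userinit.exe, no App-V script involved.
    {"id": 4, "parent": r"C:\Windows\System32\userinit.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe \\corp.example\netlogon\logon.vbs"},
    # Benign: an administrator opening PowerShell from the desktop.
    {"id": 5, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# -WindowStyle accepts unambiguous prefixes (-w, -win, ...), hence the loose match.
HIDDEN_WINDOW = re.compile(r"-w[a-z]*\s+hidden", re.IGNORECASE)


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def rule_appv_script_via_script_host(ev):
    """App-V publishing script executed through Windows Script Host."""
    if basename(ev["image"]) not in SCRIPT_HOSTS:
        return None
    if "syncappvpublishingserver.vbs" not in ev["cmdline"].lower():
        return None
    parent = basename(ev["parent"])
    # explorer.exe as parent is what a Run-dialog (Win+R) launch looks like.
    origin = "interactive (explorer.exe)" if parent == "explorer.exe" else parent
    return f"App-V publishing script run via {basename(ev['image'])} from {origin} parent"


def rule_script_host_spawns_powershell(ev):
    """Script host handing off to PowerShell, the next link in the chain."""
    if basename(ev["parent"]) in SCRIPT_HOSTS and basename(ev["image"]) in POWERSHELL:
        return "Windows Script Host spawned PowerShell"
    return None


def rule_wmi_spawned_powershell(ev):
    """PowerShell created by the WMI provider host; hidden window and the
    32-bit (SysWOW64) image are reported as aggravating details."""
    if basename(ev["parent"]) != "wmiprvse.exe":
        return None
    if basename(ev["image"]) not in POWERSHELL:
        return None
    bits = "32-bit" if "\\syswow64\\" in ev["image"].lower() else "64-bit"
    hidden = "hidden " if HIDDEN_WINDOW.search(ev["cmdline"]) else ""
    return f"WMI-spawned {hidden}{bits} PowerShell"


RULES = (rule_appv_script_via_script_host,
         rule_script_host_spawns_powershell,
         rule_wmi_spawned_powershell)


def analyze(events):
    """Return (event id, finding) pairs for every rule that fires."""
    hits = []
    for ev in events:
        for rule in RULES:
            finding = rule(ev)
            if finding:
                hits.append((ev["id"], finding))
    return hits


if __name__ == "__main__":
    for event_id, finding in analyze(SAMPLE_EVENTS):
        print(f"event {event_id}: {finding}")
```

In a real deployment these rules would read Sysmon or EDR process telemetry rather than the inline list, and PowerShell Script Block Logging (Event ID 4104) would supply the decoded script content for the events the third rule flags.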
The emergence of this advanced ClickFix variant, which combines App‑V abuse, fileless techniques and PNG steganography to deliver Amatera, illustrates how rapidly malware delivery methods are evolving. Organizations benefit from shifting away from purely signature‑based defenses towards behavior‑driven monitoring, strict control of scripting environments and continuous user education. Reducing the likelihood that an employee will copy and execute an attacker‑supplied command directly undermines the core premise of ClickFix and significantly raises the cost of successful compromise for adversaries.