New ClickFix campaign abuses Microsoft App-V to deliver Amatera infostealer

A new malicious campaign has been observed that combines the ClickFix social-engineering technique with fake CAPTCHA pages and a signed Microsoft Application Virtualization (App-V) script to distribute the Amatera infostealing malware.

The campaign abuses a legitimate Microsoft script (SyncAppvPublishingServer.vbs), which is executed via the trusted wscript.exe binary.

According to researchers at BlackPoint Cyber, the attack begins with a fake CAPTCHA verification that instructs victims to manually paste and run a command using the Windows Run dialog. The command includes checks to confirm human execution, validate the execution sequence, and ensure clipboard integrity, preventing the malware loader from running in sandboxed or automated analysis environments. If analysis is detected, execution stalls indefinitely to waste defender resources.

The malware then retrieves base64-encoded configuration data from a public Google Calendar event. The following stages spawn a hidden 32-bit PowerShell process via Windows Management Instrumentation (WMI), decrypting and loading multiple payloads directly into memory. Later, encrypted PowerShell payloads are concealed within PNG images hosted on public CDNs using LSB steganography, then extracted, decrypted, decompressed, and executed in memory.

The final stage deploys native shellcode that launches the Amatera infostealer, which BlackPoint Cyber describes as a standard credential- and browser-data-stealing malware. Code similarities indicate Amatera is based on the ACR infostealer and is actively developed and sold as malware-as-a-service (MaaS).
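The execution chain described above (a Windows script host running SyncAppvPublishingServer.vbs, then a hidden 32-bit PowerShell process spawned through WMI) leaves a recognisable trail in process-creation telemetry. The following is an added detection example, not code from the article or from Blackpoint Cyber: it runs three heuristics over constructed Sysmon-style process events (the field names `image`, `command_line`, `parent_image` and every sample path and argument below are assumptions, not indicators from the campaign). Note that the App-V client itself invokes SyncAppvPublishingServer.vbs during a normal publishing refresh, so the first rule should be baselined against hosts where App-V is actually deployed rather than alerted on blindly.

```python
"""Heuristics for the App-V script host / WMI-spawned PowerShell chain.

Added example; not part of the original article. All sample events are
constructed and carry no real indicators of compromise.
"""
import ntpath
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (Sysmon Event ID 1-style fields)."""
    image: str          # full path of the new process
    command_line: str   # command line of the new process
    parent_image: str   # full path of the parent process


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Constructed sample telemetry (hypothetical paths and arguments).
SAMPLE_EVENTS = [
    ProcessEvent(
        r"C:\Windows\System32\notepad.exe",
        "notepad.exe",
        r"C:\Windows\explorer.exe",
    ),
    ProcessEvent(
        r"C:\Windows\System32\wscript.exe",
        r'wscript.exe //B C:\Windows\System32\SyncAppvPublishingServer.vbs "CONSTRUCTED_ARGUMENT_PLACEHOLDER"',
        r"C:\Windows\explorer.exe",
    ),
    ProcessEvent(
        r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        "powershell.exe -NoP -W Hidden -EncodedCommand PLACEHOLDER",
        r"C:\Windows\System32\wbem\WmiPrvSE.exe",
    ),
    ProcessEvent(
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1",
        r"C:\Windows\explorer.exe",
    ),
]


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def _hidden_window_requested(command_line: str) -> bool:
    """True when the command line carries -WindowStyle Hidden.

    PowerShell accepts any unambiguous prefix of the switch (-w, -win, ...),
    so the check is done on tokens rather than on a fixed string.
    """
    try:
        tokens = shlex.split(command_line, posix=False)
    except ValueError:
        tokens = command_line.split()
    lowered = [t.lower() for t in tokens]
    for i, tok in enumerate(lowered[:-1]):
        is_prefix = tok.startswith("-") and len(tok) >= 2 and "windowstyle".startswith(tok[1:])
        if is_prefix and lowered[i + 1] == "hidden":
            return True
    return False


def flag_event(ev: ProcessEvent) -> list[str]:
    """Return the names of every heuristic the event trips (empty if none)."""
    findings = []
    image = _name(ev.image)
    parent = _name(ev.parent_image)
    cmd = ev.command_line.lower()

    # Rule 1: script host running the App-V publishing script (baseline on App-V hosts).
    if image in SCRIPT_HOSTS and "syncappvpublishingserver.vbs" in cmd:
        findings.append("appv-publishing-script-via-script-host")

    if image in POWERSHELL:
        # Rule 2: 32-bit PowerShell started by the WMI provider host.
        if "\\syswow64\\" in ev.image.lower() and parent == "wmiprvse.exe":
            findings.append("wmi-spawned-32bit-powershell")
        # Rule 3: PowerShell explicitly asked for a hidden window.
        if _hidden_window_requested(ev.command_line):
            findings.append("hidden-window-powershell")
    return findings


def scan(events: list[ProcessEvent]) -> dict[int, list[str]]:
    """Map event index -> findings for every event that tripped at least one rule."""
    return {i: f for i, ev in enumerate(events) if (f := flag_event(ev))}


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(hits)}")
```

Rules 1 and 2 are the ones worth correlating: a script host launching the App-V script from an interactive parent such as explorer.exe (where a Run-dialog paste would originate) followed shortly by a WmiPrvSE.exe child PowerShell on the same host is a much stronger signal than either event alone.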