Fake CAPTCHA, signed binaries and steganography: the attack chain that operates in memory to steal data

Published · 5 min read

In recent months an infection chain has emerged that combines classic social engineering with increasingly refined evasion. Researchers at BlackPoint Cyber have documented a campaign that uses a fake CAPTCHA-style verification page to trick the user into pasting and running a command in the Windows Run dialog. What looks like a simple trick is only the first link in a sequence built to use legitimate system utilities and hide the malicious activity.

The trusted vector here is Microsoft Application Virtualization (App-V), an enterprise feature that runs packaged applications in virtualized environments without a traditional install. In this campaign the attackers abuse a legitimate script that ships with App-V, SyncAppvPublishingServer.vbs, and run it with wscript.exe, a Microsoft-signed binary, to launch PowerShell: the script builds a PowerShell command from its own argument, so an official component becomes a proxy for attacker-supplied code. This is the living-off-the-land pattern of proxying execution through trusted system binaries and scripts, catalogued in ATT&CK as System Binary Proxy Execution (T1218) and, for scripts such as this one, System Script Proxy Execution (T1216).


Before going further, the command the victim pastes is itself subject to several checks: it verifies that the action was performed by a person (not an automated sandbox), checks that the expected execution sequence was followed and even checks that the clipboard has not been altered. If it detects signs of automated analysis, execution is "frozen" in an infinite wait that burns analysis resources. Only when the attackers' conditions are met does the chain continue by downloading configuration parameters from a public Google Calendar resource: the values are base64-encoded inside a specific event.
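The calendar dead drop is easy to reproduce offline. The following is an added example in Python, not code from the page or from BlackPoint: it parses a public iCalendar feed (the format a public Google Calendar exposes), unfolds RFC 5545 line continuations, and recovers a base64-encoded configuration from an event. The feed, the events and the `key=value;key=value` layout of the decoded configuration are constructed for this example; the page does not document which event field the campaign uses or how the decoded values are structured, so those are assumptions.

```python
from __future__ import annotations

import base64
import binascii
import re
from typing import Optional

# Constructed sample feed in the shape of a public Google Calendar .ics export.
# Two events: a benign one and one whose DESCRIPTION carries a base64-encoded
# configuration. The value is folded across two physical lines the way RFC 5545
# allows (CRLF followed by a single space). Nothing here is real campaign data.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:evt-1@example.invalid\r\n"
    "SUMMARY:Weekly sync\r\n"
    "DESCRIPTION:Agenda to follow\r\n"
    "END:VEVENT\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:evt-2@example.invalid\r\n"
    "SUMMARY:Maintenance window\r\n"
    "DESCRIPTION:YzI9MTk4LjUxLjEwMC43O3Bv\r\n"
    " cnQ9ODQ0Mw==\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)


def unfold(ics: str) -> list[str]:
    """Join RFC 5545 folded lines: a line starting with SP or HTAB continues the previous one."""
    lines: list[str] = []
    for raw in ics.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def events(ics: str) -> list[dict[str, str]]:
    """Return one {PROPERTY: value} dict per VEVENT; property parameters after ';' are dropped."""
    out: list[dict[str, str]] = []
    cur: Optional[dict[str, str]] = None
    for line in unfold(ics):
        if line == "BEGIN:VEVENT":
            cur = {}
        elif line == "END:VEVENT" and cur is not None:
            out.append(cur)
            cur = None
        elif cur is not None and ":" in line:
            name, value = line.split(":", 1)
            cur[name.split(";", 1)[0].upper()] = value
    return out


_B64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def decode_dead_drop(text: str) -> Optional[dict[str, str]]:
    """If `text` is base64 of an ASCII 'k=v;k=v' string, return the pairs; otherwise None."""
    if not _B64.match(text) or len(text) % 4:
        return None
    try:
        plain = base64.b64decode(text, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    pairs = [p.split("=", 1) for p in plain.split(";") if "=" in p]
    return {k: v for k, v in pairs} or None


def extract_configs(ics: str) -> dict[str, dict[str, str]]:
    """Map event UID -> decoded configuration for every event whose DESCRIPTION is a dead drop."""
    found: dict[str, dict[str, str]] = {}
    for ev in events(ics):
        cfg = decode_dead_drop(ev.get("DESCRIPTION", ""))
        if cfg:
            found[ev.get("UID", "?")] = cfg
    return found


if __name__ == "__main__":
    print(extract_configs(SAMPLE_ICS))
```

The same parser is useful on the defensive side: run it over calendar feeds fetched by hosts that have no business reading them (visible as outbound requests to calendar.google.com from a script host), and a DESCRIPTION that decodes cleanly into `key=value` pairs is a strong sign of a dead drop rather than a meeting note.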

Sophistication increases in the following stages. The attackers launch a hidden 32-bit PowerShell process through Windows Management Instrumentation (WMI), decrypt embedded payloads and load components directly into memory. The next payload is hidden, encrypted, inside PNG images hosted on a public CDN: least-significant-bit (LSB) steganography writes the data into the pixel values, the loader fetches the images through dynamically resolved WinINet calls, reads the hidden bits back out, decrypts the result and decompresses it (GZip) to run it entirely in memory. The victim rarely sees a file on disk; everything happens in RAM.
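To make the steganography stage concrete, here is an added example in Python that is not code from the page, from BlackPoint or from the malware: it writes a gzip-compressed payload into the least significant bit of each colour sample of a synthetic cover image, serialises the result as a real PNG, and then performs the loader's side of the exchange (parse the PNG, pull the LSBs, gunzip). The cover image, the 32-bit length prefix, the payload and the restriction to 8-bit RGB with filter type 0 are assumptions made for the example; the encryption step mentioned in the text is omitted, since the page does not say which cipher is used.

```python
import gzip
import struct
import zlib

# ---- Minimal PNG writer/reader: 8-bit RGB, non-interlaced, scanline filter 0 only ----

def _chunk(kind: bytes, data: bytes) -> bytes:
    crc = zlib.crc32(kind + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + kind + data + struct.pack(">I", crc)

def png_encode(width: int, height: int, rgb: bytes) -> bytes:
    """Serialise raw RGB samples as a valid PNG file (every row uses filter type 0)."""
    assert len(rgb) == width * height * 3
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    rows = b"".join(b"\x00" + rgb[y * width * 3:(y + 1) * width * 3] for y in range(height))
    return (b"\x89PNG\r\n\x1a\n" + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(rows)) + _chunk(b"IEND", b""))

def png_decode(blob: bytes):
    """Parse the PNG subset written above; returns (width, height, bytearray of RGB samples)."""
    assert blob[:8] == b"\x89PNG\r\n\x1a\n", "not a PNG"
    pos, width, height, idat = 8, 0, 0, b""
    while pos < len(blob):
        length, kind = struct.unpack(">I4s", blob[pos:pos + 8])
        data = blob[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", blob[pos + 8 + length:pos + 12 + length])
        if crc != (zlib.crc32(kind + data) & 0xFFFFFFFF):
            raise ValueError(f"bad CRC in {kind!r} chunk")
        if kind == b"IHDR":
            width, height, depth, ctype = struct.unpack(">IIBB", data[:10])
            assert (depth, ctype) == (8, 2), "only 8-bit RGB is handled here"
        elif kind == b"IDAT":
            idat += data
        elif kind == b"IEND":
            break
        pos += 12 + length
    rows, stride, rgb = zlib.decompress(idat), width * 3 + 1, bytearray()
    for y in range(height):
        row = rows[y * stride:(y + 1) * stride]
        assert row[0] == 0, "only filter type 0 is handled here"
        rgb += row[1:]
    return width, height, rgb

# ---- LSB steganography: one payload bit per colour sample, 32-bit length prefix ----

def _bits(data: bytes):
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1

def lsb_embed(rgb: bytes, payload: bytes) -> bytearray:
    """Overwrite the least significant bit of consecutive samples with the framed payload bits."""
    framed = struct.pack(">I", len(payload)) + payload
    if len(framed) * 8 > len(rgb):
        raise ValueError("cover image too small for payload")
    out = bytearray(rgb)
    for i, bit in enumerate(_bits(framed)):
        out[i] = (out[i] & 0xFE) | bit
    return out

def lsb_extract(rgb: bytes) -> bytes:
    """Read the length prefix, then that many bytes, back out of the sample LSBs."""
    def read(start: int, nbits: int) -> int:
        value = 0
        for i in range(start, start + nbits):
            value = (value << 1) | (rgb[i] & 1)
        return value
    length = read(0, 32)
    return bytes(read(32 + 8 * k, 8) for k in range(length))

# ---- End-to-end: gzip -> LSB into a synthetic cover -> PNG, and back ----

def build_cover(width: int, height: int) -> bytes:
    """Deterministic synthetic cover image (constructed; stands in for a CDN-hosted picture)."""
    return bytes((x * 7 + y * 13 + c * 29) & 0xFF
                 for y in range(height) for x in range(width) for c in range(3))

def hide_payload(payload: bytes, width: int = 64, height: int = 64) -> bytes:
    """Attacker side: compress, embed in the cover's LSBs, serialise as PNG."""
    stego = lsb_embed(build_cover(width, height), gzip.compress(payload))
    return png_encode(width, height, bytes(stego))

def recover_payload(png_blob: bytes) -> bytes:
    """Loader side after fetching the image: decode PNG, pull LSBs, gunzip."""
    _, _, rgb = png_decode(png_blob)
    return gzip.decompress(lsb_extract(rgb))

if __name__ == "__main__":
    stage = b"constructed second-stage blob, not real malware\n" * 8
    image = hide_payload(stage)
    print(len(image), "bytes of PNG carry", len(stage), "bytes of payload")
    assert recover_payload(image) == stage
```

Two things the example makes visible: the stego image differs from the cover only in bits that no viewer will render differently, so file-level reputation and visual inspection are useless against it, and the capacity is one bit per sample, so a 64x64 RGB image carries at most 1536 bytes; a larger stage forces a larger or additional image, which is one reason to look at the size and count of images a script host pulls from a CDN.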

The final stage deobfuscates and runs native code in memory that deploys Amatera, an info-stealer which, according to BlackPoint, steals credentials and browser data and, judging by code overlap, derives from the known ACR Stealer. Amatera is sold as malware-as-a-service (MaaS) and has added evasion mechanisms with each iteration; earlier analysis by Proofpoint traces its evolution toward more sophisticated techniques.

Once active, the malware contacts a hardcoded command-and-control server to obtain a map of endpoints and then waits for further instructions or binaries delivered over HTTP POST. This behaviour keeps network detection very useful: traffic patterns, domains, and discrepancies between the HTTP Host header or TLS SNI and the destination IP address are indicators that can expose the malicious communication.

If you wonder why this campaign works despite existing protections, the answer lies in the combination of two factors: tricking a person into running a legitimate command, then using signed Windows components and public services (Google Calendar, CDNs) to host and retrieve configuration and payloads. That combination suppresses the usual malware signals and defeats identification by traditional signatures.


To reduce risk, several practical measures deserve consideration. At the administrative level, restricting the Run dialog through Group Policy (the "Remove Run menu from Start Menu" setting, which sets the NoRun registry value) prevents users from pasting and running arbitrary commands there, although the same command can be pasted into other shells, so treat it as one layer rather than a fix; and if App-V is not needed in a given environment, removing it shrinks the exploitable surface. At the detection level, enabling advanced PowerShell logging (including Script Block Logging, whose records land in event ID 4104 of the Microsoft-Windows-PowerShell/Operational log) gives visibility into commands and fragments executed in memory, and monitoring outbound connections for mismatches between the host name in the HTTP Host header or TLS SNI and the destination IP helps identify suspicious communication. Microsoft maintains useful documentation on App-V and the APIs involved; for anyone managing Windows environments, the official guides provide a reliable technical reference: the App-V documentation, WinINet and the PowerShell logging options.
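The two detection ideas the article raises (the hardcoded C2 contact with a host name that does not match the destination, and the signed-script proxy that leads to a hidden 32-bit PowerShell) can be written as rules over endpoint and network telemetry. The block below is an added example in Python, not code from the page or from BlackPoint: it runs a process rule for wscript.exe/cscript.exe invoking SyncAppvPublishingServer.vbs and for PowerShell spawned by the WMI provider host, and a network rule that compares the TLS SNI or HTTP Host against the DNS answers the same host was observed receiving. All records, field names (modelled on Sysmon event ID 1 fields), IP addresses and the DNS reference map are constructed for the example; the rule thresholds and the use of WmiPrvSE.exe as the parent that indicates a WMI-launched process are assumptions.

```python
from __future__ import annotations

import re

# Constructed process-creation records in the shape of Sysmon event ID 1 / Security
# 4688 fields. None of these are real telemetry from the campaign.
PROC_EVENTS = [
    {"image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs "n; Start-Process powershell -WindowStyle Hidden"'},
    {"image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden -Command -"},
    {"image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"wscript.exe C:\Scripts\logon.vbs"},
]

# Constructed connection records (proxy / NetFlow / TLS-inspection style) and the DNS
# answers the same host received, used as the reference for which IPs a name maps to.
NET_EVENTS = [
    {"dst_ip": "203.0.113.10", "dst_port": 443, "sni": "cdn.example.net", "http_host": None},
    {"dst_ip": "198.51.100.7", "dst_port": 8443, "sni": "www.google.com", "http_host": None},
    {"dst_ip": "198.51.100.7", "dst_port": 80, "sni": None, "http_host": "calendar.google.com"},
    {"dst_ip": "198.51.100.9", "dst_port": 443, "sni": "update.example.org", "http_host": None},
]
DNS_ANSWERS = {
    "cdn.example.net": {"203.0.113.10", "203.0.113.11"},
    "www.google.com": {"192.0.2.1"},
    "calendar.google.com": {"192.0.2.2"},
}

_SCRIPT_HOSTS = ("\\wscript.exe", "\\cscript.exe")
_APPV_SCRIPT = re.compile(r"syncappvpublishingserver\.vbs", re.IGNORECASE)


def scan_processes(events: list[dict]) -> list[dict]:
    """Return one finding per process event that matches a rule."""
    findings = []
    for ev in events:
        image, parent, cmd = ev["image"].lower(), ev["parent"].lower(), ev["cmdline"]
        if image.endswith(_SCRIPT_HOSTS) and _APPV_SCRIPT.search(cmd):
            # Signed script host running the App-V publishing script: T1216-style proxy execution.
            findings.append({"rule": "appv_script_proxy", "cmdline": cmd})
        elif image.endswith("\\powershell.exe") and parent.endswith("\\wmiprvse.exe"):
            # PowerShell created through WMI; hidden window or WOW64 path raises the signal.
            lowered = cmd.lower()
            hidden = "-windowstyle hidden" in lowered or "-w hidden" in lowered
            wow64 = "\\syswow64\\" in image
            if hidden or wow64:
                findings.append({"rule": "wmi_spawned_hidden_powershell", "cmdline": cmd, "32bit": wow64})
    return findings


def host_ip_mismatch(ev: dict, dns: dict[str, set[str]]) -> str | None:
    """Explain why the SNI/Host of a connection disagrees with DNS, or return None if it agrees."""
    name = ev["sni"] or ev["http_host"]
    if not name:
        return None
    seen = dns.get(name)
    if seen is None:
        return f"{name} was never resolved on this host but was used for {ev['dst_ip']}"
    if ev["dst_ip"] not in seen:
        return f"{name} resolves to {sorted(seen)} but traffic went to {ev['dst_ip']}"
    return None


def scan_network(events: list[dict], dns: dict[str, set[str]]) -> list[dict]:
    """Return one finding per connection whose claimed host name does not match its destination."""
    findings = []
    for ev in events:
        why = host_ip_mismatch(ev, dns)
        if why:
            findings.append({"rule": "host_ip_mismatch", "dst": f"{ev['dst_ip']}:{ev['dst_port']}", "why": why})
    return findings


if __name__ == "__main__":
    for f in scan_processes(PROC_EVENTS) + scan_network(NET_EVENTS, DNS_ANSWERS):
        print(f)
```

The "never resolved" branch of `host_ip_mismatch` is the noisy one: it also fires when DNS logging is incomplete or when the host uses DNS over HTTPS that the collector does not see, so in production it belongs at a lower severity than the "resolved to a different address" branch, which directly matches the hardcoded-C2-with-fake-SNI pattern the article describes.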

Not everything is technical configuration: user education remains key. Distrust of pages that simulate browser problems or human verification and ask for unusual actions, such as pasting a command into Run, is a simple and very effective defence. Organizations should combine training, platform controls and network telemetry to address attack chains that depend on both human manipulation and the abuse of legitimate components.

The campaign described by BlackPoint is a reminder that adversaries keep adapting their methods: they mix social engineering with signed artifacts and techniques such as steganography to shrink their footprint. Keeping systems up to date, minimizing non-essential components and enabling adequate logging and monitoring are practical steps that substantially raise the cost of success for whoever designs these infection chains. For more technical details and the mitigations proposed by the researchers, see BlackPoint's analysis on its blog and Proofpoint's report on the evolution of Amatera: BlackPoint Cyber and Proofpoint.
