Reinvented ClickFix: False CAPTCHA, signed App-V and execution in memory of the Amatera stealer


Cybersecurity researchers have brought to light an attack chain that combines an old acquaintance of web deception, ClickFix-style fake CAPTCHAs, with a less expected maneuver: the abuse of a Microsoft-signed script belonging to App-V to hide malicious execution. The result is a carefully engineered sequence that ends up downloading an information stealer called Amatera, and which poses serious challenges to traditional defenses.

The key lever in this campaign is not a suspicious executable, but a legitimate system component. Instead of directly invoking PowerShell, attackers induce the victim to execute a command that launches SyncAppvPublishingServer.vbs, a signed script associated with Microsoft Application Virtualization (App-V). By relying on a trusted tool, the threat is camouflaged under the umbrella of the legitimate and complicates detection by solutions that prioritize the reputation of processes. To understand what App-V is and why it matters, Microsoft maintains the official documentation explaining this technology: App-V in Microsoft documentation.


The initial vector is the already familiar fake CAPTCHA trick: the user lands on a page that appears to request a verification and receives instructions, usually in a video or dialog, to copy and paste a command into the Windows Run dialog. What is new in this campaign is that the command does not call PowerShell directly; it abuses SyncAppvPublishingServer.vbs to launch a loader in memory via wscript.exe, which serves as a signed proxy that lends legitimacy to the subsequent execution. This technique of using legitimate system binaries to run malicious code is what the community calls living-off-the-land; MITRE's ATT&CK framework documents this type of abuse, including the variant that uses SyncAppvPublishingServer.vbs: MITRE ATT&CK - abuse of SyncAppvPublishingServer.vbs.

That the vector relies on App-V is not a minor detail: this technology is present only in the Enterprise and Education editions of Windows 10/11 and in modern versions of Windows Server. On Home or Pro systems where App-V does not exist or is not enabled, the chain breaks, suggesting that attackers have focused their efforts on corporate and managed environments.

Once the loader has been executed, the authors perform checks to evade sandboxes and automated analysis environments, and then download their configuration from an unexpected resource: a public calendar file hosted in Google Calendar. By outsourcing control parameters to a legitimate, public service, the attacker can rotate infrastructure and change coordinates without rewriting the earlier stages of the attack. This use of calendars as configuration repositories is an example of what the industry calls a dead drop resolver, a method also included in the techniques listed by MITRE: Dead Drop Resolver (T1102.001).

The calendar then points to additional payloads: an intermediate PowerShell script that, executed in memory, retrieves a PNG image from CDN services such as jsDelivr or from domains that act as a facade. Hidden within that image, encrypted and compressed, is the next PowerShell payload. Decompression and decryption are performed in memory, and finally the code that loads a shellcode designed to deploy Amatera is invoked. This mode of operation, where everything happens in memory without leaving a suspicious binary on disk, greatly complicates analysis and evidence capture by traditional detection.

Far from being an isolated trick, this chain fits into a wider evolution of ClickFix campaigns. In recent months, variants have proliferated under names such as JackFix or CrashFix, and panels and services have emerged that market the technique as a product: operators sell ClickFix kits in forums for considerable sums, making it easier for actors with less technical skill to launch successful campaigns. In parallel, distribution platforms built specifically for this type of deception have appeared, such as ErrTraffic, which introduces a GlitchFix approach that visually corrupts pages and convinces the user that "fixing" the problem requires running a command.

Security firm researchers have been documenting these developments. Blackpoint described the chain that culminates in Amatera and highlighted the precise orchestration between stages; the technical write-up is available on its blog: Blackpoint - false CAPTCHA chain that delivers Amatera. Other analyses tracking ClickFix campaigns aimed at social media content creators, with a fake verification process and session token theft, have been published by Hunt.io and by response teams at companies such as Palo Alto (Unit42): Unit42 - threats against creators.

A recurring feature of these campaigns is their preference for reputable services and platforms: CDNs, public calendars and blockchain smart contracts have been used as distribution channels or code storage. This approach allows attackers to "inherit" the trust of legitimate services, a trend that Censys has called "Living Off the Web" and that describes how trusted infrastructure becomes a malware delivery surface: Censys - Living Off the Web.

Cases like ClearFake exemplify the combined use of ClickFix with other creative techniques: the campaign infected WordPress sites, injected fake browser update lures and used smart contracts on Binance Smart Chain to hide the next JavaScript fragment to be retrieved, a technique analysts have named EtherHiding. Expel's account of ClearFake offers a diagnosis of the sophistication and scope of these operations: Expel - ClearFake and LotL techniques.


What practical conclusions do we draw from all this? First, a traditional defense based only on blocking suspicious executables on disk is not enough: attackers are leveraging signed processes and executing in memory, which forces detection systems to evaluate behavior and context in greater depth. Second, the human factor remains the most exploited link: any dialog that asks to copy/paste commands or hand over tokens must be treated as suspicious and reviewed outside the normal browser flow.

For organizations, the recommendations are to tighten privilege controls, limit and monitor the use of optional components such as App-V where they are not necessary, and adjust EDR rules to flag unusual invocations of legitimate scripts. It is also appropriate to educate particularly exposed users, such as content creators, marketing teams and site managers, about the risks of accepting "verifications" that ask them to execute local commands. Bitdefender and other vendors have published analyses and guides on understanding and mitigating ClickFix; a summary is available on the Bitdefender Business Insights portal: Bitdefender - how ClickFix works.
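As an added illustration of that EDR recommendation (this code is not from the article or from the researchers it cites), the following Python checks constructed Sysmon-style process-creation events for the process signature described above: a script host launching SyncAppvPublishingServer.vbs from an interactive parent such as explorer.exe (the Run dialog), and PowerShell spawned beneath it. The parent list and the assumption that legitimate App-V publishing refreshes run under svchost.exe rather than an interactive shell are mine.

```python
import re
from typing import Dict, List, Tuple

APPV_SCRIPT = re.compile(r"syncappvpublishingserver\.vbs", re.IGNORECASE)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Parents that indicate a user typed or pasted the command (Run dialog, shell, browser).
# Assumption: legitimate App-V refreshes are started by the scheduled task under
# svchost.exe, so an interactive parent is the anomaly worth alerting on.
INTERACTIVE_PARENTS = ("explorer.exe", "cmd.exe", "chrome.exe", "msedge.exe", "firefox.exe")

def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect_appv_proxy_abuse(events: List[Dict]) -> List[Tuple[int, str]]:
    """Return (pid, reason) pairs for events matching the ClickFix/App-V proxy pattern."""
    by_pid = {e["pid"]: e for e in events}
    hits: List[Tuple[int, str]] = []
    for e in events:
        img, parent = basename(e["image"]), basename(e["parent_image"])
        # Rule 1: a script host runs the signed App-V script from an interactive parent.
        if img in SCRIPT_HOSTS and APPV_SCRIPT.search(e["cmdline"]) and parent in INTERACTIVE_PARENTS:
            hits.append((e["pid"], f"{img} ran SyncAppvPublishingServer.vbs under {parent}"))
        # Rule 2: PowerShell is spawned by a script host whose own command line named that script.
        if img in ("powershell.exe", "pwsh.exe") and parent in SCRIPT_HOSTS:
            p = by_pid.get(e["ppid"])
            if p and APPV_SCRIPT.search(p["cmdline"]):
                hits.append((e["pid"], "PowerShell spawned via SyncAppvPublishingServer.vbs proxy"))
    return hits

# Constructed sample events (illustrative values, not from the campaign).
SAMPLE_EVENTS = [
    {"pid": 1001, "ppid": 400, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs <REDACTED ARGUMENT>"},
    {"pid": 1002, "ppid": 1001, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe", "cmdline": "powershell.exe <REDACTED ARGUMENT>"},
    {"pid": 1003, "ppid": 900, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",   # scheduled-task refresh, expected
     "cmdline": r"wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs"},
    {"pid": 1004, "ppid": 400, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for pid, reason in detect_appv_proxy_abuse(SAMPLE_EVENTS):
        print(f"ALERT pid={pid}: {reason}")
```

Both rules rely only on process image, parent and command line, which survive even when the later stages never touch disk.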

In short, the campaign that leads to Amatera brings no revolutionary technical invention, but a very careful combination of known techniques: deception aimed at users, abuse of signed system tools, dynamic configuration hosted on public services and execution in memory. This orchestration makes the attack proceed only when everything fits, which hinders both automated detonation in analysis environments and rapid response to live detections. Staying alert and tuning defenses to detect patterns of trust abuse will be key to reducing the impact of such threats.
