New ClickFix Campaign – Abusing Windows App-V Scripts

Researchers have uncovered a new ClickFix attack chain that combines fake CAPTCHA lures with Microsoft Application Virtualization (App-V) scripts to deliver the Amatera infostealer. This marks the first time App-V scripts have been observed in ClickFix-style attacks.

Attack Flow

  1. Initial lure:
    • Victims encounter a fake CAPTCHA page.
    • They are instructed to paste a command into the Windows Run dialog.
  2. Execution via App-V:
    • The command abuses SyncAppvPublishingServer.vbs, a legitimate App-V script.
    • Script runs under wscript.exe, launching PowerShell through a trusted Microsoft component.
  3. Anti-analysis checks:
    • Verifies manual execution order and clipboard contents.
    • If sandbox detected → stalls execution with infinite waits.
  4. Configuration retrieval:
    • Pulls base64-encoded config data from a public Google Calendar event.
  5. Payload staging:
    • Hidden 32-bit PowerShell process spawned via WMI.
    • Embedded payloads decrypted and loaded into memory.
  6. Steganography stage:
    • Encrypted PowerShell payload hidden inside PNG images hosted on public CDNs.
    • Extracted via LSB steganography, decrypted, GZip-decompressed, executed in memory.
  7. Final payload:
    • Native shellcode executed → Amatera infostealer deployed.
    • Connects to hardcoded IP, retrieves endpoint mappings, awaits further payloads via HTTP POST.

Malware Details – Amatera

  • Type: Infostealer (based on ACR infostealer).
  • Capabilities: Collects browser data and credentials.
  • Distribution model: Malware-as-a-Service (MaaS).
  • Evolution: Proofpoint reports ongoing sophistication with each update.

Why It’s Dangerous

  • Living-off-the-land binary (LOLBin): Uses trusted Microsoft App-V scripts to proxy PowerShell execution.
  • Steganography: Payloads hidden in images on public CDNs → harder to detect.
  • Resilient infrastructure: Uses Google Calendar + WinINet APIs for stealthy config and payload delivery.

Defensive Recommendations

  • Restrict Windows Run dialog: Apply Group Policy to block user access.
  • Remove App-V components: Uninstall or disable them where the enterprise does not actually use App-V, so SyncAppvPublishingServer.vbs is not available as a proxy.
  • Enable PowerShell logging: Script block and module logging make hidden processes and in-memory script execution visible.
  • Network monitoring: Watch for HTTP Host headers or TLS SNI values that do not match the destination IP the traffic is actually sent to.
  • Threat hunting: Look for suspicious use of SyncAppvPublishingServer.vbs and hidden PowerShell activity.
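The hunting and monitoring items above can be turned into simple rules over process-creation and flow telemetry. The following is an added example written for this page, not code from the researchers or from any vendor product; the event records, hostnames, IP addresses (TEST-NET ranges) and command-line arguments are constructed to mimic Sysmon-style fields and are labelled as such. It flags the three things the campaign summary calls out: a script host running SyncAppvPublishingServer.vbs (with explorer.exe as parent, matching the Run-dialog lure), PowerShell that is hidden, 32-bit, or spawned under the WMI provider host, and HTTP Host/SNI names whose resolved addresses do not include the real destination IP.

```python
import re
from dataclasses import dataclass


# Constructed process-creation record (Sysmon Event ID 1 style fields); not real telemetry.
@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str          # full path of the created process
    parent_image: str   # full path of the parent process
    cmdline: str


# Constructed flow record: destination IP plus the HTTP Host header or TLS SNI seen on the wire.
@dataclass
class Flow:
    dst_ip: str
    host: str


APPV_SCRIPT = "syncappvpublishingserver.vbs"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
PS_HOSTS = {"powershell.exe", "pwsh.exe"}
# Loose match for "-WindowStyle Hidden" and its abbreviations such as "-w h".
HIDDEN_WINDOW = re.compile(r"(?:^|\s)-w\w*\s+h\w*")


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def appv_script_hosts(events):
    """Rule 1: a script host executing SyncAppvPublishingServer.vbs."""
    return [e for e in events
            if basename(e.image) in SCRIPT_HOSTS and APPV_SCRIPT in e.cmdline.lower()]


def powershell_children(events, parents):
    """PowerShell whose parent is a flagged App-V script host (the LOLBin proxy step)."""
    pids = {p.pid for p in parents}
    return [e for e in events if e.ppid in pids and basename(e.image) in PS_HOSTS]


def suspicious_powershell(events):
    """Rule 2: hidden-window PowerShell, PowerShell under the WMI provider host,
    or the 32-bit (SysWOW64) binary on a 64-bit host. Returns pid -> reasons."""
    out = {}
    for e in events:
        if basename(e.image) not in PS_HOSTS:
            continue
        reasons = []
        if HIDDEN_WINDOW.search(e.cmdline.lower()):
            reasons.append("hidden window")
        if basename(e.parent_image) == "wmiprvse.exe":
            reasons.append("spawned by WMI provider host")
        if "\\syswow64\\" in e.image.lower():
            reasons.append("32-bit PowerShell on 64-bit host")
        if reasons:
            out[e.pid] = reasons
    return out


def host_ip_mismatches(flows, resolved):
    """Rule 3: Host header / SNI name whose resolved addresses do not include the destination IP."""
    out = []
    for f in flows:
        ips = resolved.get(f.host.lower())
        if ips is None:
            out.append((f.host, f.dst_ip, "name never resolved by this host"))
        elif f.dst_ip not in ips:
            out.append((f.host, f.dst_ip, "destination not among resolved addresses"))
    return out


def run_demo():
    """Runs the three rules over constructed sample data and returns the findings."""
    sysroot = "C:\\Windows\\System32\\"
    ps64 = sysroot + "WindowsPowerShell\\v1.0\\powershell.exe"
    ps32 = "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe"
    events = [
        ProcEvent(100, 1, "C:\\Windows\\explorer.exe", sysroot + "userinit.exe", "explorer.exe"),
        # Run-dialog lure: explorer.exe -> wscript.exe running the App-V script (argument constructed)
        ProcEvent(200, 100, sysroot + "wscript.exe", "C:\\Windows\\explorer.exe",
                  'wscript.exe C:\\Windows\\System32\\SyncAppvPublishingServer.vbs "[constructed argument]"'),
        ProcEvent(300, 200, ps64, sysroot + "wscript.exe",
                  "powershell.exe -NoProfile -WindowStyle Hidden [constructed]"),
        # Hidden 32-bit PowerShell started through WMI
        ProcEvent(400, 500, ps32, sysroot + "wbem\\WmiPrvSE.exe", "powershell.exe -w hidden [constructed]"),
        ProcEvent(600, 100, ps64, "C:\\Windows\\explorer.exe", "powershell.exe"),  # benign interactive shell
        ProcEvent(700, 100, sysroot + "cscript.exe", "C:\\Windows\\explorer.exe",
                  "cscript.exe //nologo C:\\Scripts\\inventory.vbs"),  # benign script host
    ]
    resolved = {  # constructed resolver cache: name -> addresses returned to this host
        "cdn.example.net": {"203.0.113.10"},
        "calendar.google.com": {"192.0.2.20"},
    }
    flows = [
        Flow("203.0.113.10", "cdn.example.net"),       # consistent
        Flow("198.51.100.7", "calendar.google.com"),   # Host says Google, packets go elsewhere
        Flow("198.51.100.7", "update.example.org"),    # name this host never resolved
    ]
    appv = appv_script_hosts(events)
    return {
        "appv_pids": [e.pid for e in appv],
        "run_dialog_origin": [basename(e.parent_image) == "explorer.exe" for e in appv],
        "proxied_powershell": [e.pid for e in powershell_children(events, appv)],
        "suspicious_powershell": suspicious_powershell(events),
        "mismatched_flows": host_ip_mismatches(flows, resolved),
    }


if __name__ == "__main__":
    for name, finding in run_demo().items():
        print(name, finding)
```

Rule 1 on its own is low-noise in most environments because SyncAppvPublishingServer.vbs is rarely invoked interactively; rules 2 and 3 are heuristics that need tuning against a baseline, and the Host/SNI comparison only works when the same sensor also records the DNS answers the host received.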

Takeaway

This campaign demonstrates how attackers are weaponizing trusted enterprise features (App-V) and ClickFix social engineering to bypass defenses. By embedding payloads in CAPTCHAs, Google Calendar events, and PNG images, adversaries are raising the bar for detection. Organizations should harden Windows environments, monitor PowerShell activity, and restrict unnecessary components to reduce exposure.
