Attackers use Windows App-V scripts to slip infostealer past enterprise defenses – Help Net Security

By Zeljka Zorz
Publication Date: 2026-01-27 14:52:00

A malware delivery campaign detailed by Blackpoint researchers employs an impressive array of tricks to deliver an infostealer to employees without triggering enterprise defenses or close examination by security researchers.

The attackers aim to get the Amatera Stealer installed on target Windows computers by using fake human verification pages – i.e., CAPTCHA pages – to trick users into manually pasting and executing a command via the Run dialog.

And here is where things get interesting. Usually, the command in question is executed in PowerShell, but in this campaign attackers don’t invoke it directly.

“The supplied command instead abuses SyncAppvPublishingServer.vbs, a signed Microsoft script associated with Application Virtualization (App-V),” the researchers explained.

“Under normal conditions, this script is used to publish and manage virtualized enterprise applications. In this campaign, it serves as a [Living Off the Land Binary], allowing the attacker to proxy PowerShell execution through a trusted Microsoft component.”

The infection chain uses wscript.exe, the Windows script host, to run the App-V publishing script, but it only works on systems where App-V is present and enabled: machines running modern Windows Server and Windows 10 and 11 Enterprise and Education editions, i.e., higher-value organizational (corporate) systems. If the target is a personal computer running a Home or Pro installation, the infection process will…
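The proxying pattern described above (a script host running SyncAppvPublishingServer.vbs, then PowerShell appearing as its child) can be caught in process-creation telemetry. The following is an added detection example, not code from the article or from Blackpoint; the Sysmon-style event records and the script path under System32 are constructed for illustration, and the attacker arguments are deliberately replaced with placeholders.

```python
import re

# Constructed Sysmon-style process-creation events; not telemetry from the campaign.
# Attacker-supplied arguments are replaced with placeholders on purpose.
SAMPLE_EVENTS = [
    {"pid": 900, "ppid": 700, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c logon.bat"},
    {"pid": 4100, "ppid": 1200, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs "<ATTACKER_ARGUMENT_PLACEHOLDER>"'},
    {"pid": 4120, "ppid": 4100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe <PLACEHOLDER>"},
    {"pid": 5000, "ppid": 1200,   # user opened an interactive shell: benign
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
APPV_SCRIPT = re.compile(r"syncappvpublishingserver\.vbs", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (severity, pid, reason) tuples for suspicious App-V publishing script use."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = basename(e["image"])
        # Stage 1: a script host executing the App-V publishing script at all.
        # Legitimate App-V clients also run this script, so this alone is only medium
        # severity and should be baselined against normal publishing refreshes.
        if name in SCRIPT_HOSTS and APPV_SCRIPT.search(e["cmdline"]):
            findings.append(("medium", e["pid"], "script host ran SyncAppvPublishingServer.vbs"))
        # Stage 2: PowerShell whose parent is that script host, i.e. execution proxied
        # through the trusted Microsoft component, which is the campaign's pattern.
        parent = by_pid.get(e["ppid"])
        if (name in POWERSHELL and parent is not None
                and basename(parent["image"]) in SCRIPT_HOSTS
                and APPV_SCRIPT.search(parent["cmdline"])):
            findings.append(("high", e["pid"], "PowerShell proxied through App-V publishing script"))
    return findings
```

On hosts that are not App-V clients (Home and Pro editions, per the article), any stage 1 hit is already anomalous and can be raised to high.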