Fake CAPTCHA Attack Leverages Microsoft Application Virtualization (App-V) to Deploy Malware

By Tushar Subhra Dutta
Publication Date: 2026-01-28 07:46:00

A newly discovered campaign demonstrates a sophisticated approach to delivering information-stealing malware through a combination of social engineering and legitimate Windows components.

The attack begins with a deceptive CAPTCHA prompt that tricks users into executing commands manually through the Windows Run dialog, presenting the infection as a required verification step.

Instead of using traditional PowerShell execution methods that security tools commonly monitor, the attackers exploit Microsoft’s Application Virtualization framework to bypass detection.
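The detection angle that follows from the two preceding paragraphs is that a command typed into the Run dialog is launched by explorer.exe, so an App-V client binary appearing as a direct child of explorer.exe (rather than of the App-V service) is the anomaly to look for. The script below is an added example written for this article, not code from Blackpoint or from the campaign; it runs a simple rule over constructed process-creation records in a Sysmon-like shape. The App-V install directories, the placeholder binary name and the sample events are assumptions made for the demonstration and should be replaced with an inventory of the App-V binaries actually present in your environment.

```python
"""Added example: flag App-V client processes spawned from the Windows Run dialog.

Not part of the original article. Input records are constructed to resemble
process-creation telemetry (e.g. Sysmon Event ID 1) and are not real data.
"""
import ntpath

# ASSUMPTION: directories where App-V client binaries live on a modern
# Windows install. Replace with paths from your own software inventory.
APPV_IMAGE_DIRS = (
    r"c:\windows\system32\appvclient",
    r"c:\program files\microsoft application virtualization",
)

# Commands entered in the Run dialog (Win+R) are started by explorer.exe,
# so that is the parent we expect for a user-driven "fake CAPTCHA" launch.
RUN_DIALOG_PARENT = "explorer.exe"


def is_appv_image(image: str) -> bool:
    """True if the image path points at an App-V client binary."""
    image_l = image.lower()
    return image_l.startswith(APPV_IMAGE_DIRS) or ntpath.basename(image_l).startswith("appv")


def flag_run_dialog_appv(events):
    """Return records where an App-V binary was launched directly by explorer.exe,
    plus every process later spawned by a flagged process (the likely payload stage).

    `events` must be in chronological order so children follow their parents.
    """
    flagged = []
    flagged_pids = set()
    for ev in events:
        parent_name = ntpath.basename(ev["parent_image"]).lower()
        if parent_name == RUN_DIALOG_PARENT and is_appv_image(ev["image"]):
            flagged.append({**ev, "reason": "App-V client spawned from Run dialog (explorer.exe)"})
            flagged_pids.add(ev["pid"])
        elif ev["ppid"] in flagged_pids:
            flagged.append({**ev, "reason": "child of a flagged App-V process"})
            flagged_pids.add(ev["pid"])
    return flagged


# Constructed sample telemetry (not real events). pid 80 is explorer.exe,
# pid 50 is services.exe; "AppvPlaceholder.exe" and "payload.exe" are
# made-up names standing in for whatever the real binaries would be.
SAMPLE_EVENTS = [
    # Benign: App-V client service started by services.exe, not by the user.
    {"pid": 100, "ppid": 50, "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\AppvClient\AppvClient.exe"},
    # Benign: user opens Notepad from the Run dialog.
    {"pid": 150, "ppid": 80, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe"},
    # Suspicious: App-V binary launched straight from the Run dialog.
    {"pid": 200, "ppid": 80, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\AppvClient\AppvPlaceholder.exe"},
    # Suspicious: that App-V process then spawns something from a temp folder.
    {"pid": 300, "ppid": 200, "parent_image": r"C:\Windows\System32\AppvClient\AppvPlaceholder.exe",
     "image": r"C:\Users\victim\AppData\Local\Temp\payload.exe"},
    # Benign: user opens a command prompt from the Run dialog.
    {"pid": 400, "ppid": 80, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
]


if __name__ == "__main__":
    for hit in flag_run_dialog_appv(SAMPLE_EVENTS):
        print(f"pid={hit['pid']} image={hit['image']} :: {hit['reason']}")
```

The rule deliberately keys on parent-child lineage rather than on the command line, because the article's point is that the attackers avoid the PowerShell invocations most monitoring looks for; a lineage rule is also cheap to express in a SIEM or EDR query once the App-V image list is filled in from your own environment.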

The attack chain represents a significant shift in how threat actors approach malware delivery.

Rather than relying on vulnerability exploitation or direct payload execution, the campaign prioritizes careful orchestration of each stage to survive automated analysis and security monitoring.

[Figure: Killchain (Source: Blackpoint)]

The infection progression depends on specific conditions being met at precise moments, ensuring that the malware only executes when the exact sequence unfolds as intended.

This deliberate design makes the attack harder to analyze in sandboxed environments and reduces the likelihood of triggering defensive alerts.

Blackpoint analysts noted that the campaign exhibits careful planning across multiple execution stages, with each stage building on the protective measures of the one before it.

The attackers chain together signed Microsoft components,…