New ClickFix attacks abuse Windows App-V scripts to push malware

By Bill Toulas
Publication Date: 2026-01-26 21:42:00

A new malicious campaign mixes the ClickFix method with fake CAPTCHA and a signed Microsoft Application Virtualization (App-V) script to ultimately deliver the Amatera infostealing malware.

The Microsoft App-V script acts as a living-off-the-land binary that proxies the execution of PowerShell through a trusted Microsoft component to disguise the malicious activity.

Microsoft Application Virtualization is an enterprise Windows feature that allows applications to be packaged and run in isolated virtual environments without actually being installed on the system.

While App-V scripts have been leveraged in the past to evade security solutions, this is the first time this type of file has been observed in ClickFix attacks that deliver an information stealer.

According to BlackPoint Cyber, a company providing threat hunting, detection, and response services, the attack begins with a fake CAPTCHA human verification check that instructs the victim to manually paste and execute a command via the Windows Run dialog.

The ClickFix page
Source: BlackPoint

The pasted command abuses the legitimate SyncAppvPublishingServer.vbs App-V script that is typically used to publish and manage virtualized enterprise applications.

The script is executed using the trusted wscript.exe binary and launches PowerShell.
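The execution chain described above (a script host running SyncAppvPublishingServer.vbs, which in turn spawns PowerShell) is visible in process-creation telemetry. The following is an added detection example, not code from the article or from BlackPoint: it scans process-creation records whose field names mirror Sysmon Event ID 1 and flags both stages of the chain. The event records are constructed for this example, the script argument is a placeholder rather than a real command, and the check for explorer.exe as the parent (a Run-dialog launch) is an assumption about where a ClickFix-style manual paste would originate.

```python
"""
Added example (not the article's or BlackPoint's code): flag the App-V
living-off-the-land pattern in process-creation events.

Stage 1: wscript.exe/cscript.exe running SyncAppvPublishingServer.vbs.
Stage 2: PowerShell whose parent is that script-host process.
Field names mirror Sysmon Event ID 1; the records are constructed.
"""
import re

APPV_SCRIPT = re.compile(r"SyncAppvPublishingServer\.vbs", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: dict) -> list:
    """Return the list of finding labels for one process-creation event."""
    findings = []
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    cmd = event.get("CommandLine", "")
    parent_cmd = event.get("ParentCommandLine", "")

    # Stage 1: a script host launching the App-V publishing script.
    if image in SCRIPT_HOSTS and APPV_SCRIPT.search(cmd):
        findings.append("appv-script-via-script-host")
        # Assumption for this example: a paste into the Run dialog is
        # spawned by explorer.exe, which a scheduled App-V refresh would
        # not be; treat that parent as an extra signal.
        if parent == "explorer.exe":
            findings.append("appv-script-parent-explorer")

    # Stage 2: PowerShell spawned by the script host that ran the script.
    if (image in POWERSHELL and parent in SCRIPT_HOSTS
            and APPV_SCRIPT.search(parent_cmd)):
        findings.append("powershell-child-of-appv-script")
    return findings


def scan(events: list) -> list:
    """(ProcessId, finding) pairs for every event that matches a stage."""
    return [(e["ProcessId"], f) for e in events for f in classify(e)]


# Constructed sample telemetry; the script argument is a placeholder.
APPV_CMD = (r'wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs '
            r'"<argument redacted>"')
SAMPLE_EVENTS = [
    {"ProcessId": 4120,
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": APPV_CMD,
     "ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": "explorer.exe"},
    {"ProcessId": 4131,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NonInteractive ...",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "ParentCommandLine": APPV_CMD},
    {"ProcessId": 5002,
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": "explorer.exe"},
]

if __name__ == "__main__":
    for pid, finding in scan(SAMPLE_EVENTS):
        print(f"pid {pid}: {finding}")
```

The two stages are reported separately so that either one alone (a script host running the App-V script from an interactive parent, or PowerShell appearing under that script host) is enough to raise an alert, while a legitimate publishing refresh launched by the App-V client would match neither the explorer.exe parent check nor, typically, produce a PowerShell child from a user session.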

During the initial stage, the command verifies that the user executed it manually, that the execution order went as expected, and that the clipboard…