securityonline.info 1/29/2026, 2:20:18 AM · via preferred

The “Fake CAPTCHA” Trap: Malware Hides in Google Calendar & Images

The article, dated 29 January 2026, describes a new Fake CAPTCHA campaign that exploits a complex delivery chain involving trusted Microsoft tools and Google services to smuggle malware. According to the Blackpoint SOC, the campaign uses a Fake CAPTCHA social engineering prompt and proxies execution through a legitimate Windows component, SyncAppvPublishingServer[.]vbs, to mask itself as legitimate activity.

Once active, the malware checks for real user interaction and, upon confirmation, reaches out to Google Calendar to pull live configuration from a public calendar file, enabling flexible delivery logic. The final stage uses steganography to hide an encrypted payload inside publicly hosted PNG images; the payload is then decrypted and executed in memory, culminating in Amatera Stealer, which harvests browser data and credentials.

The overall approach combines trusted infrastructures with stealth techniques to avoid detection, aiming to be reliable while remaining invisible when not in use.
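One way to hunt for the proxy-execution step described above, as an added example that is not from the article or from Blackpoint: it triages process-creation events that reference SyncAppvPublishingServer.vbs. The event fields, sample records, parent-process list and severity labels are assumptions constructed for illustration.

```python
import re

# Constructed process-creation records (Sysmon Event ID 1 style fields).
# Hosts, parents and arguments are illustrative, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws-01", "parent": "explorer.exe", "image": "wscript.exe",
     "cmdline": r'wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs '
                r'"<PLACEHOLDER: script text, not a server name>"'},
    {"host": "ws-02", "parent": "appvclient.exe", "image": "cscript.exe",
     "cmdline": r'cscript.exe "C:\Windows\System32\SyncAppvPublishingServer.vbs" '
                r'appv-pub01.corp.example'},
    {"host": "ws-03", "parent": "explorer.exe", "image": "notepad.exe",
     "cmdline": r'notepad.exe C:\Users\a\notes.txt'},
]

# Capture whatever follows the script path on the command line.
SCRIPT = re.compile(r'syncappvpublishingserver\.vbs"?\s*(?P<args>.*)$', re.IGNORECASE)
# Assumption: a legitimate App-V invocation passes only a server name.
HOSTNAME = re.compile(r'^[A-Za-z0-9.-]+$')
# Assumption: parents that suggest a user pasted or typed the command.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe"}


def triage(event):
    """Return a finding for events that reference the script, else None."""
    match = SCRIPT.search(event["cmdline"])
    if not match:
        return None
    args = match.group("args").strip().strip('"')
    reasons = []
    if args and not HOSTNAME.match(args):
        reasons.append("argument is not a plain server name")
    if event["parent"].lower() in INTERACTIVE_PARENTS:
        reasons.append("launched from an interactive parent")
    # The script is rare outside App-V estates, so every hit is reported;
    # any matching heuristic raises it to "high".
    return {"host": event["host"],
            "severity": "high" if reasons else "low",
            "reasons": reasons}


def hunt(events):
    """Triage a batch of events and keep only the findings."""
    return [finding for finding in map(triage, events) if finding]


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

On hosts that do not use App-V, any hit is worth reviewing, and a block rule for the script may be simpler than alerting.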

Article by CyberSIXT