ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services
https://thehackernews.com/2026/01/clickfix-attacks-expand-using-fake.html
Publish Date: 2026-01-27 09:38:00
Source Domain: thehackernews.com
Cybersecurity researchers have disclosed details of a new campaign that combines ClickFix-style fake CAPTCHAs with a signed Microsoft Application Virtualization (App-V) script to distribute an information stealer called Amatera.
“Instead of launching PowerShell directly, the attacker uses this script to control how execution begins and to avoid more common, easily recognized execution paths,” Blackpoint researchers Jack Patrick and Sam Decker said in a report published last week.
In doing so, the idea is to transform the App-V script into a living-off-the-land (LotL) binary that proxies the execution of PowerShell through a trusted Microsoft component to conceal the malicious activity.
The starting point of the attack is a fake CAPTCHA verification prompt that seeks to trick users into pasting and executing a malicious command in the Windows Run dialog. But here is where the attack diverges from traditional ClickFix attacks.
The supplied command, rather than invoking PowerShell directly, abuses “SyncAppvPublishingServer.vbs,” a signed Visual Basic Script associated with App-V, to retrieve and execute an in-memory loader from an external server via “wscript.exe.”
It’s worth noting that the misuse of “SyncAppvPublishingServer.vbs” is not new. In 2022, two different threat actors from China and North Korea, tracked as DarkHotel and BlueNoroff, were observed leveraging the LOLBin to stealthily execute a PowerShell script. But this is the first time it has been observed in ClickFix attacks.
“Adversaries may abuse SyncAppvPublishingServer.vbs to bypass PowerShell execution restrictions and evade defensive counter measures by ‘living off the land,’” MITRE notes in its ATT&CK framework. “Proxying execution may function as a trusted/signed alternative to directly invoking ‘powershell.exe.’”
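A defender-side check for the chain described above (a script host running SyncAppvPublishingServer.vbs from the Run dialog or with a URL argument, and PowerShell spawned beneath it), run over constructed Sysmon-style process-creation events. This is an added example, not code from Blackpoint's report or from MITRE; the event fields, paths, PIDs, the explorer.exe parent for Run-dialog launches, the benign scheduled-refresh baseline and the placeholder URL are all assumptions.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style),
# not telemetry from the campaign in the article. Paths, PIDs and the
# placeholder URL are assumptions made up for this example.
SAMPLE_EVENTS = [
    # ClickFix chain: Run dialog (explorer.exe) launches the signed App-V script with a URL argument
    {"pid": 4120, "ppid": 1500, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs "https://placeholder.invalid/x"'},
    # PowerShell proxied through the script: its parent is the wscript.exe above
    {"pid": 4188, "ppid": 4120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden"},
    # Assumed benign baseline: scheduled App-V publishing refresh, no URL, not from explorer.exe
    {"pid": 5020, "ppid": 900, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs"},
    # Benign: PowerShell started interactively by the user
    {"pid": 5100, "ppid": 1500, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "powershell.exe"},
]

APPV_SCRIPT = "syncappvpublishingserver.vbs"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: list[dict]) -> list[tuple[int, str]]:
    """Return (pid, rule) pairs for events matching the App-V proxy-execution pattern."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        image, parent, cmd = basename(e["image"]), basename(e["parent_image"]), e["cmdline"].lower()
        # Rule 1: script host running the App-V script with a URL argument, or launched
        # interactively (Run dialog / explorer.exe); a plain scheduled refresh has neither trait.
        if image in SCRIPT_HOSTS and APPV_SCRIPT in cmd and (URL_RE.search(cmd) or parent == "explorer.exe"):
            hits.append((e["pid"], "appv_script_suspicious_launch"))
        # Rule 2: PowerShell whose parent is a script host that was itself running the App-V script
        if image in SHELLS and parent in SCRIPT_HOSTS:
            grandparent = by_pid.get(e["ppid"])
            if grandparent and APPV_SCRIPT in grandparent["cmdline"].lower():
                hits.append((e["pid"], "powershell_proxied_via_appv_script"))
    return hits
```

Feed `detect()` real Sysmon or EDR process-creation records mapped to the same four fields; rule 2 needs the parent event in the same batch to resolve the grandparent command line.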
The use of an App-V script is also significant as the virtualization solution is built only into Enterprise and Education editions of Windows 10 and Windows 11, along with…