{"id":209338,"date":"2026-01-27T09:38:00","date_gmt":"2026-01-27T14:38:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/01\/27\/clickfix-attacks-expand-using-fake-captchas-microsoft-scripts-and-trusted-web-services\/"},"modified":"2026-02-02T19:00:11","modified_gmt":"2026-02-03T00:00:11","slug":"clickfix-attacks-expand-using-fake-captchas-microsoft-scripts-and-trusted-web-services","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/01\/27\/clickfix-attacks-expand-using-fake-captchas-microsoft-scripts-and-trusted-web-services\/","title":{"rendered":"ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/01\/clickfix-attacks-expand-using-fake.html\">ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/01\/clickfix-attacks-expand-using-fake.html\">https:\/\/thehackernews.com\/2026\/01\/clickfix-attacks-expand-using-fake.html<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-01-27 09:38:00<\/a><\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p>Cybersecurity researchers have disclosed details of a new campaign that combines ClickFix-style fake CAPTCHAs with a signed Microsoft Application Virtualization (App-V) script to distribute an information stealer called Amatera.<\/p>\n<p>&#8220;Instead of launching PowerShell directly, the attacker uses this script to control how execution begins and to avoid more common, easily recognized execution paths,&#8221; Blackpoint researchers Jack Patrick and Sam Decker said in a report published last week.<\/p>\n<p>In doing so, the idea is to transform the App-V script into a living-off-the-land (LotL) binary that proxies the execution of PowerShell through a trusted Microsoft component to conceal the malicious activity.<\/p>\n<p>The 
starting point of the attack is a fake CAPTCHA verification prompt that seeks to trick users into pasting and executing a malicious command in the Windows Run dialog. But here is where the attack diverges from traditional ClickFix attacks.<\/p>\n<p>The supplied command, rather than invoking PowerShell directly, abuses &#8220;SyncAppvPublishingServer.vbs,&#8221; a signed Visual Basic Script associated with App-V, to retrieve and execute an in-memory loader from an external server using &#8220;wscript.exe.&#8221;<\/p>\n<p>It&#8217;s worth noting that the misuse of &#8220;SyncAppvPublishingServer.vbs&#8221; is not new. In 2022, two different threat actors from China and North Korea, tracked as DarkHotel and BlueNoroff, were observed leveraging the same LOLBin technique to stealthily execute a PowerShell script. But this is the first time it has been observed in ClickFix attacks.<\/p>\n<p>&#8220;Adversaries may abuse SyncAppvPublishingServer.vbs to bypass PowerShell execution restrictions and evade defensive counter measures by &#8216;living off the land,'&#8221; MITRE notes in its ATT&#038;CK framework. 
&#8220;Proxying execution may function as a trusted\/signed alternative to directly invoking &#8216;powershell.exe.'&#8221;<\/p>\n<p>The use of an App-V script is also significant as the virtualization solution is built only into Enterprise and Education editions of Windows 10 and Windows 11, along with&#8230;<\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/01\/clickfix-attacks-expand-using-fake.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services https:\/\/thehackernews.com\/2026\/01\/clickfix-attacks-expand-using-fake.html Publish Date:&#8230;<\/p>\n","protected":false},"author":1,"featured_media":209339,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgW6W_rux-XGbdn40S_idHK9NuIPQ9Apvc-2JZAvLaHngDYeb5gvSFLF0A4Fds4fpAZqOdeavVBdL0mpSYS3uuIZ7x_w4cdViWRc8e8SoHUkCcfrTxWCm-i8-g63Xn7wgF3IEs21EWyAYn3m719zUh66sCrVOjCaKNJrkoI6q_LwayxogECmwHCKjQS-HO6\/s1700-e365\/clickfix.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,31],"class_list":["post-209338","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-exploit"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/209338"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=209338"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/209338\/revisions"}],"p
redecessor-version":[{"id":209340,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/209338\/revisions\/209340"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/209339"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=209338"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=209338"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=209338"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}