Amatera Infostealer Delivered via Fake CAPTCHA and Windows App-V Script Abuse
Researchers reported an active campaign distributing Amatera Stealer by using fake “human verification”/CAPTCHA pages (often described as ClickFix) to trick users into manually pasting and running a command via the Windows Run dialog. Instead of launching PowerShell directly, the command abuses the signed Microsoft App-V script SyncAppvPublishingServer.vbs to proxy PowerShell execution through trusted Windows components (e.g., wscript.exe), helping the activity blend in with legitimate tooling and evade some defenses.
On suitable targets—systems where Application Virtualization (App-V) is present and enabled (notably Windows 10/11 Enterprise/Education and modern Windows Server)—the infection chain performs anti-analysis checks to hinder sandbox detonation, then pulls staging/configuration data from a public Google Calendar (.ics) resource. Additional stages are retrieved using steganography, including encrypted payloads embedded in PNG images hosted on public infrastructure/CDNs, which are then decrypted and executed in memory to deliver Amatera (described as based on ACR Stealer and offered as malware-as-a-service). Recommended mitigations highlighted include tightening controls around Run-dialog execution, disabling unnecessary App-V components, increasing PowerShell/script logging visibility, and monitoring for anomalous outbound retrievals to calendar/image-hosting services.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Researchers reveal multi-stage payload delivery via Google Calendar and PNG steganography
Technical analysis showed the campaign retrieves configuration data from a public Google Calendar .ics file and then downloads PNG images containing an encrypted and compressed payload. The final stages execute in memory and deliver the Amatera Stealer infostealer while using anti-analysis gates to frustrate sandbox detonation.
Blackpoint researchers identify Amatera delivery campaign using fake CAPTCHA and App-V
Blackpoint researchers reported a malware delivery campaign that tricks users into pasting a command into the Windows Run dialog, then abuses the signed Microsoft App-V script SyncAppvPublishingServer.vbs via wscript.exe to stealthily launch the infection chain. The campaign is designed to evade enterprise defenses and researcher analysis, with execution succeeding mainly on systems where App-V is present and enabled.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
The "Fake CAPTCHA" Trap: Malware Hides in Google Calendar & Images
securityonline.info
Open sourceFake CAPTCHA Attack Leverages Microsoft Application Virtualization (App-V) to Deploy Malware
cybersecuritynews.com
Open sourceAmatera infostealer campaign leverages fake CAPTCHA and App-V scripts | SC Media
scworld.com
Open sourceAttackers use Windows App-V scripts to slip infostealer past enterprise defenses - Help Net Security
helpnetsecurity.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Amatera Stealer and NetSupport RAT Delivered via ClickFix Social Engineering Campaigns
Cybersecurity researchers have identified a surge in malware campaigns leveraging the ClickFix social engineering technique to deploy the Amatera Stealer and NetSupport RAT. These campaigns trick users into executing malicious commands through the Windows Run dialog, often under the guise of completing a reCAPTCHA verification on fraudulent phishing pages. The infection chain typically involves the use of `mshta.exe` to launch a PowerShell script, which downloads a .NET payload from a file hosting service. The Amatera Stealer DLL, packed with PureCrypter, is injected into the `MSBuild.exe` process, enabling the malware to harvest sensitive data from crypto-wallets, browsers, messaging apps, FTP clients, and email services. Advanced evasion techniques, such as WoW64 SysCalls and in-memory AMSI patching, are employed to bypass endpoint detection and response (EDR) and antivirus solutions. The Amatera Stealer, considered an evolution of the ACR Stealer, is available as a malware-as-a-service (MaaS) offering, with subscription plans ranging from $199 to $1,499. The campaigns also deploy NetSupport RAT for remote access and further exploitation. Notably, the PowerShell scripts used by Amatera check for the presence of valuable files or domain membership before proceeding, indicating a targeted approach. These findings highlight the increasing sophistication of social engineering and malware delivery tactics, as well as the growing threat posed by MaaS platforms to organizations and individuals alike.
Mar 21, 2026
ACRStealer Campaign Uses Trojanized Installers, Stolen ASUS Certificate, and Shared C2 Infrastructure
Breakglass Intelligence reported that **ACRStealer** is running an active credential-theft operation through multiple delivery chains, including a compromised `.edu` WordPress site and a trojanized **Chris-PC RAM Booster** installer. The malware uses a four-stage infection flow that progresses from PowerShell or installer-based execution to Go and .NET loaders, then decrypts and injects shellcode in memory. Researchers said newer samples introduced a previously undocumented .NET loader, **CoreHubManager**, a new 16-byte XOR key, **AES-256-CBC** shellcode decryption, and **Heaven’s Gate** WoW64 transitions to run x64 code from a 32-bit process. Payloads were also signed with a stolen **ASUSTeK EV code-signing certificate**, allowing binaries such as `sunwukongs.exe` to better evade SmartScreen and other trust controls. Once installed, ACRStealer steals credentials, browser data, DPAPI-protected secrets, Windows Hello NGC keys, smart card certificates, Azure AD OAuth tokens, wallets, documents, and tokens from more than 200 applications, then exfiltrates the data over HTTPS. The malware also uses custom AFD socket operations and dead-drop resolvers hosted on **Steam**, **Google Docs/Slides**, and **Telegram** pages to retrieve command-and-control infrastructure. Breakglass mapped **17 C2 IPs** in the newer cluster and **9 live C2 servers** in the earlier campaign, with the larger set hosted by **VDSINA**, pointing to a concentrated infrastructure footprint. Researchers also found overlap with **SectopRAT**, **AmateraStealer**, **NetSupport RAT**, **OffLoader**, **HIjackLoader/IDATLoader**, and **ClickFix/FakeCAPTCHA** chains, and said ACRStealer has been rebranded as **AmateraStealer** and marketed as a malware-as-a-service offering.
May 25, 2026
Fake CAPTCHA and ClickFix Social Engineering Used to Deliver Stealer Malware
A wave of **social-engineering-driven malware delivery** is abusing “verification” and “fix” workflows to trick users into running attacker-supplied commands that install information stealers. LevelBlue reported a campaign using **fake Cloudflare-style CAPTCHA pages** on compromised websites to convince Windows users to manually execute malicious **PowerShell** commands, resulting in **StealC** deployment; StealC is described as exfiltrating browser credentials, crypto wallet data, Steam and Outlook credentials, system information, and screenshots over **RC4-encrypted HTTP** to a C2 server. Intego also identified an evolved **ClickFix** technique on macOS (“**Matryoshka**”) that leverages **typosquatting** to redirect users to pages instructing them to paste “fix” commands into Terminal; the loader then retrieves an AppleScript payload to steal browser credentials and target wallet apps (e.g., *Trezor Suite*, *Ledger Live*), including repeated fake password prompts as a fallback. Separately, other credential-theft campaigns are also leaning heavily on lures that exploit user trust and routine workflows. Morphisec described **Noodlophile** evolving from fake AI video platform ads to **fake job postings** and phishing “assessments,” delivering multi-stage stealers/RATs via techniques including **DLL sideloading**, while continuing to use **Telegram bots** for exfiltration/C2 and adding file-bloating content intended to disrupt automated analysis. These developments reinforce that user-in-the-loop execution (copy/paste commands, “verification” steps, and recruitment-themed forms) remains a high-yield initial access vector for stealers across both Windows and macOS environments.
Mar 21, 2026