A novel malware delivery campaign has surfaced, employing a sophisticated blend of social engineering and legitimate Microsoft components, including Application Virtualization (App-V), to deploy information-stealing malware. The attack commences with a deceptive CAPTCHA prompt that tricks users into executing commands via the Windows Run dialog, presenting the harmful action as a necessary verification step. This method represents a notable departure from conventional PowerShell execution techniques, which security tools widely monitor.
The observed attack chain signifies a strategic shift by threat actors, prioritizing meticulous orchestration to bypass detection and analysis. Instead of relying on exploited vulnerabilities or direct payload execution, this campaign focuses on a multi-stage approach designed for stealth and resilience. Security analysts from Blackpoint have detailed how the attackers chain together signed Microsoft components, user-behavior-driven execution gates, third-party services, and in-memory stages to ensure reliability and evade security measures.
Understanding the Fake CAPTCHA Attack and App-V Evasion
The infection mechanism begins when victims encounter a fake CAPTCHA interface that prompts them to paste and execute a command through the Windows Run dialog. This ruse is presented as a mandatory human verification step, a growing tactic in the cyber threat landscape. Crucially, the command directs execution through `SyncAppvPublishingServer.vbs`, a legitimate signed script associated with Microsoft’s Application Virtualization framework, rather than engaging the more commonly monitored `powershell.exe` process directly.
This diversion is effective because it alters the typical process execution path, moving away from the `explorer.exe` to `powershell.exe` sequence. Instead, execution flows through `wscript.exe` to an App-V publishing script, which blends seamlessly with legitimate system activity on machines where App-V components are installed. Attackers leverage the fact that App-V is integrated into enterprise editions of Windows 10 and Windows 11, thereby targeting organizational systems while naturally filtering out standard consumer installations that lack these components.
The initial command also establishes a temporary environment variable named `ALLUSERSPROFILE_X`. This variable acts as a critical execution marker, confirming that the user manually initiated the command. It functions as a gate, preventing the attack’s progression unless this specific marker is detected in the system’s clipboard state. The embedded PowerShell logic reconstructs essential functionality at runtime using aliases and wildcard resolution rather than embedding overt command strings.
For instance, the script employs the shorthand alias `gal` to resolve `Get-Alias` and then uses `gal i*x` to retrieve the `iex` alias, which ultimately points to `Invoke-Expression`. The loader implements a strict clipboard-based execution gate, searching for the `ALLUSERSPROFILE_X` marker. If this marker is absent, the script displays decoy messages through script shell popups and intentionally enters an infinite wait state. This deliberate stalling mechanism is designed to thwart analysis in sandboxed environments that detonate the script without simulating the expected clipboard state, causing them to hang indefinitely rather than failing cleanly.
Execution only proceeds to the next stage when the expected marker is found. This stage involves retrieving configuration data from a public Google Calendar file. This method allows attackers to update the malware’s delivery logic without needing to redeploy earlier stages of the attack. The overall design of this campaign highlights how multiple execution gates, each tied to specific user actions or system state conditions, reinforce the attack chain and significantly complicate casual analysis by security professionals.
Payload and Impact
The ultimate payload of this sophisticated delivery mechanism is Amatera Stealer, a known information-harvesting malware family. However, the innovation lies in the delivery method itself, demonstrating a new approach to packaging and distributing malicious code while actively evading defensive systems. By employing multiple layers of obfuscation and precisely timing the execution of each stage, attackers aim to prolong the operational life of their infrastructure and maintain control over the campaign for extended periods.
The success of this campaign hinges on the manipulation of user judgment and the exploitation of trusted Microsoft infrastructure. This dual approach makes it effective not only against automated security systems but also against human operators who might otherwise recognize malicious activity. The careful planning and execution across multiple stages, with each step reinforcing the one before it, underscores the evolving sophistication of modern cyber threats. The use of signed Microsoft components and legitimate system functions by threat actors poses a significant challenge for detection and response efforts.
Moving forward, organizations should review their endpoint detection and response (EDR) policies to ensure they adequately monitor for unusual process execution chains that deviate from established baselines, particularly chains involving legitimate Microsoft components such as App-V scripts. The reliance on clipboard data as an execution gate also suggests the need for more granular monitoring of clipboard contents for anomalous patterns.
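The process-chain and command-line indicators described above (a script host launching `SyncAppvPublishingServer.vbs` from an interactive parent, the `ALLUSERSPROFILE_X` marker, and the `gal i*x` alias-wildcard trick) can be turned into simple scoring logic over process-creation telemetry. The following Python is an added example written for this page; it is not code from the article or from Blackpoint. It scores constructed records shaped like Sysmon Event ID 1 fields (parent image, image, command line). The field names, sample records, score weights and threshold are assumptions, and the sample attacker command line is deliberately a non-functional placeholder.

```python
"""Score process-creation records for the fake-CAPTCHA / App-V delivery chain.

Added example, not the article's or Blackpoint's code. Indicators scored:
  * wscript.exe / cscript.exe launching SyncAppvPublishingServer.vbs,
    with extra weight when the parent is an interactive shell (explorer.exe,
    which is what the Run dialog pattern produces)
  * the ALLUSERSPROFILE_X execution-gate marker in the command line
  * Get-Alias (gal) called with a wildcard such as i*x to reach iex /
    Invoke-Expression without spelling it out
Field names, weights and the threshold are assumptions for this example.
"""
import re
from dataclasses import dataclass, field

APPV_SCRIPT = "syncappvpublishingserver.vbs"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
INTERACTIVE_PARENTS = {"explorer.exe"}
GATE_MARKER = "ALLUSERSPROFILE_X"

# Matches `gal i*x`, `Get-Alias i?x`, quoted or not, case-insensitively.
ALIAS_WILDCARD_RE = re.compile(
    r"\b(gal|get-alias)\s+['\"]?i[\*\?][a-z\*\?]*x['\"]?", re.I
)


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


@dataclass
class Finding:
    score: int = 0
    reasons: list = field(default_factory=list)


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(event: ProcessEvent) -> Finding:
    """Return a Finding with an additive score and human-readable reasons."""
    f = Finding()
    image = _basename(event.image)
    parent = _basename(event.parent_image)
    cmd_l = event.command_line.lower()

    if image in SCRIPT_HOSTS and APPV_SCRIPT in cmd_l:
        f.score += 3
        f.reasons.append("script host launching SyncAppvPublishingServer.vbs")
        if parent in INTERACTIVE_PARENTS:
            f.score += 2
            f.reasons.append(f"launched from interactive parent {parent}")
    if GATE_MARKER.lower() in cmd_l:
        f.score += 3
        f.reasons.append(f"{GATE_MARKER} execution-gate marker present")
    if ALIAS_WILDCARD_RE.search(event.command_line):
        f.score += 3
        f.reasons.append("Get-Alias wildcard resolution towards Invoke-Expression")
    return f


def is_suspicious(event: ProcessEvent, threshold: int = 5) -> bool:
    return analyze(event).score >= threshold


def scan(events, threshold: int = 5):
    """Return (index, Finding) pairs for every event at or above threshold."""
    return [(i, analyze(e)) for i, e in enumerate(events)
            if analyze(e).score >= threshold]


# Constructed sample telemetry (assumed shapes, not real captured events).
SAMPLE_EVENTS = [
    # Constructed baseline: the App-V script started by a service host, no
    # gate marker, no alias tricks. Scores below threshold.
    ProcessEvent(r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\System32\wscript.exe",
                 r'wscript.exe "C:\Windows\System32\SyncAppvPublishingServer.vbs"'),
    # Constructed Run-dialog pattern with both indicators; the remainder of
    # the command line is a placeholder, not a working loader.
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\wscript.exe",
                 r'wscript.exe SyncAppvPublishingServer.vbs "... $env:ALLUSERSPROFILE_X ... gal i*x ... [stage placeholder]"'),
    # Constructed ordinary interactive PowerShell launch; no indicators.
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -NoProfile"),
]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(f"event {idx}: score {finding.score}: {'; '.join(finding.reasons)}")
```

The weights are additive so that a lone `SyncAppvPublishingServer.vbs` launch from a service context stays under the threshold (it is normal on hosts where App-V is in use), while the same script launched from `explorer.exe` together with the gate marker or the alias-wildcard pattern crosses it. Tuning the baseline for the interactive-parent case is what the article's EDR recommendation amounts to in practice.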