ClickFix fake CAPTCHA campaign delivering Amatera
Campaign
Summary
Hide ▲
Show ▼
A ClickFix campaign now uses a fake CAPTCHA and a signed Microsoft App-V script to deliver Amatera to Windows victims, raising the risk of credential theft and follow-on compromise. The operation abuses trusted system components to disguise malicious execution. It also layers PowerShell, WMI, and in-memory loading to reduce detection.
Related Happenings
AI-generated PowerShell Active Directory reconnaissance script
Malware Activity
H score23
First: 09.07.2026 17:00
Last: 09.07.2026 17:00
Sources 1
About this happening:
An **AI-generated PowerShell script** was used in a real **Windows intrusion**, showing how one-off malware can automate **Active Directory reconnaissance** and evade signature-ba...
AI-generated PowerShell Active Directory reconnaissance script
Malware ActivityAbout this happening: An **AI-generated PowerShell script** was used in a real **Windows intrusion**, showing how one-off malware can automate **Active Directory reconnaissance** and evade signature-ba...
Defensive guidance for splitting behavioral detections around AI coding agents on Windows endpoints
Defensive Guidance
First: 08.07.2026 20:02
Last: 08.07.2026 20:02
Sources 1
About this happening:
AI coding agents on **Windows endpoints** are triggering attacker-style detections, forcing defenders to separate benign automation from real **credential theft** risk. A **June 2...
Defensive guidance for splitting behavioral detections around AI coding agents on Windows endpoints
Defensive GuidanceAbout this happening: AI coding agents on **Windows endpoints** are triggering attacker-style detections, forcing defenders to separate benign automation from real **credential theft** risk. A **June 2...
Veil#Drop PureLog Stealer in-memory delivery operation
Malware Activity
H score30
First: 01.07.2026 17:30
Last: 01.07.2026 17:30
Sources 1
About this happening:
**Veil#Drop** is delivering **PureLog Stealer** through a **fileless** chain that keeps payloads **entirely in memory**, reducing disk artifacts and raising the chance of evading...
Veil#Drop PureLog Stealer in-memory delivery operation
Malware ActivityAbout this happening: **Veil#Drop** is delivering **PureLog Stealer** through a **fileless** chain that keeps payloads **entirely in memory**, reducing disk artifacts and raising the chance of evading...
ClickFix mitigation guidance for Windows and macOS
Defensive Guidance
H score34
First: 30.06.2026 15:00
Last: 30.06.2026 15:00
Sources 1
About this happening:
Organizations are being urged to harden defenses against **ClickFix** on **Windows** and **macOS**, reducing the chance that social-engineering lures can turn trusted dialogs into...
ClickFix mitigation guidance for Windows and macOS
Defensive GuidanceAbout this happening: Organizations are being urged to harden defenses against **ClickFix** on **Windows** and **macOS**, reducing the chance that social-engineering lures can turn trusted dialogs into...
WhatsApp VBScript infection chain installing ManageEngine RMM Central
Malware Activity
H score20
First: 23.06.2026 08:38
Last: 23.06.2026 08:38
Sources 1
About this happening:
**VBScript attachments** spread through **WhatsApp direct messages** are now driving a **multi-stage Windows infection chain** that can end in remote access to victim systems. The...
WhatsApp VBScript infection chain installing ManageEngine RMM Central
Malware ActivityAbout this happening: **VBScript attachments** spread through **WhatsApp direct messages** are now driving a **multi-stage Windows infection chain** that can end in remote access to victim systems. The...
Timeline
-
26.01.2026 23:42 2 articles · 5mo ago
BlackPoint Cyber discloses ClickFix-Amatera campaign
Initial DisclosureBlackPoint Cyber describes a new ClickFix-style campaign that starts with a fake CAPTCHA in the Windows Run dialog, abuses the signed App-V script SyncAppvPublishingServer.vbs through wscript.exe to launch PowerShell, and stages Amatera delivery with WMI, public Google Calendar configuration, PNG steganography on public CDNs, and in-memory shellcode execution. The same reporting also notes that Amatera can collect browser data and credentials and recommends restricting Run dialog access, removing unused App-V components, enabling PowerShell logging, and monitoring outbound connections for host-header or TLS SNI mismatches.
Show sources
- New ClickFix attacks abuse Windows App-V scripts to push malware — www.bleepingcomputer.com — 26.01.2026 23:42
- ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services — thehackernews.com — 27.01.2026 16:38