Find notable cyber news and cases, enriched with sources, timelines, and signals.

ClickFix fake CAPTCHA campaign delivering Amatera

Campaign
First reported
Last updated
Happening score
H score 35
2 unique sources, 2 articles

Summary

Hide ▲

A ClickFix campaign now uses a fake CAPTCHA and a signed Microsoft App-V script to deliver Amatera to Windows victims, raising the risk of credential theft and follow-on compromise. The operation abuses trusted system components to disguise malicious execution. It also layers PowerShell, WMI, and in-memory loading to reduce detection.

Related Happenings

AI-generated PowerShell Active Directory reconnaissance script

Malware Activity
H score23 First: 09.07.2026 17:00 Last: 09.07.2026 17:00 Sources 1

About this happening: An **AI-generated PowerShell script** was used in a real **Windows intrusion**, showing how one-off malware can automate **Active Directory reconnaissance** and evade signature-ba...

Defensive guidance for splitting behavioral detections around AI coding agents on Windows endpoints

Defensive Guidance
First: 08.07.2026 20:02 Last: 08.07.2026 20:02 Sources 1

About this happening: AI coding agents on **Windows endpoints** are triggering attacker-style detections, forcing defenders to separate benign automation from real **credential theft** risk. A **June 2...

Veil#Drop PureLog Stealer in-memory delivery operation

Malware Activity
H score30 First: 01.07.2026 17:30 Last: 01.07.2026 17:30 Sources 1

About this happening: **Veil#Drop** is delivering **PureLog Stealer** through a **fileless** chain that keeps payloads **entirely in memory**, reducing disk artifacts and raising the chance of evading...

ClickFix mitigation guidance for Windows and macOS

Defensive Guidance
H score34 First: 30.06.2026 15:00 Last: 30.06.2026 15:00 Sources 1

About this happening: Organizations are being urged to harden defenses against **ClickFix** on **Windows** and **macOS**, reducing the chance that social-engineering lures can turn trusted dialogs into...

WhatsApp VBScript infection chain installing ManageEngine RMM Central

Malware Activity
H score20 First: 23.06.2026 08:38 Last: 23.06.2026 08:38 Sources 1

About this happening: **VBScript attachments** spread through **WhatsApp direct messages** are now driving a **multi-stage Windows infection chain** that can end in remote access to victim systems. The...

Timeline

  1. 26.01.2026 23:42 2 articles · 5mo ago

    BlackPoint Cyber discloses ClickFix-Amatera campaign

    Initial Disclosure

    BlackPoint Cyber describes a new ClickFix-style campaign that starts with a fake CAPTCHA in the Windows Run dialog, abuses the signed App-V script SyncAppvPublishingServer.vbs through wscript.exe to launch PowerShell, and stages Amatera delivery with WMI, public Google Calendar configuration, PNG steganography on public CDNs, and in-memory shellcode execution. The same reporting also notes that Amatera can collect browser data and credentials and recommends restricting Run dialog access, removing unused App-V components, enabling PowerShell logging, and monitoring outbound connections for host-header or TLS SNI mismatches.

    Show sources