New ClickFix attacks abuse Windows App-V scripts to push malware
Recorded: Jan. 27, 2026, 1 a.m.
Original
By Bill Toulas, January 26, 2026

A new malicious campaign mixes the ClickFix method with a fake CAPTCHA and a signed Microsoft Application Virtualization (App-V) script to ultimately deliver the Amatera infostealing malware.

While App-V scripts have been leveraged in the past to evade security solutions, this is the first time this type of file has been observed in ClickFix attacks that deliver an information stealer.
[Figure: The ClickFix page. Source: BlackPoint]
[Figure: Steganographic image (left) and payload extraction logic (right). Source: BlackPoint]
[Figure: Overview of the infection chain. Source: BlackPoint]

Summarized
A new malicious campaign built on the ClickFix technique abuses a signed Windows App-V script to deliver the Amatera infostealer. A fake CAPTCHA challenge instructs victims to paste and run a command in the Windows Run dialog. That command invokes the legitimate App-V script SyncAppvPublishingServer.vbs through wscript.exe, which in turn launches PowerShell and starts the infection.

BlackPoint Cyber researchers found that the first stage performs a verification step: it checks the execution order and the integrity of the clipboard contents, which is intended to keep the chain from running inside a sandbox. If an analysis environment is detected, the script stalls with infinite waits, wasting automated analysis resources. If the checks pass, the malware retrieves its configuration, as base64-encoded values, from a public Google Calendar file.

The next stage spawns a hidden 32-bit PowerShell process via Windows Management Instrumentation (WMI), then decrypts and loads several embedded payloads in memory. Later payloads are hidden with steganography: an encrypted PowerShell payload is embedded in PNG images hosted on public CDNs and fetched at runtime through the WinINet APIs. The payload is recovered from the least significant bits (LSB) of the image data, GZip-decompressed, and executed entirely in memory. The final PowerShell stage decrypts and launches native shellcode that maps and executes the Amatera infostealer.

Once running, Amatera connects to a hardcoded IP address to retrieve its endpoint mappings and waits for additional binary payloads delivered via HTTP POST requests. Amatera is a conventional infostealer that harvests browser data and credentials from infected systems. It is based on the ACR stealer and is under active development as a malware-as-a-service (MaaS) offering.
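To make the LSB-plus-GZip stage concrete, here is an added example (written for this page, not BlackPoint's analysis code and not the campaign's loader) of the embed and extract sides of that technique. It assumes a simple layout of a 4-byte big-endian length prefix followed by the GZip-compressed script, written one bit per cover byte; the real layout, and the encryption layer the article mentions on top of it, are not shown. The cover "image" is a constructed byte string standing in for the decoded pixel bytes of a PNG, and the hidden script is a benign placeholder.

```python
import gzip
import struct

# Constructed cover: stands in for the decoded RGB channel bytes of a PNG
# (a real loader would read them from the downloaded image). Deterministic so
# the example runs offline and reproducibly.
COVER = bytes((i * 37 + 11) % 256 for i in range(4096))

# Constructed, benign stand-in for the hidden PowerShell stage.
SAMPLE_STAGE = "Write-Host 'stage two would run here'"


def lsb_embed(cover: bytes, payload: bytes) -> bytes:
    """Write a 4-byte length prefix plus payload into the low bit of each cover byte."""
    data = struct.pack(">I", len(payload)) + payload
    if len(data) * 8 > len(cover):
        raise ValueError("cover image too small for payload")
    out = bytearray(cover)
    for i, byte in enumerate(data):
        for bit in range(8):
            pos = i * 8 + bit
            out[pos] = (out[pos] & 0xFE) | ((byte >> (7 - bit)) & 1)
    return bytes(out)


def _read_lsb_bytes(stego: bytes, start_byte: int, count: int) -> bytes:
    """Reassemble `count` hidden bytes from the LSBs, starting at hidden byte `start_byte`."""
    result = bytearray()
    for i in range(start_byte, start_byte + count):
        value = 0
        for bit in range(8):
            value = (value << 1) | (stego[i * 8 + bit] & 1)
        result.append(value)
    return bytes(result)


def lsb_extract(stego: bytes) -> bytes:
    """Read the length prefix, sanity-check it against the image size, then read the payload."""
    length = struct.unpack(">I", _read_lsb_bytes(stego, 0, 4))[0]
    if (4 + length) * 8 > len(stego):
        raise ValueError("length prefix exceeds image; not a carrier or wrong layout")
    return _read_lsb_bytes(stego, 4, length)


def hide_stage(cover: bytes, script: str) -> bytes:
    """Compress the script with GZip and embed it (encryption layer deliberately omitted)."""
    return lsb_embed(cover, gzip.compress(script.encode("utf-8")))


def recover_stage(stego: bytes) -> str:
    """The receiving side: LSB extraction followed by GZip decompression."""
    return gzip.decompress(lsb_extract(stego)).decode("utf-8")


def only_lsbs_changed(cover: bytes, stego: bytes) -> bool:
    """True if the carrier differs from the cover only in bit 0 of each byte."""
    return len(cover) == len(stego) and all((a ^ b) <= 1 for a, b in zip(cover, stego))


def looks_like_carrier(data: bytes) -> bool:
    """Cheap triage check: does the data decode as a carrier in this layout?"""
    try:
        recover_stage(data)
        return True
    except Exception:
        return False


if __name__ == "__main__":
    stego = hide_stage(COVER, SAMPLE_STAGE)
    print("LSB-only change:", only_lsbs_changed(COVER, stego))
    print("recovered:", recover_stage(stego))
    print("plain cover is carrier:", looks_like_carrier(COVER))
```

The point for defenders is the last function: because the carrier is byte-for-byte a valid image and only the low bit of each channel changes, file-level signatures on the PNG are useless, and the place to catch the stage is where the LSB walk and `gzip` decompression happen in PowerShell, which is why the article's recommendation to enable PowerShell logging matters.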
Proofpoint researchers have noted that Amatera has grown in sophistication with each update. The campaign uses the ClickFix method, in which users are tricked into running a PowerShell command themselves. To mitigate these attacks, BlackPoint Cyber recommends restricting access to the Windows Run dialog via Group Policy, removing App-V components where they are not needed, enabling PowerShell logging, and monitoring outbound HTTP connections for mismatches between the HTTP Host header, the TLS SNI, and the destination IP address.
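The two detection ideas above, the process chain and the Host/SNI/destination mismatch, as an added example that is not BlackPoint's tooling or any vendor's rule. The process-creation events are constructed in a Sysmon Event ID 1 style and the script argument is a benign placeholder; the DNS mapping is a constructed stand-in for passive DNS or proxy logs. It goes slightly beyond the page in two ways: it also flags the hidden 32-bit PowerShell spawned under WmiPrvSE.exe that the article describes, and it flags HTTP flows that name no hostname at all, which is what beaconing to a hardcoded IP looks like.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style), not real telemetry.
# pid 12/15 mimic the chain in the article: Run dialog (explorer.exe parent) -> wscript.exe
# running SyncAppvPublishingServer.vbs -> powershell.exe. pid 31 mimics the later
# WMI-spawned hidden 32-bit PowerShell. pid 20/21 are benign look-alikes.
SAMPLE_EVENTS = [
    {"pid": 4, "ppid": 0, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 12, "ppid": 4, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Windows\System32\SyncAppvPublishingServer.vbs" "n;Write-Host demo"'},
    {"pid": 15, "ppid": 12, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -NoProfile -Command Write-Host demo"},
    {"pid": 20, "ppid": 4, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Scripts\logon.vbs"'},
    {"pid": 21, "ppid": 4, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe Get-Process"},
    {"pid": 30, "ppid": 0, "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "cmd": "WmiPrvSE.exe"},
    {"pid": 31, "ppid": 30, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -w hidden -nop -Command Write-Host demo"},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
POWERSHELLS = ("powershell.exe", "pwsh.exe")
APPV_SCRIPT = "syncappvpublishingserver.vbs"
HIDDEN_RE = re.compile(r"-w\w*\s+hidden")  # -w, -win, -windowstyle ... hidden


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _runs_appv_script(event: dict) -> bool:
    return _basename(event["image"]) in SCRIPT_HOSTS and APPV_SCRIPT in event["cmd"].lower()


def find_appv_abuse(events: list) -> list:
    """Return (pid, rule, severity) findings for the App-V script-host abuse chain."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        img = _basename(e["image"])
        cmd = e["cmd"].lower()
        parent = by_pid.get(e["ppid"])
        pimg = _basename(parent["image"]) if parent else ""
        # Rule 1: a script host executing the App-V publishing script (a signed
        # LOLBin that proxies PowerShell). explorer.exe parent = Run dialog or user launch.
        if _runs_appv_script(e):
            findings.append((e["pid"], "appv-script-host", "high" if pimg == "explorer.exe" else "medium"))
        if img in POWERSHELLS:
            # Rule 2: PowerShell whose ancestry (up to 5 hops) includes a rule-1 process.
            anc, depth = parent, 0
            while anc is not None and depth < 5:
                if _runs_appv_script(anc):
                    findings.append((e["pid"], "powershell-from-appv-script", "high"))
                    break
                anc, depth = by_pid.get(anc["ppid"]), depth + 1
            # Rule 3: hidden or 32-bit PowerShell launched by the WMI provider host;
            # WMI breaks the parent link back to the script host, so match this directly.
            if pimg == "wmiprvse.exe" and ("syswow64" in e["image"].lower() or HIDDEN_RE.search(cmd)):
                findings.append((e["pid"], "wmi-spawned-hidden-powershell", "high"))
    return findings


# Constructed resolver view: hostname -> IPs it legitimately resolves to (documentation ranges).
SAMPLE_DNS = {"cdn.example.net": {"203.0.113.10"}, "updates.example.org": {"198.51.100.7"}}


def flow_mismatch(flow: dict, dns: dict) -> list:
    """Reasons an outbound HTTP(S) flow is inconsistent: Host vs SNI vs destination IP."""
    reasons = []
    host, sni, dst = flow.get("host"), flow.get("sni"), flow["dst_ip"]
    if host and sni and host.lower() != sni.lower():
        reasons.append("host-header differs from sni")
    for label, name in (("host", host), ("sni", sni)):
        if name and dst not in dns.get(name.lower(), set()):
            reasons.append(f"{label} {name} does not resolve to {dst}")
    if not host and not sni:
        reasons.append("bare-ip connection with no host/sni")
    return reasons


if __name__ == "__main__":
    for finding in find_appv_abuse(SAMPLE_EVENTS):
        print(finding)
    print(flow_mismatch({"dst_ip": "192.0.2.55", "sni": "cdn.example.net", "host": "cdn.example.net"}, SAMPLE_DNS))
```

Rule 1 is the cheapest and most specific: SyncAppvPublishingServer.vbs has almost no legitimate reason to be launched from the Run dialog, so an explorer.exe parent is treated as high severity. Rule 3 exists because WMI-spawned processes are children of WmiPrvSE.exe, not of the script host, so a rule that only walks the process tree would miss the second stage.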