This campaign revolves around a Fake CAPTCHA lure, but what makes it notable is not the social engineering itself—it’s how carefully the attackers control execution from start to finish. Rather than exploiting a vulnerability or dropping malware immediately, the chain is designed to validate user behavior, execution order, and environment suitability before progressing. Every stage reinforces the idea that delivery is not just a transport mechanism, but a core part of the attack logic.
At the center of this activity is the abuse of a signed Microsoft Application Virtualization (App-V) script, SyncAppvPublishingServer.vbs, which is repurposed as a living-off-the-land binary (LOLBIN). Instead of launching PowerShell directly, the attacker proxies execution through this legitimate Microsoft component, reshaping the process lineage and avoiding common, high-signal execution paths.
Fake CAPTCHA as a User-Driven Execution Gate
The infection chain begins with a Fake CAPTCHA prompt instructing the user to paste and execute a command via the Windows Run dialog. The action is framed as a required step to complete a human verification challenge. This tactic has become increasingly common, but in this campaign it serves a deeper purpose than simple initial execution.
Rather than immediately delivering malware, the early stages are designed to confirm that the user manually executed the command and that execution unfolded in the expected order. If these conditions are not met, the chain does not fail loudly or exit—it quietly stalls. This behavior makes the delivery flow itself a detection-evasion mechanism, frustrating automated analysis and sandbox detonation that lack realistic user interaction.
Proxying Execution Through App-V
Instead of invoking PowerShell directly, the supplied command launches wscript.exe, which executes SyncAppvPublishingServer.vbs, a signed script normally used to publish and manage virtualized enterprise applications. In this context, the script is abused as a trusted proxy for PowerShell execution.
This alters the execution chain from the commonly monitored explorer.exe → powershell.exe path into explorer.exe → wscript.exe → SyncAppvPublishingServer.vbs → powershell.exe. On systems where App-V components are present, this execution pattern can blend in as legitimate enterprise activity.
App-V is not universally available. It is built into Enterprise and Education editions of Windows 10 and Windows 11, as well as modern Windows Server releases, but is absent on Home and Pro editions. This limitation becomes an advantage for the attacker. Systems without App-V fail early, filtering out many sandbox environments and lower-value hosts while favoring enterprise-managed machines.
As part of initial execution, the command sets a temporary environment variable named ALLUSERSPROFILE_X to an opaque value. While meaningless on its own, this value later becomes a critical execution marker used to validate user-driven interaction.
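The lineage change and the marker variable described above are both visible in process-creation telemetry. The following is an added detection sketch (not code from the original analysis) that walks Sysmon-style events and flags the App-V proxy pattern; the event field names and the sample events are constructed for this example.

```python
from dataclasses import dataclass

# Constructed process-creation events in a Sysmon-style shape; the field names
# (pid, ppid, image, cmdline) are an assumption of this example, not real telemetry.
@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # its command line

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
POWERSHELLS = ("powershell.exe", "pwsh.exe")
APPV_SCRIPT = "syncappvpublishingserver.vbs"
MARKER_VAR = "allusersprofile_x"

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return sorted (pid, rule_name) findings for the App-V proxy pattern."""
    by_pid = {e.pid: e for e in events}
    findings = set()
    for ev in events:
        me, cmd = basename(ev.image), ev.cmdline.lower()
        parent = by_pid.get(ev.ppid)
        # Rule 1: a script host running the signed App-V publishing script at all.
        if me in SCRIPT_HOSTS and APPV_SCRIPT in cmd:
            findings.add((ev.pid, "appv_script_as_proxy"))
        # Rule 2: PowerShell whose parent is wscript/cscript, and specifically the App-V script.
        if me in POWERSHELLS and parent and basename(parent.image) in SCRIPT_HOSTS:
            findings.add((ev.pid, "powershell_spawned_by_script_host"))
            if APPV_SCRIPT in parent.cmdline.lower():
                findings.add((ev.pid, "powershell_via_appv_script"))
        # Rule 3: the execution-marker variable showing up anywhere on a command line.
        if MARKER_VAR in cmd:
            findings.add((ev.pid, "execution_marker_envvar"))
    return sorted(findings)

# Constructed sample: the argument to the .vbs is a placeholder, not the campaign's command.
SAMPLE_EVENTS = [
    ProcEvent(1000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2000, 1000, r"C:\Windows\System32\wscript.exe",
              r"wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs "
              '"<placeholder argument setting ALLUSERSPROFILE_X=<opaque-marker>>"'),
    ProcEvent(3000, 2000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe <placeholder>"),
    # Benign control: PowerShell started straight from explorer.exe is not flagged here.
    ProcEvent(4000, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe"),
]

if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(pid, rule)
```

On hosts where App-V is legitimately used, rule 1 alone will fire on benign publishing refreshes, so the combined rule 2 finding (PowerShell whose parent command line names the script) is the higher-signal alert.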
Alias Abuse and In-Memory Loaders
The embedded PowerShell logic avoids obvious strings and sensitive cmdlet names by reconstructing functionality at runtime. Aliases such as gal (Get-Alias) and gcm (Get-Command) are combined with wildcard matching to dynamically resolve high-risk cmdlets like Invoke-Expression and Invoke-RestMethod. This technique minimizes static indicators and complicates detection.
Once reconstructed, the script retrieves a remote PowerShell stage and executes it entirely in memory. That returned script, identified as herf54, contains no immediately readable logic. Instead, it consists of thousands of variables with cmdlet-like names, each holding short base64 fragments. At runtime, these fragments are assembled into an ordered array, concatenated, decoded, and executed via ScriptBlock.Create. This stage exists purely to bury the next loader under overwhelming noise.
Custom Networking and Clipboard-Based Gating
The decoded loader implements its own HTTPS retrieval routine using System.Net.Sockets.TcpClient and System.Net.Security.SslStream, manually constructing HTTP requests and parsing responses. This avoids standard PowerShell networking cmdlets and the telemetry associated with them.
Before progressing, the loader enforces another execution gate tied to clipboard contents. It resolves clipboard access through obfuscation, ultimately calling Get-Clipboard and checking for a marker matching the earlier ALLUSERSPROFILE_X value. If the marker is missing, the script displays decoy pop-ups using WScript.Shell.Popup() and then stalls indefinitely using ManualResetEvent().WaitOne(). This behavior intentionally prevents clean failure in sandbox environments.
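The alias-and-wildcard resolution, the fragment-variable noise of herf54, the custom TLS socket code and the clipboard gate described in the two sections above all leave distinctive strings in Script Block Logging (Event ID 4104). The following is an added example, not the analysis' own tooling, that scores a script block against those indicators; the sample script blocks, the regexes and the fragment threshold are constructed assumptions.

```python
import base64
import re

# Script-block indicators, each one named in the analysis above.
INDICATORS = [
    ("alias_wildcard_resolution",
     re.compile(r"\b(?:gal|gcm|get-alias|get-command)\b[^\n;|]{0,40}\*", re.I)),
    ("scriptblock_create", re.compile(r"scriptblock[\]\.:]*create", re.I)),
    ("raw_tls_socket", re.compile(
        r"System\.Net\.Sockets\.TcpClient|System\.Net\.Security\.SslStream", re.I)),
    ("clipboard_marker_gate", re.compile(r"get-clipboard", re.I)),
    ("indefinite_stall", re.compile(r"ManualResetEvent[\s\S]{0,200}?WaitOne", re.I)),
    ("decoy_popup", re.compile(r"WScript\.Shell[\s\S]{0,200}?\.Popup\(", re.I)),
]
# A variable assigned a short base64-looking literal; the herf54 stage holds thousands.
FRAGMENT_ASSIGN = re.compile(r"\$\w+\s*=\s*['\"][A-Za-z0-9+/]{4,32}={0,2}['\"]")
FRAGMENT_THRESHOLD = 50   # tuning knob, an assumption of this example

def score_script_block(text: str) -> dict:
    """Return per-indicator booleans, the fragment-assignment count and a total score."""
    hits = {name: bool(rx.search(text)) for name, rx in INDICATORS}
    hits["fragment_assignments"] = len(FRAGMENT_ASSIGN.findall(text))
    hits["fragment_noise"] = hits["fragment_assignments"] >= FRAGMENT_THRESHOLD
    hits["score"] = sum(1 for v in hits.values() if v is True)
    return hits

def build_fragment_noise(n: int) -> str:
    """Constructed stand-in for herf54: n cmdlet-named variables holding 8-char base64 slices."""
    blob = base64.b64encode(b"constructed sample text " * n).decode()
    lines = [f"$Get{i}Item = '{blob[8 * i:8 * i + 8]}'" for i in range(n)]
    lines.append("$joined = -join @(" + ",".join(f"$Get{i}Item" for i in range(n)) + ")")
    lines.append("& ([ScriptBlock]::Create([Text.Encoding]::UTF8.GetString("
                 "[Convert]::FromBase64String($joined))))")
    return "\n".join(lines)

# Constructed sample of the loader's gating logic (placeholders, not the real stage).
CONSTRUCTED_LOADER = """
$a = gal i*x*
$b = gcm *Invoke-Rest*
$tcp = New-Object System.Net.Sockets.TcpClient($srv, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream())
if ((Get-Clipboard) -notmatch $marker) {
  (New-Object -ComObject WScript.Shell).Popup('Verification failed', 0)
  (New-Object System.Threading.ManualResetEvent($false)).WaitOne()
}
"""
BENIGN_SCRIPT = "Get-Process | Where-Object CPU -gt 100 | Export-Csv report.csv"
```

Because the loader never fails cleanly, a script block that scores on the clipboard gate plus the stall is worth triaging even when the sandbox reports nothing else happened.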
Configuration via Google Calendar
Once clipboard validation succeeds, the loader retrieves configuration data from a public Google Calendar .ics file. Although presented as a calendar object, the file is treated as plain text and parsed manually. The loader searches for a VEVENT entry with a SUMMARY value of povvv and extracts the associated DESCRIPTION field.
After normalization and base64 decoding, the configuration resolves to three values controlling subsequent delivery stages. One of these is used to issue an additional execution-gate request incorporating the clipboard token, reinforcing execution ordering and user interaction validation.
The loader then generates a victim-specific subdomain by hashing environment-derived values with MD5 and truncating the result to eight hexadecimal characters. This subdomain is combined with configuration parameters to form the next request URL.
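Pulling the configuration out of a captured .ics during triage means undoing calendar line folding and text escaping before the base64 step. The following is an added analyst helper, not the blog's or the malware's code; the sample calendar, the placeholder values and the newline separator between them are constructed assumptions.

```python
import base64
import re

def unfold_ics(text: str) -> list:
    """Undo RFC 5545 line folding: a physical line starting with space/tab continues the previous one."""
    lines = []
    for raw in text.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def ics_events(text: str) -> list:
    """Return each VEVENT as {PROPERTY: value}; property parameters (after ';') are dropped."""
    events, cur = [], None
    for line in unfold_ics(text):
        if line == "BEGIN:VEVENT":
            cur = {}
        elif line == "END:VEVENT" and cur is not None:
            events.append(cur)
            cur = None
        elif cur is not None and ":" in line:
            key, value = line.split(":", 1)
            cur[key.split(";", 1)[0].upper()] = value
    return events

def unescape_ics(value: str) -> str:
    # Text values escape newline, backslash, comma and semicolon with a backslash.
    return re.sub(r"\\([nN\\,;])", lambda m: "\n" if m.group(1) in "nN" else m.group(1), value)

def extract_config(text: str, summary: str = "povvv"):
    """Locate the VEVENT whose SUMMARY is `summary`, normalize its DESCRIPTION, base64-decode it."""
    for ev in ics_events(text):
        if ev.get("SUMMARY") == summary and "DESCRIPTION" in ev:
            b64 = re.sub(r"\s+", "", unescape_ics(ev["DESCRIPTION"]))  # strip folding residue
            b64 += "=" * (-len(b64) % 4)                                # tolerate missing padding
            return base64.b64decode(b64).decode("utf-8", "replace")
    return None

# Constructed stand-in for basic.ics with three placeholder values; the newline
# separator between values is an assumption, not something the analysis states.
SAMPLE_CONFIG = "https://gate.example.invalid/check\nhttps://cdn.example.invalid/img\nplaceholder-key"
_b64 = base64.b64encode(SAMPLE_CONFIG.encode()).decode()
SAMPLE_ICS = "\r\n".join([
    "BEGIN:VCALENDAR", "VERSION:2.0",
    "BEGIN:VEVENT", "SUMMARY:Team sync", "DESCRIPTION:Weekly status meeting", "END:VEVENT",
    "BEGIN:VEVENT", "SUMMARY:povvv",
    "DESCRIPTION:" + _b64[:60], " " + _b64[60:],   # one logical line folded across two
    "END:VEVENT", "END:VCALENDAR", ""])
```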
Steganographic Payload Delivery
Later stages transition to PNG-based steganography. Instead of downloading scripts directly, the loader retrieves a benign-looking PNG image from one of several public CDNs. Using System.Drawing, it accesses the raw pixel buffer and extracts hidden data using Least Significant Bit (LSB) steganography.
The loader first reconstructs a payload length from the initial bits, then deterministically rebuilds each byte from pixel data. The extracted stream is decrypted using a repeating XOR operation with a derived key, then GZip-decompressed and executed entirely in memory. No intermediate files are written to disk.
Transition to Native Execution and Amatera Stealer
The final PowerShell stages serve only to decrypt and stage shellcode in memory. Using native Windows system calls such as NtAllocateVirtualMemory and NtProtectVirtualMemory, the loader allocates executable memory and transfers execution to the shellcode via a new thread.
That shellcode maps and executes Amatera Stealer, an established information-stealing malware family. The payload communicates with its command-and-control server using layered encryption, direct socket operations via \Device\Afd\Endpoint, and spoofed HTTP Host headers. Configuration and tasking are handled dynamically, consistent with previously observed Amatera campaigns.
IOCs
| Filename | Hash | Context / Notes |
|---|---|---|
| herf54 | b61fe68f0b1bef12eed8a34769120d77579af9d3c529ac48dfe82a08eefa001b | Retrieved from initial Fake CAPTCHA |
| basic.ics | 64d723ead9b43a049f9c8e23c8d4ec09ffabeac2d9b079c863c89a4aab7c9a45 | Malicious Google Calendar .ics file |
| N/A | 9c35e9f637365706c00acaa050a4510adfcb47e7052b870c6d07f6d4464ac2d2 | Intermediary PowerShell stage returned from Google Calendar C2 callout |
| N/A | 3df78f628494b9d8d560ee2841fc3b5da6eecf9397f693f4416dab9e573ce38f | Intermediary PowerShell stage leveraging PNG stego |
| qhs9hr5gPqez.png | bbfc4b48676aa78b5f18b50e733837a94df744da329fe5b1b7ba6920d9e02dc3 | PNG embedded with PowerShell payload |
| fOa2bcJ.png | bbfc4b48676aa78b5f18b50e733837a94df744da329fe5b1b7ba6920d9e02dc3 | PNG embedded with PowerShell payload |
| YzkCM2.png | bbfc4b48676aa78b5f18b50e733837a94df744da329fe5b1b7ba6920d9e02dc3 | PNG embedded with PowerShell payload |
| N/A | 5339d1169e2187a482fcbc86ea94e9799bb9dbaf264622595ee6e94b54b51778 | Decompressed PowerShell payload extracted from PNG |
| N/A | d8db6df5c28db9967206c652d5f48d46b6f863b4c4abb2f234ce8f41aea601cc | Final stage PowerShell shellcode loader |
| N/A | 18dad9cb91fb97a817e00fa0cd1cb9ab59f672b8ddab29f72708787f19bf6aa1 | Shellcode loader for Amatera |
Why This Campaign Matters
Nothing about the final payload is particularly novel. What makes this campaign significant is how intentionally every stage is engineered to avoid attention. By combining signed Microsoft components, user-assisted execution, clipboard-based gating, third-party infrastructure, and fully in-memory loaders, the attackers optimize for reliability and longevity.
This is the kind of activity that bypasses environments tuned to detect obvious malware and only surfaces once the damage is already done. As Fake CAPTCHA lures continue to thrive, defenders must focus not just on what executed, but on how trust was abused to let it execute at all.
