It starts with a simple, annoying verification box: “I am not a robot.” But a new campaign identified by The Blackpoint SOC is turning that routine click into a sophisticated infection chain that abuses trusted Microsoft tools and Google services to smuggle malware past defenders.
The Blackpoint SOC has released a report detailing a “new Fake CAPTCHA campaign” that relies on a complex web of deception, steganography, and legitimate infrastructure to deliver the Amatera Stealer.
The attack begins with a “Fake CAPTCHA social engineering prompt,” the lure widely known as ClickFix, which has spread rapidly over the past year. Instead of clicking images of traffic lights, the victim is told to open the Windows Run dialog, paste a command the page has silently placed on the clipboard, and press Enter. No exploit is involved: the user launches the first stage by hand.

But the pasted command does not invoke PowerShell directly. The attackers “proxy execution through a legitimate Windows component” called SyncAppvPublishingServer.vbs.
This script ships with Windows for the Microsoft Application Virtualization (App-V) client, where it synchronizes the list of published applications from an App-V publishing server. In this campaign it serves as a “LOLBIN” (Living Off the Land Binary): a signed, Microsoft-supplied file repurposed to start the attacker's code. “Instead of launching PowerShell directly, the attacker uses this script to control how execution begins and to avoid more common, easily recognized execution paths”.
Because the visible process chain is the Windows script host (wscript.exe) running a Microsoft App-V script, which then starts PowerShell, it resembles routine system activity, allowing the attack to “slip past environments built to detect obvious malware”.
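The process chain described above is still visible in endpoint telemetry; what changes is the parent. As an added example (not code from the Blackpoint report), the following Python detector walks a small set of constructed process-creation records modelled on Sysmon Event ID 1 and flags wscript.exe or cscript.exe running SyncAppvPublishingServer.vbs with a PowerShell child. It rates the hit higher when the script host's parent is explorer.exe (an interactive launch, as with a Run-dialog paste) or when the script's argument contains a semicolon, the argument-injection form the LOLBAS project documents for this script. The sample events, the benign App-V sync used for comparison and the placeholder second-stage command are all hypothetical.

```python
import ntpath
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record, modelled on Sysmon Event ID 1 fields."""
    pid: int
    ppid: int
    image: str
    cmdline: str


APPV_SCRIPT = "syncappvpublishingserver.vbs"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def find_appv_proxy_execution(events):
    """Flag wscript/cscript running SyncAppvPublishingServer.vbs with a PowerShell child.

    One alert per suspicious script-host process. Severity is 'high' when the launch
    looks interactive (parent explorer.exe, as with a Run-dialog paste) or the script
    argument carries a ';'-injected command; otherwise 'review', so that a genuine
    App-V publishing sync is surfaced for a look rather than blocked outright.
    """
    by_pid = {e.pid: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)

    alerts = []
    for e in events:
        if _name(e.image) not in SCRIPT_HOSTS or APPV_SCRIPT not in e.cmdline.lower():
            continue
        ps_children = [c for c in children.get(e.pid, []) if _name(c.image) in POWERSHELL]
        if not ps_children:
            continue
        parent = by_pid.get(e.ppid)
        parent_name = _name(parent.image) if parent else "unknown"
        # Everything after the script name is the argument the .vbs hands on to PowerShell.
        script_arg = e.cmdline.lower().split(APPV_SCRIPT, 1)[1]
        injected = ";" in script_arg
        interactive = parent_name == "explorer.exe"
        alerts.append({
            "pid": e.pid,
            "parent": parent_name,
            "child_pids": [c.pid for c in ps_children],
            "argument_injection": injected,
            "interactive_launch": interactive,
            "severity": "high" if (injected or interactive) else "review",
        })
    return alerts


# Constructed sample telemetry (hypothetical; not logs from the Blackpoint report).
# The second-stage PowerShell content is deliberately left as a placeholder.
SAMPLE_EVENTS = [
    ProcEvent(700, 4, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    ProcEvent(1000, 500, r"C:\Windows\explorer.exe", "explorer.exe"),
    # Run-dialog paste: explorer.exe -> wscript.exe (App-V script) -> powershell.exe
    ProcEvent(1100, 1000, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs "n;<stage-2 command>"'),
    ProcEvent(1200, 1100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -WindowStyle Hidden -Command <stage-2 command>"),
    # Hypothetical benign comparison: a service-driven sync with no injected argument.
    ProcEvent(1300, 700, r"C:\Windows\System32\cscript.exe",
              r"cscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs n"),
    ProcEvent(1310, 1300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NonInteractive -Command Sync-AppvPublishingServer ..."),
]

if __name__ == "__main__":
    for alert in find_appv_proxy_execution(SAMPLE_EVENTS):
        print(alert)
```

The point of the two-tier severity is that the script itself is legitimate on an App-V host; the interactive parent and the injected argument are what separate the lure from an administrator's sync.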
The sophistication doesn’t stop at the launch. The malware includes “execution gates” that check whether the user actually performed the manual steps. If the expected clipboard data isn’t present, the malware “quietly stalls,” so a sandbox that runs the pasted command without the clipboard contents a real victim would have never sees the next stage.
Once it confirms a real victim is on the hook, the malware reaches out for its orders—not to a suspicious server, but to Google Calendar.
“First, it pulls live configuration from a public Google Calendar file, an example of attackers living off someone else’s infrastructure to keep delivery logic flexible”.
By hiding stage configuration inside a standard .ics calendar file served from Google’s own domain, the attackers can “update, rotate, or disable parts of the chain without redeploying earlier stages”.
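A defender who pulls the same calendar can look at it the way the loader does. As an added example (not the report's code, and the report does not give the layout of the real calendar entries), the following Python parses an .ics feed with RFC 5545 line unfolding and text unescaping, then flags any VEVENT whose free-text fields carry a URL or a long base64-looking token, which is what configuration smuggled into a calendar tends to look like. The sample feed, its UIDs, hostnames and the blob are constructed.

```python
import re

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
BLOB_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # long base64-looking run
TEXT_PROPS = ("SUMMARY", "DESCRIPTION", "LOCATION")


def unfold(text: str):
    """Undo RFC 5545 line folding: a line starting with space/tab continues the previous one."""
    lines = []
    for raw in text.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
    return lines


def unescape(value: str) -> str:
    """Reverse RFC 5545 text escaping (\\n, \\N, \\, \\; and \\\\)."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "N": "\n"}.get(m.group(1), m.group(1)), value)


def split_prop(line: str):
    """Split 'NAME;PARAM="a:b":value' at the first ':' that is not inside quotes."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ":" and not in_quotes:
            return line[:i], line[i + 1:]
    return None, None


def parse_events(ics_text: str):
    """Return one dict per VEVENT mapping property name -> unescaped value.
    Property parameters are dropped; only the bare name is kept as the key."""
    events, current = [], None
    for line in unfold(ics_text):
        name, value = split_prop(line)
        if name is None:
            continue
        name = name.split(";", 1)[0].upper()
        if name == "BEGIN" and value.upper() == "VEVENT":
            current = {}
        elif name == "END" and value.upper() == "VEVENT" and current is not None:
            events.append(current)
            current = None
        elif current is not None:
            current[name] = unescape(value)
    return events


def suspicious_events(events):
    """Flag events whose free-text fields carry URLs or long base64-like blobs."""
    hits = []
    for ev in events:
        indicators = []
        for prop in TEXT_PROPS:
            val = ev.get(prop, "")
            indicators += [("url", m) for m in URL_RE.findall(val)]
            indicators += [("blob", m) for m in BLOB_RE.findall(val)]
        if indicators:
            hits.append({"uid": ev.get("UID", "?"), "summary": ev.get("SUMMARY", ""),
                         "indicators": indicators})
    return hits


# Constructed sample feed (hypothetical): one ordinary meeting and one entry
# whose DESCRIPTION carries a folded line with a URL and a base64-looking key.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "PRODID:-//constructed sample//EN\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:team-sync-01@example.invalid\r\n"
    "SUMMARY:Weekly sync\r\n"
    "DESCRIPTION:Agenda\\, roadmap\\; bring questions\r\n"
    "DTSTART:20250101T100000Z\r\n"
    "END:VEVENT\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:cfg-7f3a@example.invalid\r\n"
    "SUMMARY:reminder\r\n"
    "DESCRIPTION:img=https://images.example.invalid/i/a1b2.png\\nkey=" + "QUFB" * 6 + "\r\n"
    " " + "QUFB" * 6 + "\r\n"
    "DTSTART:20250102T100000Z\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

if __name__ == "__main__":
    for hit in suspicious_events(parse_events(SAMPLE_ICS)):
        print(hit)
```

Unfolding before matching matters: a blob split across a folded continuation line would otherwise fall under the length threshold on each half.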
The final stage of delivery uses steganography, the practice of hiding data inside an innocuous carrier, in this case an image. The malware downloads benign-looking PNG files from public image hosting sites. The pixel data of those images carries an encrypted payload that an ordinary viewer renders as a normal picture.
“The embedded payload is extracted, decrypted, and decompressed entirely in memory before execution transitions from PowerShell into native shellcode”.
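To make the pixel-hiding and in-memory recovery concrete, here is an added Python example (not the campaign's code; the report names neither the embedding scheme nor the cipher). It uses the simplest form of image steganography, one payload bit in the least significant bit of each channel byte, with a length header in front, then recovers the payload and decompresses it entirely in memory. The decryption step the report describes sits between extraction and decompression in the real chain and is omitted here because its algorithm is not given. The cover is a constructed smooth gradient standing in for a PNG's raw channel bytes, and the payload is constructed text; a packed-LSB entropy measure is included as a rough triage signal, with its limits noted below.

```python
import math
import zlib
from collections import Counter


def embed_lsb(cover: bytes, payload: bytes) -> bytes:
    """Write a 4-byte big-endian length header plus payload, one bit per cover byte,
    into the least significant bit of successive bytes of the cover."""
    data = len(payload).to_bytes(4, "big") + payload
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("cover too small for payload")
    out = bytearray(cover)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def _bits_to_bytes(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def extract_lsb(stego: bytes) -> bytes:
    """Reverse of embed_lsb: read the length header, then exactly that many bytes."""
    bits = [b & 1 for b in stego]
    if len(bits) < 32:
        raise ValueError("carrier too short for a length header")
    length = int.from_bytes(_bits_to_bytes(bits[:32]), "big")
    end = 32 + 8 * length
    if end > len(bits):
        raise ValueError("length header exceeds carrier size")
    return _bits_to_bytes(bits[32:end])


def recover_in_memory(stego: bytes) -> bytes:
    """Extract, then decompress, without touching disk. The campaign's decryption
    step would sit between these two calls; its cipher is not given in the report."""
    return zlib.decompress(extract_lsb(stego))


def lsb_entropy(buf: bytes) -> float:
    """Shannon entropy (bits per byte) of the packed LSB plane. A smooth synthetic
    cover has a near-constant LSB plane (entropy near 0); an embedded compressed blob
    raises it. Photographic LSB planes are noisy to begin with, so on real images this
    is only a weak hint, not a verdict."""
    bits = [b & 1 for b in buf]
    packed = _bits_to_bytes(bits[: len(bits) - len(bits) % 8])
    n = len(packed)
    return -sum(c / n * math.log2(c / n) for c in Counter(packed).values())


def make_cover(n: int) -> bytes:
    """Constructed stand-in for raw channel bytes: a gradient in 4-byte steps."""
    return bytes((i // 4) % 256 for i in range(n))


# Constructed payload (hypothetical configuration text, not shellcode).
PAYLOAD_TEXT = b"constructed stage-3 config: next=https://images.example.invalid/x.png; tag=sample"

if __name__ == "__main__":
    cover = make_cover(2048)
    stego = embed_lsb(cover, zlib.compress(PAYLOAD_TEXT))
    print("recovered:", recover_in_memory(stego))
    print("LSB entropy cover / stego:", lsb_entropy(cover), lsb_entropy(stego))
```

The carrier keeps its size and looks unchanged to the eye, which is why the report stresses that nothing in the download itself draws attention; detection has to come from the PowerShell process that fetches images and then transitions into native code, not from the image.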
At the end of this attack flow lies Amatera Stealer, a well-known malware family designed to “harvest browser data and credentials”. While the payload itself is familiar, the method of delivery is what has researchers alarmed.
“What makes this campaign worth paying attention to isn’t the payload itself, but how deliberately it avoids drawing attention along the way”.
By combining trusted Microsoft scripts, Google Calendar, and image steganography, the actors are “optimizing for reliability,” ensuring their attack works only when it’s supposed to—and stays invisible when it’s not.