Security researchers have identified an expanding ClickFix attack campaign that combines fake CAPTCHA pages with signed Microsoft Application Virtualization scripts to distribute the Amatera information stealer.

Attack Technique

ClickFix Method

ClickFix attacks manipulate users into executing malicious commands:

  1. Lure: User visits compromised or malicious website
  2. Fake CAPTCHA: Page displays fake verification prompt
  3. Clipboard hijacking: Malicious PowerShell copied to clipboard
  4. User execution: Victim instructed to paste and run command
  5. Payload delivery: Malware downloads and executes

Signed Script Abuse

This campaign leverages legitimate Microsoft Application Virtualization (App-V) scripts:

  • Scripts are digitally signed by Microsoft
  • Security tools may trust signed executables
  • Bypasses some application whitelisting controls
  • Adds legitimacy to malicious activity

Amatera Stealer

The Amatera information stealer targets:

  • Browser data: Passwords, cookies, history, autofill
  • Cryptocurrency wallets: Seed phrases, private keys
  • Application credentials: Discord, Telegram, gaming platforms
  • System information: Hardware IDs, installed software
  • Files: Documents matching specified patterns

Indicators of Compromise

Behavioral indicators:

  • PowerShell execution from unusual parent processes
  • Clipboard monitoring activity
  • Connections to Telegram or Discord APIs for exfiltration
  • Access to browser credential stores

User-facing indicators:

  • Unexpected CAPTCHA prompts on trusted sites
  • Requests to open Run dialog (Win+R)
  • Instructions to paste clipboard contents
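The behavioral indicators above can be turned into a simple correlation rule. The following is an added example (not from the report or from any vendor tool) that scores PowerShell processes in constructed, Sysmon-like telemetry: a launch from an unusual parent such as explorer.exe (how a Win+R Run-dialog launch appears) is medium, and a later connection from that same process to a Telegram or Discord API host raises it to high. The parent list and the exact API hostnames are assumptions.

```python
from dataclasses import dataclass

# Assumed parent images that should rarely launch PowerShell on a user workstation.
# explorer.exe is listed because a Run-dialog (Win+R) launch shows up as
# explorer.exe -> powershell.exe in process-creation telemetry.
SUSPICIOUS_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Telegram/Discord API hostnames (assumed; the report names only the services).
EXFIL_HOSTS = {"api.telegram.org", "discord.com", "discordapp.com"}


@dataclass
class Event:
    """Minimal Sysmon-like record: kind is 'process' or 'network'."""
    kind: str
    pid: int
    image: str = ""
    parent: str = ""
    dest_host: str = ""


def detect_clickfix(events):
    """Score each PowerShell process; returns {pid: severity}.

    'medium': PowerShell launched from a suspicious parent.
    'high':   that same process later connects to a Telegram/Discord API host.
    Network events for processes never flagged at launch are ignored, and
    pid reuse is not handled (a real rule would also key on process GUID).
    """
    severity = {}
    for e in events:
        if e.kind == "process" and e.image.lower() == "powershell.exe":
            if e.parent.lower() in SUSPICIOUS_PARENTS:
                severity[e.pid] = "medium"
        elif e.kind == "network" and e.pid in severity:
            if e.dest_host.lower() in EXFIL_HOSTS:
                severity[e.pid] = "high"
    return severity


# Constructed sample telemetry (not from a real incident).
SAMPLE_EVENTS = [
    Event("process", 4120, image="powershell.exe", parent="explorer.exe"),  # Win+R launch
    Event("network", 4120, dest_host="api.telegram.org"),                  # exfil-style call
    Event("process", 5000, image="powershell.exe", parent="code.exe"),      # developer shell
    Event("network", 5000, dest_host="github.com"),
    Event("process", 6100, image="powershell.exe", parent="chrome.exe"),    # flagged, no exfil seen
]

if __name__ == "__main__":
    for pid, sev in detect_clickfix(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {sev}")
```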

Protection Measures

For Organizations

  1. Block PowerShell execution for standard users where possible
  2. Deploy EDR with behavioral detection capabilities
  3. Train users on ClickFix social engineering tactics
  4. Monitor clipboard activity on endpoints
  5. Restrict Run dialog access via Group Policy

For Individuals

  1. Never paste commands you don’t understand
  2. Be suspicious of unusual verification requests
  3. Verify website legitimacy before interacting
  4. Use password managers instead of browser storage
  5. Enable MFA on all accounts