A new malicious campaign combines the ClickFix method with a fake CAPTCHA and a signed Microsoft Application Virtualization (App-V) script to ultimately deliver the Amatera info-stealing malware.
The Microsoft App-V script acts as a living-off-the-land binary that proxies the execution of PowerShell through a trusted Microsoft component to disguise the malicious activity.
Microsoft Application Virtualization is an enterprise Windows feature that allows applications to be packaged and run in isolated virtual environments without actually being installed on the system.
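
Detection logic for the proxy-execution chain described above, as an added example that is not part of the original article: it flags PowerShell launched by a Windows script host that is running the App-V script, and downgrades the verdict on hosts where App-V is really deployed. The script name `SyncAppvPublishingServer.vbs`, the event field names and the App-V host inventory are assumptions; the article names none of them.

```python
import re

# Assumption: the article does not name the script. SyncAppvPublishingServer.vbs,
# a signed App-V script that ships with Windows, is used as the watched name.
APPV_SCRIPTS = ("syncappvpublishingserver.vbs",)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
POWERSHELL = ("powershell.exe", "pwsh.exe")

def basename(path):
    """Lower-cased file name of a Windows path, quotes stripped."""
    return re.split(r"[\\/]", path.strip('"'))[-1].lower()

def classify(event, appv_hosts):
    """Return None, 'review' or 'alert' for one process-creation event."""
    if basename(event["image"]) not in POWERSHELL:
        return None
    if basename(event["parent_image"]) not in SCRIPT_HOSTS:
        return None
    parent_cmd = event["parent_command_line"].lower()
    if not any(name in parent_cmd for name in APPV_SCRIPTS):
        return None
    # Where App-V is really deployed this chain can be legitimate: review, not alert.
    return "review" if event["host"].lower() in appv_hosts else "alert"

def triage(events, appv_hosts):
    """Return (host, verdict) for every event that matches the chain."""
    hosts = {h.lower() for h in appv_hosts}
    hits = []
    for ev in events:
        verdict = classify(ev, hosts)
        if verdict:
            hits.append((ev["host"], verdict))
    return hits

# Constructed process-creation events (fields modelled on Sysmon Event ID 1).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WS = r"C:\Windows\System32\wscript.exe"
APPV = WS + r" C:\Windows\System32\SyncAppvPublishingServer.vbs <arguments omitted>"
SAMPLE_EVENTS = [
    {"host": "WS-0417", "image": PS, "parent_image": WS, "parent_command_line": APPV},
    {"host": "APPV-01", "image": PS, "parent_image": WS, "parent_command_line": APPV},
    {"host": "WS-0417", "image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "parent_command_line": r"C:\Windows\explorer.exe"},
    {"host": "WS-0522", "image": PS, "parent_image": WS,
     "parent_command_line": WS + r" C:\Scripts\logon.vbs"},
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_EVENTS, appv_hosts=["APPV-01"]):
        print(f"{host}: {verdict}")
```

The host inventory passed as `appv_hosts` is what separates a workstation that has no reason to run the App-V script from a server where the same chain may be routine.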
