Overview
- Researchers say the attack begins with a fake CAPTCHA page that instructs users to press Win+R and paste a command, triggering the infection.
- The command abuses the signed SyncAppvPublishingServer.vbs App‑V script via wscript.exe to proxy PowerShell through a trusted execution path.
- The loader verifies manual execution and checks clipboard contents and step order, then stalls indefinitely if a sandbox or analysis environment is suspected.
- Configuration is fetched from a public Google Calendar event, followed by in‑memory decryption of payloads extracted from PNGs on public CDNs using LSB steganography.
- Defenders are advised to restrict the Windows Run dialog via Group Policy, remove unneeded App‑V components, enable PowerShell logging, and monitor outbound traffic; researchers note this is the first observed use of App‑V scripts in ClickFix deliveries.
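A defender-side illustration of the execution chain the researchers describe (Run dialog to `wscript.exe` running `SyncAppvPublishingServer.vbs`, which hands its argument to PowerShell). This is an added example, not code or detection content from the report; it assumes Sysmon-style process-creation fields (`ParentImage`, `Image`, `CommandLine`), treats an `explorer.exe` parent as the closest available proxy for a Win+R launch, and runs over constructed sample events rather than real telemetry.

```python
"""Flag process-creation events matching the App-V script proxy chain:
explorer.exe -> wscript.exe SyncAppvPublishingServer.vbs "<arg>" -> powershell.exe.
Added illustration; field names are Sysmon-style assumptions, events are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List

# SyncAppvPublishingServer.vbs forwards its first argument into a PowerShell
# -Command string. A ';' inside that argument lets additional PowerShell ride
# along with the legitimate call, so a separator in the argument is the
# indicator this example keys on.
APPV_SCRIPT = re.compile(r"SyncAppvPublishingServer\.vbs", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str   # Sysmon ParentImage (basename only, for brevity)
    image: str          # Sysmon Image (basename only)
    command_line: str   # Sysmon CommandLine


def appv_argument(command_line: str) -> str:
    """Return whatever follows the script name on the command line, unquoted."""
    parts = APPV_SCRIPT.split(command_line, maxsplit=1)
    if len(parts) < 2:
        return ""
    return parts[1].strip().strip('"')


def classify(ev: ProcEvent) -> List[str]:
    """Return indicator names matched by one event (empty list = nothing notable)."""
    findings: List[str] = []
    image = ev.image.lower()
    parent = ev.parent_image.lower()
    if image in SCRIPT_HOSTS and APPV_SCRIPT.search(ev.command_line):
        if ";" in appv_argument(ev.command_line):
            findings.append("appv_script_argument_with_separator")
        # The Run dialog spawns its target from explorer.exe, so an interactive
        # parent is consistent with a user pasting the command (assumption:
        # no direct telemetry of the Win+R step is available).
        if parent == "explorer.exe":
            findings.append("appv_script_launched_from_explorer")
    if image in POWERSHELL and parent in SCRIPT_HOSTS:
        findings.append("powershell_child_of_script_host")
    return findings


def scan(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map event index -> findings for every event that matched at least one indicator."""
    return {i: f for i, ev in enumerate(events) if (f := classify(ev))}


# Constructed sample telemetry, not taken from the report.
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "wscript.exe",
              r'wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs "n; Get-Date"'),
    ProcEvent("wscript.exe", "powershell.exe",
              'powershell.exe -Command "Get-Date"'),
    ProcEvent("svchost.exe", "wscript.exe",
              r'wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs n'),
    ProcEvent("explorer.exe", "notepad.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(findings)}")
```

The two `wscript.exe` indicators are kept separate on purpose: a script-host launch with a `;`-bearing argument is worth a look on its own, while the `explorer.exe` parent raises confidence that a user was walked through the Run dialog, which is the behaviour the Group Policy restriction in the last bullet is meant to cut off.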