A recently identified campaign uses a combination of social engineering and genuine Windows components to deliver information-stealing malware in a sophisticated manner. The attack starts with a false CAPTCHA prompt that poses as a necessary verification step, tricking users into manually executing commands via the Windows Run dialog. The attackers take advantage of Microsoft's Application Virtualization framework to evade detection rather than employing conventional PowerShell execution techniques that security tools frequently monitor.

The attack chain reflects a significant shift in how threat actors deliver malware. Rather than relying on vulnerability exploitation or direct payload execution, the campaign prioritises meticulous orchestration of every stage so that it withstands automated analysis and security monitoring.

Instead of embedding obvious command strings, the embedded PowerShell logic uses aliases and wildcard resolution to reconstruct sensitive functionality at runtime. For instance, the script first uses the shorthand alias gal to resolve Get-Alias, then calls gal i*x to retrieve the iex alias, which in turn points to Invoke-Expression.

[Figure: One of three CDNs provided the PNG image (Source: Blackpoint).]

The loader immediately enforces a clipboard-based execution gate that checks for the ALLUSERSPROFILE_X marker. If that marker is missing, the script uses script shell popups to display fake messages and then deliberately stalls by entering an infinite wait state. Because the script hangs indefinitely instead of failing cleanly, this intentional stall frustrates analysis in sandboxes that detonate the script without simulating the expected clipboard state.
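As a defensive counterpart to the alias-resolution and clipboard-gate behaviour described above, the following added example (written for this page, not code from the article or from Blackpoint) scans PowerShell script-block text, such as the content of Script Block Logging events, statically expands wildcard alias lookups against a small alias table, and flags a clipboard check that references the marker. The alias table is a hand-picked subset of PowerShell's default aliases, and the sample script blocks are constructed for the demonstration.

```python
import re
import fnmatch

# Assumption: a small subset of PowerShell's built-in aliases. Extend it
# from `Get-Alias` output on a reference host to cover the full default set.
KNOWN_ALIASES = {
    "iex": "Invoke-Expression",
    "gal": "Get-Alias",
    "gcb": "Get-Clipboard",
    "iwr": "Invoke-WebRequest",
    "saps": "Start-Process",
    "gc": "Get-Content",
}
# Cmdlets whose indirect (wildcard) resolution is worth surfacing to an analyst.
SENSITIVE = {"Invoke-Expression", "Invoke-WebRequest", "Start-Process"}

# Matches `Get-Alias` or its alias `gal` followed by a name pattern, e.g. "gal i*x".
ALIAS_LOOKUP = re.compile(
    r"\b(?:Get-Alias|gal)\s+(?:-Name\s+)?['\"]?([\w?*]+)['\"]?", re.IGNORECASE
)
# Any read of the clipboard, by cmdlet name or by its default alias.
CLIPBOARD_READ = re.compile(r"Get-Clipboard|\bgcb\b", re.IGNORECASE)


def resolve_wildcard(pattern):
    """Return {alias: definition} for every known alias the wildcard would match."""
    return {a: d for a, d in KNOWN_ALIASES.items()
            if fnmatch.fnmatchcase(a.lower(), pattern.lower())}


def analyze_script_block(text):
    """Return a list of human-readable findings for one script block."""
    findings = []
    for m in ALIAS_LOOKUP.finditer(text):
        pattern = m.group(1)
        if not any(c in pattern for c in "*?"):
            continue  # literal lookups are common in benign admin scripts
        for alias, cmdlet in resolve_wildcard(pattern).items():
            if cmdlet in SENSITIVE:
                findings.append(f"wildcard alias lookup '{m.group(0)}' resolves "
                                f"to {alias} -> {cmdlet}")
    if CLIPBOARD_READ.search(text) and "ALLUSERSPROFILE" in text:
        findings.append("clipboard read combined with ALLUSERSPROFILE marker check")
    return findings


# Constructed sample script blocks: one mimicking the loader, one benign.
SAMPLE_BLOCKS = [
    "$r = gal i*x; $m = gcb; if ($m -notmatch 'ALLUSERSPROFILE_X') { Start-Sleep 9999 }",
    "Get-Alias -Name ls; Get-ChildItem C:\\Temp",
]

if __name__ == "__main__":
    for block in SAMPLE_BLOCKS:
        print(block[:40], "->", analyze_script_block(block) or "clean")
```

The same function can be pointed at the message field of PowerShell operational-log events to triage script blocks at scale.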