Cybersecurity researchers have discovered malware campaigns using the now-prevalent ClickFix social engineering tactic to deploy Amatera Stealer and NetSupport RAT.
The activity, observed this month, is being tracked by eSentire under the moniker EVALUSION.
First spotted in June 2025, Amatera is assessed to be an evolution of ACR (short for “AcridRain”) Stealer, which was available under the malware-as-a-service (MaaS) model until sales of the malware were suspended in mid-July 2024. Amatera is available for purchase via subscription plans that go from $199 per month to $1,499 for a year.
“Amatera provides threat actors with extensive data exfiltration capabilities targeting crypto-wallets, browsers, messaging applications, FTP clients, and email services,” the Canadian cybersecurity vendor said. “Notably, Amatera employs advanced evasion techniques such as WoW64 SysCalls to circumvent user-mode hooking mechanisms commonly used by sandboxes, Anti-Virus solutions, and EDR products.”
As is typically the case with ClickFix attacks, users are tricked into executing malicious commands using the Windows Run dialog in order to complete a reCAPTCHA verification check on bogus phishing pages. The command initiates a multi-step process that involves using the “mshta.exe” binary to launch a PowerShell script that’s responsible for downloading a .NET downloaded from MediaFire, a file hosting service.
The payload is the Amatera Stealer DLL packed using PureCrypter, a C#-based multi-functional crypter and loader that’s also advertised as a MaaS offering by a threat actor named PureCoder. The DLL is injected into the “MSBuild.exe” process, following which the stealer harvests sensitive data and contacts an external server to execute a PowerShell command to fetch and run NetSupport RAT.
“What is particularly noteworthy in the PowerShell invoked by Amatera is a check to determine if the victim machine is part of a domain or has files of potential value, e.g., crypto wallets,” eSentire said. “If neither is found, NetSupport is not downloaded.”
The development dovetails with the discovery of several phishing campaigns propagating a wide range of malware families –
- Emails containing Visual Basic Script attachments that masqueraded as invoices to deliver XWorm by means of a batch script that invokes a PowerShell loader
- Compromised websites injected with malicious JavaScript that redirects site visitors to bogus ClickFix pages mimicking Cloudflare Turnstile checks to deliver NetSupport RAT as part of an ongoing campaign codenamed SmartApeSG (aka HANEYMANEY and ZPHP)
- Using fake Booking.com sites to display fake CAPTCHA checks that employ ClickFix lures to run a malicious PowerShell command that drops a credential stealer when executed via the Windows Run dialog
- Emails spoofing internal “email delivery” notifications that falsely claim to have blocked important messages related to outstanding invoices, package deliveries, and…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
