Cybersecurity researchers have discovered malware campaigns using the now-prevalent ClickFix social engineering tactic to deploy Amatera Stealer and NetSupport RAT.
The activity, observed this month, is being tracked by eSentire under the moniker EVALUSION.
First spotted in June 2025, Amatera is assessed to be an evolution of ACR (short for “AcridRain”) Stealer, which was available under the malware-as-a-service (MaaS) model until sales of the malware were suspended in mid-July 2024. Amatera is available for purchase via subscription plans that go from $199 per month to $1,499 for a year.
“Amatera provides threat actors with extensive data exfiltration capabilities targeting crypto-wallets, browsers, messaging applications, FTP clients, and email services,” the Canadian cybersecurity vendor said. “Notably, Amatera employs advanced evasion techniques such as WoW64 SysCalls to circumvent user-mode hooking mechanisms commonly used by sandboxes, Anti-Virus solutions, and EDR products.”
As is typically the case with ClickFix attacks, users are tricked into executing malicious commands using the Windows Run dialog in order to complete a reCAPTCHA verification check on bogus phishing pages. The command initiates a multi-step process that involves using the “mshta.exe” binary to launch a PowerShell script that’s responsible for downloading a .NET downloaded from MediaFire, a file hosting service.
The payload is the Amatera Stealer DLL packed using PureCrypter, a C#-based multi-functional crypter and loader that’s also advertised as a MaaS offering by a threat actor named PureCoder. The DLL is injected into the “MSBuild.exe” process, following which the stealer harvests sensitive data and contacts an external server to execute a PowerShell command to fetch and run NetSupport RAT.
“What is particularly noteworthy in the PowerShell invoked by Amatera is a check to determine if the victim machine is part of a domain or has files of potential value, e.g., crypto wallets,” eSentire said. “If neither is found, NetSupport is not downloaded.”
The development dovetails with the discovery of several phishing campaigns propagating a wide range of malware families –
- Emails containing Visual Basic Script attachments that masqueraded as invoices to deliver XWorm by means of a batch script that invokes a PowerShell loader
- Compromised websites injected with malicious JavaScript that redirects site visitors to bogus ClickFix pages mimicking Cloudflare Turnstile checks to deliver NetSupport RAT as part of an ongoing campaign codenamed SmartApeSG (aka HANEYMANEY and ZPHP)
- Using fake Booking.com sites to display fake CAPTCHA checks that employ ClickFix lures to run a malicious PowerShell command that drops a credential stealer when executed via the Windows Run dialog
- Emails spoofing internal “email delivery” notifications that falsely claim to have blocked important messages related to outstanding invoices, package deliveries, and Request for Quotations (RFQs) in order to trick recipients into clicking on a link that siphons login credentials under the pretext of moving the messages to the inbox
- Attacks using phishing kits named Cephas (which first emerged in August 2024) and Tycoon 2FA to lead users to malicious login pages for credential theft
“What makes Cephas noteworthy is that it implements a distinctive and uncommon obfuscation technique,” Barracuda said in an analysis published last week. “The kit obscures its code by creating random invisible characters within the source code that help it evade anti-phishing scanners and obstruct signature-based YARA rules from matching the exact phishing methods.”
