Article Details
Scrape Timestamp (UTC): 2025-11-17 16:54:09.864
Source: https://thehackernews.com/2025/11/new-evalusion-clickfix-campaign.html
Original Article Text
New EVALUSION ClickFix Campaign Delivers Amatera Stealer and NetSupport RAT

Cybersecurity researchers have discovered malware campaigns using the now-prevalent ClickFix social engineering tactic to deploy Amatera Stealer and NetSupport RAT.

The activity, observed this month, is being tracked by eSentire under the moniker EVALUSION.

First spotted in June 2025, Amatera is assessed to be an evolution of ACR (short for "AcridRain") Stealer, which was available under the malware-as-a-service (MaaS) model until sales of the malware were suspended in mid-July 2024. Amatera is available for purchase via subscription plans that go from $199 per month to $1,499 for a year.

"Amatera provides threat actors with extensive data exfiltration capabilities targeting crypto-wallets, browsers, messaging applications, FTP clients, and email services," the Canadian cybersecurity vendor said. "Notably, Amatera employs advanced evasion techniques such as WoW64 SysCalls to circumvent user-mode hooking mechanisms commonly used by sandboxes, Anti-Virus solutions, and EDR products."

As is typically the case with ClickFix attacks, users are tricked into executing malicious commands using the Windows Run dialog in order to complete a reCAPTCHA verification check on bogus phishing pages.

The command initiates a multi-step process that involves using the "mshta.exe" binary to launch a PowerShell script that's responsible for downloading a .NET downloader from MediaFire, a file hosting service.

The payload is the Amatera Stealer DLL packed using PureCrypter, a C#-based multi-functional crypter and loader that's also advertised as a MaaS offering by a threat actor named PureCoder. The DLL is injected into the "MSBuild.exe" process, following which the stealer harvests sensitive data and contacts an external server to execute a PowerShell command to fetch and run NetSupport RAT.
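
The Run dialog, mshta.exe, PowerShell, MSBuild.exe chain described above can be hunted for in process-creation telemetry. The following is an added example, not code from eSentire or the original article; the event field names, the constructed sample events and the assumption that MSBuild.exe shows up as a descendant of the chain are illustrative.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

URL_RE = re.compile(r"https?://", re.I)
NET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
SYS = r"C:\Windows\System32"

# Constructed process-creation events (Sysmon Event ID 1 style); all values are made up.
EVENTS = [
    {"host": "WS01", "pid": 4100, "ppid": 900, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"host": "WS01", "pid": 5200, "ppid": 4100, "image": SYS + r"\mshta.exe",
     "cmd": "mshta.exe https://example.invalid/verify"},
    {"host": "WS01", "pid": 5300, "ppid": 5200,
     "image": SYS + r"\WindowsPowerShell\v1.0\powershell.exe", "cmd": "powershell.exe <script placeholder>"},
    {"host": "WS01", "pid": 5400, "ppid": 5300, "image": NET + r"\MSBuild.exe", "cmd": "MSBuild.exe"},
    # Benign developer build: MSBuild.exe with no mshta.exe ancestor.
    {"host": "DEV7", "pid": 800, "ppid": 700, "image": SYS + r"\cmd.exe", "cmd": "cmd.exe"},
    {"host": "DEV7", "pid": 810, "ppid": 800, "image": NET + r"\MSBuild.exe", "cmd": "MSBuild.exe app.csproj"},
]

def name(event):
    return basename(event["image"]).lower()

def find_clickfix_chains(events):
    """Flag each mshta.exe that explorer.exe started with a URL argument
    (Run-dialog launches are children of explorer.exe) and that has
    powershell.exe among its descendants."""
    by_id = {(e["host"], e["pid"]): e for e in events}
    children = {}
    for e in events:
        children.setdefault((e["host"], e["ppid"]), []).append(e)
    findings = []
    for e in events:
        parent = by_id.get((e["host"], e["ppid"]))
        if name(e) != "mshta.exe" or parent is None or name(parent) != "explorer.exe":
            continue
        if not URL_RE.search(e["cmd"]):
            continue
        stack, descendants = [e], []
        while stack:  # walk the process tree below this mshta.exe
            cur = stack.pop()
            for child in children.get((cur["host"], cur["pid"]), []):
                descendants.append(name(child))
                stack.append(child)
        if "powershell.exe" in descendants:
            # Assumption: the injected MSBuild.exe is a descendant of the chain.
            findings.append({"host": e["host"], "mshta_cmd": e["cmd"],
                             "msbuild_seen": "msbuild.exe" in descendants})
    return findings
```

On real telemetry, key the lookup on a per-process GUID rather than the PID, since PIDs are reused over time.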

"What is particularly noteworthy in the PowerShell invoked by Amatera is a check to determine if the victim machine is part of a domain or has files of potential value, e.g., crypto wallets," eSentire said. "If neither is found, NetSupport is not downloaded."

The development dovetails with the discovery of several phishing campaigns propagating a wide range of malware families -

"What makes Cephas noteworthy is that it implements a distinctive and uncommon obfuscation technique," Barracuda said in an analysis published last week. "The kit obscures its code by creating random invisible characters within the source code that help it evade anti-phishing scanners and obstruct signature-based YARA rules from matching the exact phishing methods."

Daily Brief Summary
eSentire has identified the EVALUSION campaign, leveraging ClickFix tactics to distribute Amatera Stealer and NetSupport RAT, posing significant risks to data security.
Amatera Stealer, an evolution of the ACR Stealer, is available via subscription and targets crypto-wallets, browsers, and messaging applications, among others.
The malware employs advanced evasion techniques, including WoW64 SysCalls, to bypass common security measures like sandboxes and anti-virus solutions.
Attackers trick users into executing malicious commands through phishing pages, initiating a process that downloads and executes the malware via PowerShell scripts.
The payload, Amatera Stealer DLL, is packed using PureCrypter and injected into the MSBuild.exe process to harvest sensitive data.
NetSupport RAT is only downloaded if the victim's machine is part of a domain or contains files of potential value, such as crypto wallets.
The campaign is part of a broader trend of phishing attacks using sophisticated obfuscation techniques to evade detection by security tools.