EVALUSION Campaign Uses ClickFix Tactic to Install Amatera Stealer.

Cybersecurity researchers have discovered malware campaigns using the now prevalent ClickFix social engineering tactic to deploy the Amatera Stealer and NetSupport RAT. This activity, tracked by eSentire under the name EVALUSION, was observed this month.

Amatera Stealer and Advanced Evasion

Amatera Stealer, first spotted in June 2025, is considered an evolution of the ACR Stealer, which was previously sold under the malware-as-a-service (MaaS) model. Amatera itself is available for purchase via subscription plans.

The Canadian cybersecurity vendor noted that Amatera provides threat actors with extensive data exfiltration capabilities targeting crypto wallets, browsers, messaging applications, FTP clients, and email services. Notably, Amatera uses advanced evasion techniques, such as WoW64 SysCalls, to bypass the user-mode hooking mechanisms commonly employed by sandboxes, antivirus solutions, and Endpoint Detection and Response (EDR) products.

The ClickFix Attack Chain

As is typical with ClickFix attacks, users are tricked into executing malicious commands through the Windows Run dialog. They are often lured by bogus phishing pages that demand a reCAPTCHA verification check. The malicious command initiates a multi-step process that uses the mshta.exe binary to launch a PowerShell script. This script is responsible for downloading a .NET payload from MediaFire, a public file-hosting service.

The payload is the Amatera Stealer DLL, which is packed using PureCrypter, a C#-based, multi-functional crypter and loader also advertised as a MaaS offering. The DLL is injected into the MSBuild.exe process. After the stealer harvests sensitive data, it contacts an external server to execute another PowerShell command that fetches and runs the NetSupport RAT. eSentire observed a key feature of this process: Amatera checks whether the victim machine is part of a domain or holds files of potential value, such as crypto wallets. If neither is found, the NetSupport RAT is not downloaded, conserving the attacker's resources.
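The chain described above (Run dialog to mshta.exe, mshta.exe to PowerShell, a download from MediaFire, then MSBuild.exe started with no project file as the injection host) is unusual enough in process-creation telemetry that it can be hunted on parent/child relationships alone. The following is an added example written for this article, not code from eSentire or from the report; the event fields are modelled on Sysmon Event ID 1 but the schema, host, PIDs and URLs are constructed for the demo, and the rule names are my own.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (fields modelled on Sysmon Event ID 1)."""
    pid: int
    ppid: int
    image: str     # full path of the new process
    cmdline: str   # its command line


def basename(path: str) -> str:
    """Lower-cased file name of an image path (handles both slash styles)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


URL_RE = re.compile(r"https?://", re.I)
FILE_HOST_RE = re.compile(r"mediafire\.com", re.I)  # the file host named in the article
PROJECT_RE = re.compile(r"\.(?:sln|csproj|vbproj|proj|targets)\b", re.I)

# Constructed sample telemetry: hypothetical host, PIDs and URLs, not article data.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    # Run-dialog launch of mshta.exe against a remote HTA (the ClickFix step)
    ProcEvent(200, 100, r"C:\Windows\System32\mshta.exe",
              "mshta.exe https://example.invalid/verify"),
    # mshta.exe starts PowerShell, which fetches the .NET payload from a file host
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -NoProfile -Command "<download from '
              'https://www.mediafire.com/file/PLACEHOLDER elided>"'),
    # PowerShell starts MSBuild.exe with no project file: the injection host
    ProcEvent(400, 300, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
              "MSBuild.exe"),
    # Benign: a developer build, MSBuild.exe given a project file
    ProcEvent(500, 50, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
              "MSBuild.exe MyApp.csproj /t:Build"),
    # Benign: an admin running PowerShell from the shell, no file host involved
    ProcEvent(600, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -Command Get-Service"),
]


def hunt(events):
    """Apply per-event rules; returns (rule_name, pid) pairs in event order."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        pname = basename(parent.image) if parent else ""
        if name == "mshta.exe" and pname == "explorer.exe" and URL_RE.search(e.cmdline):
            hits.append(("mshta_from_shell_with_url", e.pid))
        if name == "powershell.exe" and pname == "mshta.exe":
            hits.append(("powershell_spawned_by_mshta", e.pid))
        if FILE_HOST_RE.search(e.cmdline):
            hits.append(("public_file_host_in_cmdline", e.pid))
        if name == "msbuild.exe" and pname == "powershell.exe" and not PROJECT_RE.search(e.cmdline):
            hits.append(("msbuild_without_project_from_powershell", e.pid))
    return hits


def ancestry(events, pid):
    """Image names from pid up to the oldest ancestor present in the telemetry."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def clickfix_chains(events):
    """PIDs of MSBuild.exe instances whose ancestry contains both mshta.exe and powershell.exe."""
    return [e.pid for e in events
            if basename(e.image) == "msbuild.exe"
            and {"mshta.exe", "powershell.exe"} <= set(ancestry(events, e.pid))]


if __name__ == "__main__":
    for rule, pid in hunt(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
    print("full ClickFix -> MSBuild chains:", clickfix_chains(SAMPLE_EVENTS))
```

The per-event rules each fire on a single odd relationship and will produce some noise on their own (developers do run MSBuild, admins do run PowerShell); `clickfix_chains` is the higher-confidence signal because it requires the whole lineage the article describes to be present before it reports a PID. On a real host the lineage is also where the explorer.exe parent matters: a Run-dialog launch shows up as explorer.exe spawning mshta.exe, which is rarely legitimate.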

This development aligns with the discovery of several other sophisticated phishing campaigns propagating malware, including those using Visual Basic Script attachments disguised as invoices to deliver XWorm, and compromised websites injecting malicious JavaScript to redirect visitors to fake Cloudflare Turnstile pages in order to deploy NetSupport RAT. Furthermore, attackers are using phishing kits like Cephas and Tycoon 2FA to evade scanners and steal login credentials. Cephas, for instance, uses a distinctive obfuscation technique: it embeds random invisible characters within the source code to confuse anti-phishing scanners.
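The invisible-character trick attributed to Cephas works because a scanner that matches lure phrases on the raw source never sees the words the browser renders. The defensive counter is to normalise the page before scanning and to treat the density of such characters as a signal in itself. The block below is an added example for this article, not code from any of the vendors or kits it names; it strips every Unicode format character (general category Cf, which covers the zero-width space, joiners, word joiner, BOM and soft hyphen) and reports which lure keywords only match after normalisation. The keyword list and the sample page are constructed for the demo.

```python
import unicodedata


def strip_invisible(text: str):
    """Drop every Unicode format character (category Cf: zero-width space and
    joiners, word joiner, BOM, soft hyphen, ...) and report how many were removed."""
    kept, removed = [], 0
    for ch in text:
        if unicodedata.category(ch) == "Cf":
            removed += 1
        else:
            kept.append(ch)
    return "".join(kept), removed


def scan_page(text: str, keywords, density_threshold: float = 0.01):
    """Match lure keywords before and after normalisation and flag pages where
    invisible characters are dense or hide a match from the raw scan."""
    clean, removed = strip_invisible(text)
    raw_l, clean_l = text.lower(), clean.lower()
    matches_raw = [k for k in keywords if k in raw_l]
    matches_norm = [k for k in keywords if k in clean_l]
    ratio = removed / max(len(text), 1)
    hidden = [k for k in matches_norm if k not in matches_raw]
    return {
        "invisible_count": removed,
        "invisible_ratio": ratio,
        "matches_raw": matches_raw,
        "matches_normalized": matches_norm,
        "hidden_by_invisibles": hidden,
        "suspicious": ratio > density_threshold or bool(hidden),
    }


ZW = "\u200b"  # ZERO WIDTH SPACE
KEYWORDS = ["verify your account", "password"]  # assumed lure terms for the demo

# Constructed sample: a lure page with a zero-width space between every letter
# of the visible strings, so the words render normally but never match as text.
SAMPLE_PAGE = (
    "<html><body><h2>" + ZW.join("Verify your account") + "</h2>"
    '<input type="text" name="u" placeholder="' + ZW.join("Email") + '">'
    '<input type="text" name="p" placeholder="' + ZW.join("Password") + '">'
    "</body></html>"
)
# Constructed control: the same heading with no invisible characters.
CLEAN_PAGE = "<html><body><h2>Verify your account</h2></body></html>"

if __name__ == "__main__":
    for label, page in (("sample", SAMPLE_PAGE), ("clean", CLEAN_PAGE)):
        print(label, scan_page(page, KEYWORDS))
```

Category Cf also contains characters that legitimate pages need (the zero-width joiner in emoji sequences and in Indic scripts, bidi controls in Arabic and Hebrew text), so a bare "any Cf present" rule will false-positive; the example therefore combines a density threshold with the stronger signal, a keyword that matches only after stripping. Tune `density_threshold` against the locales your traffic actually serves.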
