A new campaign, dubbed “EVALUSION” by eSentire, is leveraging the ClickFix social-engineering technique to deliver the Amatera Stealer and NetSupport RAT malware.
First spotted in June 2025, Amatera is believed to be an evolution of the now-defunct ACR (AcridRain) Stealer, previously sold under a malware-as-a-service model. Amatera is also sold on a subscription basis, with prices ranging from $199 per month to $1,499 per year.
According to eSentire, the stealer offers extensive data-theft capabilities targeting everything from crypto-wallets and web browsers to messaging apps and email clients. It also incorporates advanced evasion techniques, including WoW64 SysCalls, to bypass detection mechanisms used by antivirus and endpoint security tools.
The campaign relies on ClickFix tactics to trick users into running malicious commands via the Windows Run dialog under the guise of completing a reCAPTCHA verification. This triggers a multi-step infection chain that uses mshta.exe to launch a PowerShell script, download a malicious .NET component hosted on MediaFire, and ultimately deploy the Amatera Stealer packed with the PureCrypter loader.
Once active, Amatera injects its DLL into the MSBuild.exe process, exfiltrates sensitive data, and reaches out to an external server to determine whether to deploy NetSupport RAT. The RAT is downloaded only if the victim machine appears to contain high-value data or belongs to a corporate domain, suggesting the attackers are prioritizing more lucrative targets.
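The process lineage described above (a Run dialog command starting mshta.exe, which in turn launches PowerShell) can be hunted in process-creation telemetry. The following is an added example, not code from eSentire or the original report: the event field names and every sample value are constructed assumptions, and explorer.exe is used as the expected parent because it is the parent of commands started from the Run dialog.

```python
# Added example: hunts for explorer.exe -> mshta.exe -> powershell.exe lineage.
# Event fields and all sample values are constructed for illustration.
from ntpath import basename  # parses Windows paths on any OS

# Lineage from the article, oldest ancestor first. explorer.exe is the
# parent of anything a user starts from the Windows Run dialog.
CHAIN = ("explorer.exe", "mshta.exe", "powershell.exe")

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MSHTA = r"C:\Windows\System32\mshta.exe"
EVENTS = [  # constructed process-creation events
    {"pid": 100, "ppid": 4, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": MSHTA, "cmd": "mshta.exe <constructed-url>"},
    {"pid": 300, "ppid": 200, "image": PS, "cmd": "powershell.exe <constructed>"},
    # Near misses that this rule does not match:
    {"pid": 400, "ppid": 100, "image": PS, "cmd": "powershell.exe"},  # no mshta parent
    {"pid": 500, "ppid": 999, "image": MSHTA, "cmd": r"mshta.exe C:\app\legacy.hta"},
    {"pid": 600, "ppid": 500, "image": PS, "cmd": "powershell.exe"},  # grandparent unknown
]

def proc_name(event):
    return basename(event["image"]).lower()

def find_chains(events, chain=CHAIN):
    """Return PID lineages (oldest first) whose image names match `chain`."""
    # Keyed on PID for brevity; real telemetry should key on a unique process
    # identifier (e.g. Sysmon ProcessGuid) because PIDs are reused.
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for event in events:
        if proc_name(event) != chain[-1]:
            continue
        lineage, cur = [event], event
        for expected in reversed(chain[:-1]):
            cur = by_pid.get(cur["ppid"])
            if cur is None or proc_name(cur) != expected:
                break  # parent missing from telemetry or different image
            lineage.append(cur)
        else:  # every ancestor matched
            hits.append([p["pid"] for p in reversed(lineage)])
    return hits

if __name__ == "__main__":
    for pids in find_chains(EVENTS):
        print("ClickFix-style lineage:", " -> ".join(map(str, pids)))
```

The rule matches on image names only, so it is a triage signal to pair with command-line review rather than a verdict.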