Amatera Stealer: Rebranded ACR Stealer With Improved Evasion, Sophistication
June 23, 2025, 6:53 p.m.
Description
Proofpoint has identified Amatera Stealer, a rebranded version of ACR Stealer with enhanced capabilities and evasion techniques. It is distributed via ClearFake website injects and uses sophisticated attack chains and web injects. Amatera Stealer employs NTSockets for stealthy C2 communication, uses WoW64 syscalls to bypass user-mode hooking, and supports HTTPS requests. It focuses on stealing information from browsers, crypto wallets, and various software. The malware can also execute secondary payloads. Amatera Stealer is actively developed and sold as malware-as-a-service, with subscription plans ranging from $199 to $1,499.
Date
- Created: June 18, 2025, 5:19 p.m.
- Published: June 18, 2025, 5:19 p.m.
- Modified: June 23, 2025, 6:53 p.m.
Indicators