EVALUSION Campaign Delivers Amatera Stealer and NetSupport...
Nov. 19, 2025, 9 a.m.
Description
The eSentire Threat Response Unit identified a malware campaign using ClickFix as an initial access vector to deploy Amatera Stealer and NetSupport RAT. Amatera Stealer is a rebranded version of ACR Stealer, with advanced evasion techniques like WoW64 SysCalls to bypass security solutions. It targets crypto-wallets, browsers, and messaging apps. The attack chain involves social engineering, PowerShell stages, and a .NET-based downloader. Amatera communicates with its C2 server using encrypted channels and can deploy additional payloads. The campaign selectively targets systems with valuable data or domain membership before deploying NetSupport RAT. Recommendations include disabling mshta.exe, restricting the Run prompt, implementing phishing awareness training, and using Next-Gen AV or EDR solutions.
Date
- Created: Nov. 18, 2025, 10:17 p.m.
- Published: Nov. 18, 2025, 10:17 p.m.
- Modified: Nov. 19, 2025, 9 a.m.