Amatera Stealer: Rebranded ACR Stealer With Improved Evasion, Sophistication
Essential information
- Published: 18/06/2025 17:19
- Modified: 23/06/2025 18:53
- Tags: 2025-06-18, acr stealer, amatera stealer, clearfake, clickfix, information stealer, lumma stealer, malware-as-a-service, ntsockets, rhadamanthys, web injects, wow64 syscalls
- Related entities: 12 observables, 1 intrusion sets (apt), 17 techniques (mitre), 1 malware
Description
Proofpoint has identified Amatera Stealer, a rebranded version of ACR Stealer with enhanced capabilities and evasion techniques. It is distributed via ClearFake website injects and relies on sophisticated attack chains and web injects. Amatera Stealer employs NTSockets for stealthy C2 communication, uses WoW64 syscalls to bypass user-mode hooking, and supports HTTPS requests. It focuses on stealing information from browsers, crypto wallets, and various other software, and it can also execute secondary payloads. Amatera Stealer is actively developed and sold as malware-as-a-service, with subscription plans ranging from $199 to $1,499.