Attack Flow Steps:

: Attackers initially compromise victims through social engineering via the ClickFix initial access vector. : Initial access vector used to deploy Amatera Stealer and NetSupport RAT. : Victims compelled to execute malicious commands in the Windows Run Prompt. : Multi-stage PowerShell commands executed to deliver malware payloads. : PowerShell stages use obfuscation and XOR decryption against AMSI_RESULT_NOT_DETECTED string. : PowerShell code disables AMSI by overwriting AmsiScanBuffer string in clr.dll memory with null bytes. : Packed with Agile.net, downloads encrypted payload from MediaFire and decrypts via RC2. : Downloads encrypted payload from MediaFire. : Decrypts payload via RC2 encryption algorithm. : Packer used to protect the Amatera Stealer payload. : Pure Crypter uses process injection via SetThreadContext API. : Rebranded ACR Stealer, C++ based information stealer with extensive data exfiltration capabilities targeting crypto-wallets, browsers, messaging applications, FTP clients, and email services. : Harvests saved passwords, credit cards, and history from 149+ browsers including Chrome, Edge, Firefox, Opera, Brave. : Harvests data for 149+ browser-based crypto-currency wallets and 43+ password managers. : Uses WoW64 SysCalls to evade sandboxes, AV, and EDR via function stubs. : Circumvents Google Chrome and Microsoft Edge App-Bound Encryption via suspended process creation, injection, and COM method calls. : Harvests data from FTP clients, email clients, VPNs, password managers, and desktop crypto-wallets. : Communicates with C2 over TLS using Windows APIs for encryption/decryption. : Amatera C2 server hosted at AS 24940 Hetzner Online GmbH. : Uses HTTP POST requests with JSON-encoded data to communicate with C2. : Harvested data collected into zip archive and sent via HTTP POST to C2. : Collected data archived into zip format before exfiltration. : C2 server hosting PowerShell payload for NetSupport RAT delivery, AS 215540 Global Connectivity Solutions Llp. : PowerShell executed to download and invoke NetSupport RAT payload from remote server. : PowerShell checks if victim machine is part of a domain or has files of potential value like crypto wallets. : Legitimate Remote Monitoring and Management tool abused by threat actors for unauthorized remote access. : PowerShell downloads JPG file containing encrypted NetSupport RAT zip archive. : JPG file decrypted and unzipped to extract NetSupport client. : NetSupport C2 server configured in client32.ini, AS 207461 Hosting Industry Limited. : NetSupport Manager used for full remote access to victim computers

MITRE ATT&CK Techniques:

T1566
T1204
T1059.001
T1027
T1562.001
T1105
T1140
T1055
T1555.003
T1552.001
T1497
T1553.004
T1005
T1573
T1071.001
T1041
T1560.001
T1082
T1219

eSentire's EVALUSION Campaign Delivers Amatera Stealer and NetSupport RAT

eSentire’s TRU found that attackers were using ClickFix in late 2025 to deliver Amatera Stealer and NetSupport RAT. Amatera is essentially a rebranded version of the ACR (AcridRain) Stealer, whose source code was sold in 2024. It enables wide-ranging data theft from browsers and crypto wallets to messaging and email apps, and includes advanced evasion techniques like WoW64 SysCalls to bypass common security defenses. Research from @YungBinary https://www.esentire.com/blog/evalusion-campaign-delivers-amatera-stealer-and-netsupport-rat

Kristopher Hetzel

29 days ago

Views

Nodes

React Flow