In November 2025, the cybersecurity landscape witnessed the emergence of a sophisticated malware campaign that artfully blends social engineering techniques with advanced data theft tools. This unsettling development has raised alarms among security experts and businesses alike.
The attack initiates with a deceptive maneuver known as ClickFix, where cybercriminals lure unsuspecting users into executing commands via the Windows Run window. By following these seemingly innocuous instructions, users unwittingly expose their systems to a formidable malware known as Amatera Stealer. This advanced piece of software is engineered to extract sensitive information from browsers, cryptocurrency wallets, and password managers.
Shortly after the initial breach, the attackers deploy NetSupport RAT, granting them comprehensive remote access to the compromised computer. Security analysts from eSentire have identified this malware as a significant evolution in cyberattack strategies, highlighting the alarming trend of integrating multiple tools to maximize damage.
The attack chain is meticulously crafted, relying on social engineering tactics that persuade users to open the Run prompt and execute specific commands. These commands set off a hidden sequence that ultimately delivers Amatera Stealer onto the victim’s machine. What amplifies the threat is the malware’s ability to obscure its true intentions, employing obfuscated PowerShell code that complicates analysis for security researchers. A notable tactic involves XOR encryption with the string “AMSIRESULTNOT_DETECTED,” which is used to decrypt subsequent stages while misleading security efforts.
One of the most alarming features of this campaign is the advanced evasion techniques utilized by Amatera Stealer. Originally marketed as ACR Stealer by a group known as SheldIO, this malware has since been rebranded. It employs WoW64 SysCalls to circumvent common security measures, including antivirus software and endpoint detection systems, rendering even well-protected machines vulnerable.
The Infection Mechanism and Detection Evasion
The infection process begins with a .NET-based downloader that retrieves and decrypts payloads using RC2 encryption from platforms such as MediaFire. This downloader is packed with Agile.net, complicating analysis for cybersecurity teams. Upon execution, it deploys a Pure Crypter-packed file that utilizes advanced process injection techniques.
In a further demonstration of its cunning, the malware disables AMSI (Anti-Malware Scan Interface) by overwriting the “AmsiScanBuffer” string in the system’s memory. This effectively neutralizes Windows’ built-in security scanning for the duration of the attack. Amatera communicates with its command servers through encrypted channels that evade traditional security monitoring. By leveraging Windows APIs alongside WoW64 syscalls, it encrypts all communications with AES-256-CBC, making traffic inspection virtually impossible.
The malware aggregates stolen data into zip files and transmits them to criminal servers via these encrypted pathways. Its loader functionality allows for the selective execution of additional payloads, targeting high-value assets such as computers housing cryptocurrency wallets or those connected to business networks. This strategic focus on valuable targets underscores the necessity for modern security frameworks to incorporate multiple layers of protection.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
