
AmateraStealer

AmateraStealer is an information-stealing malware family observed as part of a broader multi-family cybercriminal distribution ecosystem. Breakglass Intelligence reporting cited it alongside ACRStealer, SectopRAT, and NetSupport RAT as sharing infrastructure, delivery mechanisms, and operational patterns, and described the operator as running a multi-family stealer network. High-confidence reporting links AmateraStealer infrastructure to the ALTAWK/DGTLS-MNT bulletproof hosting cluster in Amsterdam, including the host 77.91.96.205. The same hosting environment was also associated with NetSupport RAT deployments and BrowserWare ClickFix campaigns. The reporting further states that ACRStealer delivery mechanisms included AmateraStealer, indicating it functioned as one of several loaders or distribution paths within the ecosystem. That infrastructure-focused reporting gave no malware-internal capabilities, infection chain details, or family-specific indicators beyond the shared infrastructure and ecosystem overlap; the technique evidence below comes from a separate attack-chain analysis of a trojanized Chris-PC RAM Booster installer.


MITRE ATT&CK

Techniques & procedures

20 distinct techniques are documented for this family, organized by ATT&CK tactic. Three of them (T1055, T1497 and T1574.001) are listed under two tactics each, so there are 23 entries below. Each evidence line is an excerpt from the source reporting.

Resource Development (2 techniques)

T1583.003 Acquire Infrastructure: Virtual Private Server (1 evidence item)
Evidence: "MITRE ATT&CK Mapping ... Resource Development Acquire Infrastructure: VPS T1583.003 VDSINA VPS procurement (17 servers)"

T1584.004 Compromise Infrastructure: Server (1 evidence item)
Evidence: "MITRE ATT&CK Mapping ... Resource Development Compromise Infrastructure T1584.004 Compromised acecareer.edu WordPress for payload hosting"

Initial Access (3 techniques)

T1189 Drive-by Compromise (1 evidence item)
Evidence: "Attack Chain: From Fake RAM Booster to Full Credential Theft ... Also: ClickFix/FakeCaptcha -> PowerShell (vocals.ps1)"

T1566 Phishing (1 evidence item)
Evidence: "MITRE ATT&CK Mapping ... Initial Access Phishing T1566 ClickFix/FakeCAPTCHA social engineering"

T1566.002 Phishing: Spearphishing Link (2 evidence items)
Evidence: "MITRE ATT&CK Mapping ... Initial Access Phishing: Spearphishing Link T1566.002 Cracked software download links"

Execution (4 techniques)

T1059.001 Command and Scripting Interpreter: PowerShell (1 evidence item)
Evidence: "Stage 2: The PowerShell Vector (vocals.ps1) ... The dropper forces execution into 32-bit mode via SysWOW64 ... It then XOR-decrypts an embedded .NET assembly"
Hunting note: on 64-bit Windows, "32-bit mode via SysWOW64" means powershell.exe launched from C:\Windows\SysWOW64\WindowsPowerShell\v1.0\, which is uncommon for legitimate interactive or scheduled use and is a cheap process-creation signal.

T1106 Native API (1 evidence item)
Evidence: "MITRE ATT&CK Mapping ... Execution Native API T1106 ntdll.dll NtCreateThreadEx / NtAllocateVirtualMemory"

T1204.002 User Execution: Malicious File (1 evidence item)
Evidence: "MITRE ATT&CK Mapping ... Execution User Execution: Malicious File T1204.002 Trojanized Chris-PC RAM Booster installer"

T1574.001 Hijack Execution Flow: DLL (1 evidence item)
Evidence: "The installer bundles a legitimate copy of Chris-PC RAM Booster alongside a malicious DLL. When the user runs the installer ... DLL search order hijacking ensures the malicious payload executes before the real application loads."
(ATT&CK assigns T1574.001 to Persistence, Privilege Escalation and Defense Evasion rather than Execution; it is listed here because the hijacked DLL is what first runs the payload.)
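One analyst step implied by the Stage 2 description above is recovering the XOR-encoded .NET assembly from the dropper. The following is an added example, not code from this page or from the analysed dropper: it recovers a repeating-key XOR key of unknown length by using the standard DOS-stub text that linker-built PEs, including csc-built .NET assemblies, carry at offset 0x4E as known plaintext, then validates the result structurally. The key length limit (39 bytes), the presence of the standard stub, and the sample blob and key are assumptions; the page states none of them.

```python
"""Recover a repeating-key-XOR-encoded PE from a dropper blob.

Added example (not the page's or the dropper's code). Assumptions, because the
page does not state them: the embedded .NET assembly is XOR-encoded with a
repeating key of at most 39 bytes, and it carries the standard MS linker DOS
stub, whose text sits at offset 0x4E. The sample blob below is constructed.
"""
import struct
from typing import Optional, Tuple

DOS_STUB_TEXT = b"This program cannot be run in DOS mode."  # 39 bytes of known plaintext
DOS_STUB_OFFSET = 0x4E  # where the standard MS linker stub places that string (assumption)


def looks_like_pe(data: bytes) -> bool:
    """Structural PE check: 'MZ' at 0 and e_lfanew (at 0x3C) pointing at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return 0x40 <= e_lfanew <= len(data) - 4 and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (its own inverse)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_xor_pe(blob: bytes, max_key_len: int = len(DOS_STUB_TEXT)) -> Optional[Tuple[bytes, bytes]]:
    """Known-plaintext attack: for each candidate key length n, derive all n key
    bytes from the DOS-stub text, decode, and accept the first structurally
    valid PE.  Returns (key, decoded) or None.  Shortest key wins, so a key of
    length n is found at n even though 2n, 3n, ... would also decode correctly."""
    if len(blob) < DOS_STUB_OFFSET + len(DOS_STUB_TEXT):
        return None
    for n in range(1, max_key_len + 1):
        key = bytearray(n)
        # n consecutive stub offsets cover every residue mod n, so the whole key is fixed.
        for i in range(n):
            off = DOS_STUB_OFFSET + i
            key[off % n] = blob[off] ^ DOS_STUB_TEXT[i]
        decoded = xor_bytes(blob, bytes(key))
        if looks_like_pe(decoded):  # a wrong n leaves 'MZ' or e_lfanew garbled
            return bytes(key), decoded
    return None


def build_sample_pe() -> bytes:
    """Constructed PE-shaped blob: DOS header, standard stub, PE signature, padding."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)  # e_lfanew -> PE signature at 0x80
    hdr[0x40:0x4E] = b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"  # stub code
    hdr[DOS_STUB_OFFSET:DOS_STUB_OFFSET + len(DOS_STUB_TEXT)] = DOS_STUB_TEXT
    return bytes(hdr) + b"PE\x00\x00" + bytes(0x100)


SAMPLE_KEY = b"\x5c\xa9\x13"                               # constructed 3-byte key
ENCODED_SAMPLE = xor_bytes(build_sample_pe(), SAMPLE_KEY)  # what a dropper would embed

if __name__ == "__main__":
    found = recover_xor_pe(ENCODED_SAMPLE)
    print("no PE recovered" if found is None else f"key={found[0].hex()} pe_ok={looks_like_pe(found[1])}")
```

Against a real sample, feed recover_xor_pe the byte array pulled out of vocals.ps1 and write the decoded bytes to disk for a .NET decompiler; if it returns None, the key is longer than the stub text, the binary has a non-standard stub, or the scheme is not plain XOR, and the script's own decode loop is the next place to look.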

Privilege Escalation (1 technique)

T1055 Process Injection (1 evidence item)
Evidence: "Calls NtAllocateVirtualMemory to allocate RWX memory in the current process ... Calls NtCreateThreadEx to spawn a thread executing the shellcode"
(The evidence describes shellcode run inside the dropper's own process, not injection into a remote process; hunt on the NtAllocateVirtualMemory(PAGE_EXECUTE_READWRITE) followed by NtCreateThreadEx pairing rather than on cross-process handle acquisition.)

Defense Evasion (5 techniques)

T1027 Obfuscated Files or Information (1 evidence item)
Evidence: "MITRE ATT&CK Mapping ... Defense Evasion Obfuscated Files T1027 3-layer encryption: XOR -> AES-256-CBC -> RC4"

T1036 Masquerading (1 evidence item)
Evidence: "MITRE ATT&CK Mapping ... Defense Evasion Masquerading T1036 Trojanized legitimate RAM Booster installer"

T1055 Process Injection (1 evidence item; also listed under Privilege Escalation)
Evidence: same as under Privilege Escalation.

T1497 Virtualization/Sandbox Evasion (1 evidence item)
Evidence: "Heaven's Gate (WoW64 x64 Execution) ... The shellcode uses the Heaven's Gate technique to transition from 32-bit (WoW64) execution context to native 64-bit code ... This defeats 32-bit debuggers and analysis tools"
(What the evidence describes is anti-debugging and anti-analysis, not detection of a virtual machine or sandbox, so T1622 Debugger Evasion is the closer ATT&CK fit; the mapping is kept as the source recorded it.)

T1574.001 Hijack Execution Flow: DLL (1 evidence item; also listed under Execution)
Evidence: same as under Execution.

Credential Access (2 techniques)

T1555 Credentials from Password Stores (1 evidence item)
Evidence: "MITRE ATT&CK Mapping ... Credential Access Credentials from Password Stores T1555 Browser, password manager, email client theft"

T1555.003 Credentials from Password Stores: Credentials from Web Browsers (1 evidence item)
Evidence: "MITRE ATT&CK Mapping ... Credential Access Credentials from Web Browsers T1555.003 Chrome/Firefox/Edge credential extraction"

Discovery (1 technique)

T1497 Virtualization/Sandbox Evasion (1 evidence item; also listed under Defense Evasion)
Evidence: same as under Defense Evasion.

Collection (1 technique)

T1005 Data from Local System (1 evidence item)
Evidence: "MITRE ATT&CK Mapping ... Collection Data from Local System T1005 Document harvesting (DOC/TXT/PDF)"

Command and Control (3 techniques)

T1071.001 Application Layer Protocol: Web Protocols (1 evidence item)
Evidence: "MITRE ATT&CK Mapping ... Command and Control Application Layer Protocol: HTTPS T1071.001 HTTPS C2 on port 443"

T1102.001 Web Service: Dead Drop Resolver (1 evidence item)
Evidence: "Dead Drop Resolver: Hiding C2 in Plain Sight ... The attacker creates profiles on Steam Community, Google Docs, Google Slides, or Telegram ... The malware fetches the page ... and decodes the Base64 to obtain the real C2 address"

T1573.001 Encrypted Channel: Symmetric Cryptography (1 evidence item)
Evidence: "MITRE ATT&CK Mapping ... Command and Control Encrypted Channel T1573.001 AES-256-CBC + RC4 C2 communication"
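The dead-drop resolver entry above says the malware fetches a public profile page and Base64-decodes content to obtain the real C2, which is also what an analyst does by hand when pivoting from a dead-drop URL to live infrastructure. The following is an added example, not code from this page or from the malware: because the page gives neither the surrounding markup nor any marker string, the extractor assumes no marker at all, decodes every Base64-looking token on the page, and keeps only those that decode to a plausible host, host:port or URL. The sample page, class names and the C2 value in it are constructed.

```python
"""Pull a Base64-hidden C2 address out of a dead-drop page.

Added example (not the page's or the malware's code).  The page says the
malware fetches a Steam Community / Google Docs / Google Slides / Telegram
profile and Base64-decodes content to get the real C2, but gives neither the
surrounding markup nor the C2 format.  So no marker is assumed: every
Base64-looking token is decoded and kept only if it yields a plausible
host[:port][/path] or URL.  SAMPLE_PAGE is constructed, not a captured page.
"""
import base64
import binascii
import re
from typing import List

# Runs of Base64 alphabet long enough to hold a host, with optional padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")

# Optional scheme, then an IPv4 address or dotted hostname, optional port and path.
C2_VALUE = re.compile(
    r"^(?:https?://)?"
    r"(?:\d{1,3}(?:\.\d{1,3}){3}|[a-z0-9-]+(?:\.[a-z0-9-]+)+)"
    r"(?::\d{1,5})?(?:/[\w./-]*)?$",
    re.IGNORECASE,
)


def decode_token(token: str) -> str:
    """Strictly decode one token to printable ASCII; '' if it is not a text payload."""
    token += "=" * (-len(token) % 4)  # some resolvers strip the padding
    try:
        text = base64.b64decode(token, validate=True).decode("ascii").strip()
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return ""
    return text if text.isprintable() else ""


def extract_c2_candidates(page: str) -> List[str]:
    """All decoded tokens in the page that look like a C2 host or URL, in page order."""
    hits = []
    for token in B64_TOKEN.findall(page):
        text = decode_token(token)
        if text and C2_VALUE.match(text):
            hits.append(text)
    return hits


# Constructed stand-in for a fetched profile page: one persona-name token carrying
# the C2, one bio token that decodes to plain prose, one hex avatar hash that
# decodes to non-text bytes.  None of these values come from the original page.
SAMPLE_PAGE = """<html><head><title>Steam Community :: player</title></head><body>
<span class="actual_persona_name">aHR0cHM6Ly9jMi1wYW5lbC5leGFtcGxlOjQ0My8=</span>
<div class="profile_summary">Just here for the games. VGhpcyBpcyBhIGJpbyBsaW5l</div>
<img src="/avatars/a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0_full.jpg">
</body></html>"""

if __name__ == "__main__":
    for c2 in extract_c2_candidates(SAMPLE_PAGE):
        print("candidate C2:", c2)
```

Run it over the body returned by a plain GET of the dead-drop URL; because the profile is public, this pivot needs no sample execution, and re-fetching on a schedule shows when the operator rotates the C2 behind an unchanged dead-drop URL. Tokens that decode to text but are wrapped in extra marker characters will be missed by the strict host regex, so inspect decode_token output before tightening or loosening C2_VALUE for a new family variant.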

Exfiltration (1 technique)

T1041 Exfiltration Over C2 Channel (1 evidence item)
Evidence: "Stolen data is compressed into ZIP archives and exfiltrated via HTTPS POST to https://{C2}/Up/x . Later variants use encrypted endpoints at https://{C2}/enc_Up/x ."
Both paths are exact strings and are worth matching on POST requests in TLS-inspected proxy logs or endpoint network telemetry; without TLS inspection only the destination host is visible.
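The two exfiltration endpoints above are specific enough to turn straight into a hunt. The following is an added example, not code from this page: it runs a detection over constructed proxy log lines, flagging only POST requests whose URI path is exactly /Up/x or /enc_Up/x, reporting which variant was hit, and totalling bytes uploaded per internal host. The log format (ts src method url status bytes_sent) and all addresses in it are constructed.

```python
"""Flag AmateraStealer-style exfiltration POSTs in proxy logs.

Added example (not the page's code).  The page gives two exfil endpoints,
https://{C2}/Up/x and https://{C2}/enc_Up/x, reached by HTTPS POST carrying a
ZIP archive.  This rule matches the exact URI path on POST requests and reports
which variant was hit and how much was sent.  Because the channel is HTTPS, the
URL is only visible in TLS-inspected proxy logs or endpoint network telemetry.
The log lines and the field layout (ts src method url status bytes_sent) are
constructed; addresses come from documentation ranges.
"""
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Exact paths from the reporting; anchored so /upload/x or /Up/x2 do not match.
EXFIL_PATH = re.compile(r"^/(enc_)?Up/x$")

SAMPLE_PROXY_LOG = """\
2025-06-01T10:14:02Z 10.0.4.21 GET  https://cdn.example/assets/app.js 200 1820
2025-06-01T10:14:09Z 10.0.4.21 POST https://203.0.113.10/Up/x 200 418233
2025-06-01T10:14:11Z 10.0.4.21 GET  https://203.0.113.10/Up/x 404 0
2025-06-01T10:15:40Z 10.0.4.37 POST https://198.51.100.7:443/enc_Up/x 200 902117
2025-06-01T10:16:02Z 10.0.4.37 POST https://intranet.example/upload/x 200 12000
2025-06-01T10:16:30Z 10.0.4.37 POST https://203.0.113.10/Up/x2 200 900
"""


def parse_line(line: str) -> dict:
    """Split one constructed log line into its fields."""
    ts, src, method, url, status, sent = line.split()
    return {"ts": ts, "src": src, "method": method, "url": url,
            "status": status, "bytes_sent": int(sent)}


def find_exfil_posts(log_text: str) -> List[dict]:
    """Return one hit per POST whose URI path is /Up/x or /enc_Up/x."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["method"] != "POST":
            continue  # the malware uploads; a GET to the same path is not the exfil event
        parts = urlsplit(rec["url"])
        m = EXFIL_PATH.match(parts.path)
        if not m:
            continue
        rec["c2"] = parts.netloc
        rec["path"] = parts.path
        rec["variant"] = "enc_Up" if m.group(1) else "Up"
        hits.append(rec)
    return hits


def summarize_by_source(hits: List[dict]) -> Dict[str, int]:
    """Bytes uploaded per internal source: a quick view of which hosts lost the most."""
    totals: Dict[str, int] = {}
    for h in hits:
        totals[h["src"]] = totals.get(h["src"], 0) + h["bytes_sent"]
    return totals


if __name__ == "__main__":
    found = find_exfil_posts(SAMPLE_PROXY_LOG)
    for h in found:
        print(f'{h["ts"]} {h["src"]} -> {h["c2"]}{h["path"]} ({h["variant"]}, {h["bytes_sent"]} bytes)')
    print(summarize_by_source(found))
```

The path match is the high-fidelity part; the byte totals are there because a stealer's single ZIP upload is usually the largest POST the host makes in that window, which helps rank hits when the same C2 is shared with other families from the ecosystem described at the top of this page.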

INDICATORS OF COMPROMISE

IOCs tracked for this family

44 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network
30 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
14 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.
