Amatera Stealer and NetSupport RAT Delivered via ClickFix Social Engineering Campaigns
Cybersecurity researchers have identified a surge in malware campaigns leveraging the ClickFix social engineering technique to deploy the Amatera Stealer and NetSupport RAT. These campaigns trick users into executing malicious commands through the Windows Run dialog, often under the guise of completing a reCAPTCHA verification on fraudulent phishing pages. The infection chain typically involves the use of mshta.exe to launch a PowerShell script, which downloads a .NET payload from a file hosting service. The Amatera Stealer DLL, packed with PureCrypter, is injected into the MSBuild.exe process, enabling the malware to harvest sensitive data from crypto-wallets, browsers, messaging apps, FTP clients, and email services. Advanced evasion techniques, such as WoW64 SysCalls and in-memory AMSI patching, are employed to bypass endpoint detection and response (EDR) and antivirus solutions.
The Amatera Stealer, considered an evolution of the ACR Stealer, is available as a malware-as-a-service (MaaS) offering, with subscription plans ranging from $199 to $1,499. The campaigns also deploy NetSupport RAT for remote access and further exploitation. Notably, the PowerShell scripts used by Amatera check for the presence of valuable files or domain membership before proceeding, indicating a targeted approach. These findings highlight the increasing sophistication of social engineering and malware delivery tactics, as well as the growing threat posed by MaaS platforms to organizations and individuals alike.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Researchers reveal Amatera campaign bypasses defenses by patching AMSI in memory
Follow-up reporting disclosed that the Amatera Stealer campaign used ClickFix delivery techniques and evaded detection by patching Microsoft's Antimalware Scan Interface (AMSI) in memory, helping bypass EDR protections. This added technical detail expanded understanding of the same campaign.
EVALUSION launches ClickFix campaign delivering Amatera Stealer and NetSupport RAT
A malware campaign attributed to EVALUSION used ClickFix social-engineering lures to trick users into executing malicious actions, resulting in delivery of Amatera Stealer and NetSupport RAT. The campaign was publicly reported in mid-November 2025.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Amatera Infostealer Delivered via Fake CAPTCHA and Windows App-V Script Abuse
Researchers reported an active campaign distributing **Amatera Stealer** by using fake “human verification”/CAPTCHA pages (often described as *ClickFix*) to trick users into manually pasting and running a command via the Windows **Run** dialog. Instead of launching PowerShell directly, the command abuses the signed Microsoft App-V script `SyncAppvPublishingServer.vbs` to proxy PowerShell execution through trusted Windows components (e.g., `wscript.exe`), helping the activity blend in with legitimate tooling and evade some defenses. On suitable targets—systems where **Application Virtualization (App-V)** is present and enabled (notably Windows 10/11 Enterprise/Education and modern Windows Server)—the infection chain performs anti-analysis checks to hinder sandbox detonation, then pulls staging/configuration data from a public **Google Calendar** (`.ics`) resource. Additional stages are retrieved using **steganography**, including encrypted payloads embedded in PNG images hosted on public infrastructure/CDNs, which are then decrypted and executed in memory to deliver Amatera (described as based on **ACR Stealer** and offered as **malware-as-a-service**). Recommended mitigations highlighted include tightening controls around Run-dialog execution, disabling unnecessary App-V components, increasing PowerShell/script logging visibility, and monitoring for anomalous outbound retrievals to calendar/image-hosting services.
Mar 21, 2026
Windows Malware Campaigns Using Social Engineering and Legitimate Platforms to Deliver RATs, Stealers, and Proxyware
Multiple research reports detailed **Windows-focused malware delivery chains** that rely on social engineering and abuse of legitimate services to blend into normal enterprise traffic. FortiGuard Labs described a **multi-stage campaign targeting users in Russia** that starts with business-themed decoy documents and scripts, then escalates to security-control bypass and surveillance before deploying **Amnesia RAT** and ultimately **ransomware** with widespread file encryption. A notable technique in that intrusion is the abuse of **Defendnot** (a Windows Security Center trust-model research tool) to **disable Microsoft Defender**, while payloads are hosted modularly across public cloud services (e.g., **GitHub** for scripts and **Dropbox** for binaries) to improve resilience and complicate takedowns. Separately, ReliaQuest reported attackers using **LinkedIn private messages** to build trust with targets and deliver a **WinRAR SFX** that triggers **DLL sideloading** via a legitimate PDF reader, then establishes persistence (Registry `Run` key) and executes **Base64-encoded shellcode in-memory** to load a RAT-like payload. Trend Micro and Koi Security documented **Evelyn Stealer**, which weaponizes **malicious VS Code extensions** to drop a downloader DLL (e.g., `Lightshot.dll`), run hidden PowerShell to fetch `runtime.exe`, and inject the stealer into `grpconv.exe`, exfiltrating data (credentials, cookies, wallets, screenshots, Wi‑Fi credentials) to `server09.mentality[.]cloud` over FTP. AhnLab ASEC also reported **proxyjacking** activity in South Korea attributed to **Larva‑25012**, distributing **proxyware disguised as a Notepad++ installer** and evolving evasion (e.g., injecting into Windows Explorer and using Python-based loaders) to monetize victims’ bandwidth via unauthorized proxyware installation.
Mar 21, 2026
SmartApeSG ClickFix Campaign Delivers Remcos, NetSupport, StealC, and Sectop RAT
Researchers documented a **SmartApeSG** malware campaign using fake CAPTCHA pages and the **ClickFix** social-engineering technique to trick victims into launching an initial script that led to a multi-stage infection. In observed intrusions, **Remcos RAT** executed first, followed within minutes by **NetSupport RAT**, then **StealC**, and later **Sectop RAT** identified as **ArechClient2**. The activity relied on compromised web infrastructure, rotating delivery domains, attacker-controlled command-and-control servers, and multiple payload packages, with several stages using **DLL side-loading** through legitimate executables while NetSupport RAT was deployed as a legitimate remote administration tool configured for malicious control. Separate analysis tied **Sectop RAT / ArechClient2** to additional follow-on infections, including a chain where a victim seeking cracked software downloaded a password-protected archive that installed **Lumma Stealer** before fetching a 64-bit DLL from `enotsosun[.]pw` and executing it via `rundll32` using the `LoadForm` export. Investigators reported concrete indicators including malware hashes, filenames, persistence artifacts, malicious URLs, and network traffic from Sectop RAT to `91.92.241[.]102` over ports `9000` and `443`, reinforcing that ArechClient2 is being used across varied delivery lures as part of broader credential theft and remote-access operations.
Jun 1, 2026