EVALUSION ClickFix Campaign

Cybersecurity analysts have uncovered an ongoing wave of malicious activity relying heavily on the widespread ClickFix social‑engineering method. This campaign, tracked as EVALUSION, leverages the technique to distribute both Amatera Stealer and NetSupport RAT, enabling extensive data theft and remote access on infected systems.

From ACR to Amatera: The Evolution of a Stealer

The first signs of Amatera emerged in June 2025, with researchers assessing it as a direct successor to the earlier ACR (AcridRain) Stealer, which previously operated under a malware‑as‑a‑service subscription model. After ACR sales ceased in mid‑July 2024, Amatera surfaced with its own tiered pricing structure ranging from $199 per month to $1,499 per year, making it accessible to a variety of threat actors.

Capabilities Built for Comprehensive Theft

Amatera offers broad data‑gathering features designed to compromise multiple types of user information. Its targets extend across crypto‑wallets, browsers, messaging clients, FTP utilities, and email programs. To avoid detection, it employs advanced evasion tactics, including WoW64 SysCalls, which help it sidestep common user‑mode monitoring used by sandboxes, AV engines, and EDR solutions.

Key data targets include:

  • Cryptocurrency wallets and extensions
  • Web browsers
  • Popular messaging platforms
  • FTP clients
  • Email applications

ClickFix at Work: The Infection Process

As seen in many ClickFix scenarios, victims are convinced to run a command in the Windows Run dialog under the guise of completing a fake reCAPTCHA challenge on fraudulent phishing sites. This command triggers a chain reaction involving mshta.exe, which executes a PowerShell script. The script retrieves a .NET binary hosted on MediaFire, setting the stage for payload deployment.

PureCrypter and MSBuild: A Stealthy Delivery Chain

The downloaded component is an Amatera Stealer DLL concealed using PureCrypter, a versatile C#‑based loader also sold as a MaaS product by a developer known as PureCoder. Once active, the DLL is injected into MSBuild.exe, allowing the stealer to begin collecting data. It then reaches out to an external server and executes a PowerShell command to download and launch NetSupport RAT.

The execution logic goes through the following steps:

  • Checks if the system belongs to a domain
  • Looks for potentially valuable files, such as crypto‑wallet data
  • Proceeds with NetSupport RAT deployment only if one of these conditions is met
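To show how a defender could surface the process chain described above in endpoint telemetry, here is an added example that is not part of the original article or of the research it summarises: a small Python detector run over constructed Sysmon-style process-creation events. It assumes that the second-stage PowerShell launched from the injected MSBuild.exe shows up as a direct child of that process, which the article does not state explicitly.

```python
from dataclasses import dataclass

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # lower-cased basename of the executable
    cmdline: str

# Parent/child pairs matching stages of the chain the article describes.
# Assumption: the PowerShell stage launched from the injected MSBuild.exe
# appears as a direct child process of MSBuild.exe.
SUSPICIOUS_PAIRS = {
    ("mshta.exe", "powershell.exe"): "mshta.exe spawning PowerShell (ClickFix Run-dialog stage)",
    ("msbuild.exe", "powershell.exe"): "MSBuild.exe spawning PowerShell (NetSupport RAT download stage)",
}

# Constructed sample telemetry, not real events. Fields mirror Sysmon Event ID 1
# (ProcessCreate): ProcessId, ParentProcessId, Image, CommandLine.
SAMPLE_EVENTS = [
    ProcEvent(100, 1,   "explorer.exe",   "explorer.exe"),
    ProcEvent(200, 100, "mshta.exe",      "mshta.exe https://captcha.example.invalid/verify"),
    ProcEvent(300, 200, "powershell.exe", "powershell.exe -w hidden -ep bypass -c ..."),
    ProcEvent(400, 300, "msbuild.exe",    "msbuild.exe"),
    ProcEvent(500, 400, "powershell.exe", "powershell.exe -w hidden -c ..."),
    ProcEvent(600, 100, "powershell.exe", "powershell.exe"),          # benign: user-opened shell
    ProcEvent(700, 100, "msbuild.exe",    "msbuild.exe build.proj"),  # benign: developer build
]

def ancestry(events, pid):
    """Image names from the oldest known ancestor down to pid (cycle-safe)."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return list(reversed(chain))

def find_suspicious_chains(events):
    """Flag each child whose (parent image, child image) pair is in SUSPICIOUS_PAIRS."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for child in events:
        parent = by_pid.get(child.ppid)
        reason = SUSPICIOUS_PAIRS.get((parent.image, child.image)) if parent else None
        if reason:
            hits.append((parent.pid, child.pid, reason, ancestry(events, child.pid)))
    return hits
```

Each hit carries the full ancestry, so an analyst sees the whole explorer -> mshta -> powershell -> msbuild -> powershell sequence in one alert; build servers that legitimately run PowerShell tasks from MSBuild will need an allowlist for the second pair.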

Selective Targeting for Maximum Impact

One of the more unusual aspects of Amatera’s PowerShell routine is its conditional logic. The stealer evaluates whether the infected endpoint is part of a corporate domain or contains high‑value data. If neither criterion is met, NetSupport RAT is intentionally withheld, suggesting the operators seek to conserve resources and focus on systems offering the greatest return.

This targeted approach, combined with ClickFix manipulation and a refined malware ecosystem, underscores the increasing sophistication of modern cybercrime operations.
