Amatera Stealer Unveiled: Rebranded ACR Stealer Now More Evasive, Targeting Your Data

According to a new report from Proofpoint, a previously known threat, ACR Stealer, has been reborn under the alias Amatera Stealer, with enhanced evasion tactics, a revamped command-and-control (C2) scheme, and ongoing development within the malware-as-a-service (MaaS) ecosystem.

“While Amatera Stealer retains the core of its predecessor, it has undergone enough development and enhancement to stand out as a distinct and noteworthy threat,” Proofpoint researchers noted.

The Amatera Stealer shares significant DNA with ACR Stealer, including overlapping code and capabilities. However, Proofpoint emphasizes that the new malware has been extensively modernized:

• Written in C++ and actively maintained
• Offers subscription pricing from $199/month to $1,499/year
• Available through a publicly accessible C2 panel
• Customer support facilitated via Telegram

“This wouldn’t be the first time the creator of this malware family has rebranded the stealer,” Proofpoint observed, citing a likely link to the GrMsk Stealer.

Amatera’s distribution method showcases sophisticated web injection techniques via the ClearFake cluster, which compromises legitimate websites and serves payloads using:

• EtherHiding: JavaScript hosted on Binance Smart Chain contracts
• ClickFix: A social engineering method that uses clipboard access and PowerShell execution

“Users are presented with a fake CAPTCHA… then instructed to press Windows + R followed by Ctrl+V and Enter, effectively executing a malicious PowerShell command,” Proofpoint explains

This command downloads a C# project file (.csproj) that launches a multi-stage payload involving obfuscated PowerShell, AMSI and ETW bypasses, and shellcode injection into a suspended Windows process.

One of Amatera’s standout technical upgrades is its use of NTSockets to interact directly with the Windows AFD driver, bypassing Winsock APIs and evading most endpoint detection tools.

“Interfacing directly with the AFD device… effectively bypasses almost all commonly used Windows networking APIs,” the report explains.

Instead of resolving domains via DNS, Amatera reaches its C2 through hardcoded Cloudflare CDN IPs, obscuring malicious traffic behind a façade of legitimate services.

Amatera also employs direct WoW64 syscalls for API execution, sidestepping user-mode hooks employed by many sandboxes and EDR tools. Its syscall stubs dynamically resolve Windows API functions, fetch system service numbers (SSNs), and invoke system calls directly via WoW64Transition.

“This method of calling Windows APIs was likely introduced to bypass user-mode hooking techniques,” Proofpoint states.

Amatera’s goal remains straightforward—steal data—but it does so with precision and modularity:

• Targeted file exfiltration using NtCreateFile and NtQueryDirectoryFile
• Steals from browsers (cookies, web history), password managers, and crypto wallets
• Injects shellcode to bypass Chrome’s App Bound Encryption
• Harvests data from messaging apps, email clients, SSH/FTP software, and browser extensions

The malware also supports secondary payload execution, using either ShellExecuteA or Invoke-Expression in PowerShell depending on the payload format.

Proofpoint underscores that Amatera is under active development. New samples suggest support for HTTPS-based C2 channels, obfuscation improvements, and stealthier payload delivery.

“Amatera Stealer is actively undergoing improvements to make the malware stealthier from detection… while being used by threat actors with clever attack chains,” the report concludes.

Related Posts:

• Your Smart TV is Watching You: New Research Reveals the Extent of ACR Tracking
• Zerologon Vulnerability Strikes Again: RansomHub Exploits Legacy Flaw
• CVE-2023-0045 flaw allows hackers bypass Spectre-BTI user space mitigations on Linux
• Lynx Ransomware: The Evolution of INC Ransomware into a Potent Cyber Threat
• Stealth, Persistence, and Privilege Escalation: A Sophisticated PUMAKIT Linux Malware