WARNING: EVALUSION ‘ClickFix’ is Spreading Amatera Stealer
Security experts are sounding the alarm this month over a dangerous new wave of cyberattacks. Hackers are using a surprisingly simple but effective social engineering trick, dubbed “ClickFix,” to infect computers with two powerful types of malicious software: Amatera Stealer and the NetSupport RAT. Researchers at the cybersecurity firm eSentire are actively tracking this campaign, which they have code-named EVALUSION. This combination of attack methods is particularly worrying because it shows how criminals are blending basic psychological tricks with highly advanced hacking tools to steal sensitive information and take full control of victims’ machines.
The Vicious New Tool: Amatera Stealer
Amatera Stealer itself is a relatively new threat, first appearing on the dark web in June 2025. Security analysts believe it’s a significant upgrade to an older malware called ACR Stealer, which was pulled from the market in mid-2024. Today, Amatera is being sold to other criminals through a subscription model, much like a legitimate software service. This “Malware-as-a-Service” (MaaS) setup makes it accessible to a wide range of attackers, even those without deep technical skills. The price for this dangerous tool ranges from $199 for a monthly license to nearly $1,500 for a full year of access.
What makes Amatera so dangerous is its specialization. Its creators designed it to be a comprehensive data thief. Once it infects a computer, it immediately hunts for a treasure trove of personal data. This includes login details saved in web browsers, sensitive files from FTP clients, private messages from chat apps, and access to email accounts. However, its primary target appears to be financial. The stealer relentlessly searches for digital “crypto-wallets,” aiming to drain victims of their Bitcoin and other cryptocurrencies. To make matters worse, Amatera is built to be stealthy. It uses sophisticated evasion methods, specifically something called WoW64 SysCalls, to hide from the very programs designed to stop it. This technique helps it bypass common detection methods used by antivirus (AV) software, sandbox environments, and advanced Endpoint Detection and Response (EDR) products. In simple terms, it knows how to stay invisible.
The “ClickFix” Trick: How They Get In
The main way hackers are spreading Amatera is through the clever “ClickFix” tactic. This attack starts on a malicious or compromised website. The victim is presented with a fake pop-up, often disguised as a standard reCAPTCHA or a Cloudflare security check, claiming the user needs to “verify” they are human. Instead of just clicking a box, the scam instructs the user to complete a manual step to prove their identity.
This is where the trick lies. The site tells the user to press the Windows key + R to open the “Run” dialog box, then paste in a seemingly harmless command and press Enter. Many users, believing this is just a quirky but legitimate security step, follow the instructions. The moment they hit “Enter,” the attack begins. The command they just ran silently triggers “mshta.exe,” a legitimate Windows utility, which in turn launches a PowerShell script.
This script acts as the first-stage downloader. It connects to the file-hosting service MediaFire and downloads the main payload. This payload is the Amatera Stealer, but it’s been “packed” using another criminal tool called PureCrypter. Think of a crypter as a digital invisibility cloak that scrambles the malware’s code to prevent antivirus scanners from recognizing it. This packed file, a DLL, is then sneakily injected into a legitimate Windows process called “MSBuild.exe.” Because MSBuild is a trusted part of the Windows system, the malware can now operate from within it, effectively hiding in plain sight.
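The infection chain described above (Run dialog, then mshta.exe, then PowerShell, then a payload hosted in MSBuild.exe) leaves a distinctive parent/child process lineage that a defender can alert on. The following is an added example, not code from eSentire or the article: it walks constructed Sysmon-style process-creation events and flags any process whose ancestry matches the ClickFix pattern. The event field names, PIDs and command lines are assumptions made up for the example, not indicators from the report.

```python
# Added example (not from the eSentire report): detect the ClickFix process
# lineage explorer.exe -> mshta.exe -> powershell.exe (-> MSBuild.exe) in
# process-creation telemetry. All events below are constructed for the example.
import ntpath
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample telemetry. The URL uses the reserved .invalid TLD and is a
# placeholder, not a real indicator.
SAMPLE_EVENTS = [
    ProcEvent(1000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2000, 1000, r"C:\Windows\System32\mshta.exe",
              "mshta.exe https://example.invalid/verify"),
    ProcEvent(3000, 2000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -ep bypass -c <placeholder>"),
    ProcEvent(4000, 3000, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
              "MSBuild.exe"),
    # Benign developer activity: MSBuild launched from a shell with a project file.
    ProcEvent(5000, 1000, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(6000, 5000, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
              "MSBuild.exe build.proj"),
]

# Each rule is (description, lineage from the process itself up to its ancestors).
# The first entry must be the process being evaluated; the rest may be separated
# by intermediate parents (matched as an ordered subsequence).
RULES = [
    ("ClickFix Run-dialog chain: explorer -> mshta -> powershell",
     ["powershell.exe", "mshta.exe", "explorer.exe"]),
    ("MSBuild spawned by PowerShell under mshta (possible injected payload host)",
     ["msbuild.exe", "powershell.exe", "mshta.exe"]),
]


def basename(image: str) -> str:
    """Lower-cased file name of an image path, so rules are path-independent."""
    return ntpath.basename(image).lower()


def ancestry(by_pid: dict, pid: int) -> list:
    """Return ancestor events of pid, nearest parent first; guards against cycles."""
    chain, seen = [], {pid}
    ev = by_pid.get(pid)
    while ev is not None:
        parent = by_pid.get(ev.ppid)
        if parent is None or parent.pid in seen:
            break
        chain.append(parent)
        seen.add(parent.pid)
        ev = parent
    return chain


def is_subsequence(needle: list, hay: list) -> bool:
    """True if every item of needle appears in hay in the same relative order."""
    it = iter(hay)
    return all(any(x == h for h in it) for x in needle)


def detect(events: list) -> list:
    """Return (pid, rule description) for every event whose lineage matches a rule."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for ev in events:
        lineage = [basename(ev.image)] + [basename(a.image) for a in ancestry(by_pid, ev.pid)]
        for description, pattern in RULES:
            # The rule must start at the process itself; ancestors may be interleaved.
            if lineage[0] == pattern[0] and is_subsequence(pattern[1:], lineage[1:]):
                alerts.append((ev.pid, description))
    return alerts


if __name__ == "__main__":
    for pid, description in detect(SAMPLE_EVENTS):
        print(f"ALERT pid={pid}: {description}")
```

Only the mshta-rooted chain fires; the developer's cmd.exe-launched MSBuild with a project file does not. Because the user typed the command into the Run dialog, the same incident can be corroborated from the RunMRU history under the user's HKCU Explorer key, which is worth collecting alongside the process telemetry.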
From Theft to Total Control: The Final Step
Once Amatera Stealer is active, it begins its primary mission: harvesting all the valuable data it was designed to find. After it has stolen the passwords, crypto keys, and other sensitive files, it “phones home” to a command-and-control server run by the hackers. But the attack doesn’t stop there.
The server then sends back a new PowerShell command for the infected computer to run. This second command is designed to download and install NetSupport RAT. A RAT, or Remote Access Trojan, is even more invasive than a stealer. It grants the attackers complete, real-time remote control over the victim’s machine. They can see the screen, record keystrokes, steal more files, and use the computer to launch other attacks.
However, the researchers at eSentire discovered a fascinating detail. The malware is selective. Before downloading the NetSupport RAT, Amatera performs a check on the victim’s machine. It looks for two things: first, whether the computer is part of a corporate or business network (a “domain”), and second, whether it contains files of high value, like crypto-wallets. If the machine is just a standard home computer with nothing valuable found, the malware doesn’t bother downloading the RAT. This shows the attackers are prioritizing high-value targets, like businesses or wealthy individuals, for their full-scale takeover, while settling for simple data theft on less valuable victims.
Part of a Larger, Dangerous Wave
This “EVALUSION” campaign is not happening in isolation. Security experts warn that it’s part of a much broader trend of phishing and social engineering attacks that have escalated recently. For instance, other campaigns are using email attachments disguised as invoices. These attachments contain Visual Basic Scripts that, when opened, deliver a malware called XWorm. Another campaign, codenamed SmartApeSG, has been hacking into legitimate websites and injecting code that redirects visitors to fake ClickFix pages mimicking Cloudflare checks, all to deliver the same NetSupport RAT.
The same social engineering trick is also being seen on spoofed websites. Hackers have built fake versions of the popular travel site Booking.com that present users with a fake CAPTCHA. Just like in the Amatera campaign, this check tricks the user into running a malicious command via the Windows Run dialog, which immediately installs a credential-stealing virus. Other attackers are sticking to more traditional email phishing, sending out fake “email delivery failure” notifications. These messages claim an important invoice or package delivery notice is blocked, duping the recipient into clicking a link to “release” the message. This link, of course, leads to a fake login page designed to siphon their credentials.
To pull off these credential theft attacks, criminals are increasingly relying on pre-built “phishing kits” like Tycoon 2FA and the newly emerged Cephas. Barracuda, another security firm, recently analyzed the Cephas kit, which first appeared in August 2024. They found it uses a unique and sneaky method to hide its malicious code. It scatters random, invisible characters throughout its source code. This simple trick is incredibly effective at confusing automated anti-phishing scanners and breaking signature-based detection rules (like YARA rules) that look for exact code matches, allowing the phishing pages to remain undetected for longer.
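The invisible-character trick described for the Cephas kit defeats any rule that looks for an exact byte sequence, because a zero-width code point sitting between two characters of the signature breaks the match. The following is an added example, not code from Barracuda or from any real phishing kit: it builds a constructed login-form snippet, sprinkles it with zero-width characters the way the text describes, and shows two defensive responses: normalizing the page before matching, and generating a signature that tolerates such characters between every letter. The snippet, the signature string and the helper names are all assumptions made up for the example.

```python
# Added example (not from the Barracuda analysis or any real phishing kit):
# show how zero-width characters break an exact-match signature, and two ways
# a scanner can compensate. All strings here are constructed for the example.
import re
import unicodedata

# Zero-width / invisible code points commonly abused for this purpose. All are in
# Unicode general category Cf (format), which the normalizer below strips.
ZERO_WIDTH = "\u200b\u200c\u200d\u2060\ufeff\u00ad"

# A constructed signature a simple rule might look for on a credential-harvesting page.
SIGNATURE = '<input type="password" name="passwd"'


def obfuscate(text: str, filler: str = "\u200b", every: int = 3) -> str:
    """Simulate the kit: insert an invisible character after every `every` characters."""
    return "".join(c + (filler if (i + 1) % every == 0 else "") for i, c in enumerate(text))


def normalize(text: str) -> str:
    """Drop all Unicode format (Cf) characters, then apply NFKC so look-alikes collapse."""
    cleaned = "".join(ch for ch in text if unicodedata.category(ch) != "Cf")
    return unicodedata.normalize("NFKC", cleaned)


def tolerant_regex(signature: str) -> "re.Pattern":
    """Compile `signature` so any run of zero-width characters may sit between its characters.

    This is the approach to use when the scanner cannot pre-process the input
    (for instance when the rule must be expressed as a regex in an existing engine).
    """
    gap = "[" + re.escape(ZERO_WIDTH) + "]*"
    return re.compile(gap.join(re.escape(ch) for ch in signature))


def signature_hits(html: str, signature: str = SIGNATURE) -> dict:
    """Compare an exact match on the raw page with a match after normalization."""
    return {"raw": signature in html, "normalized": signature in normalize(html)}


# Constructed sample page with the signature obfuscated the way the kit does it.
SAMPLE_PAGE = "<html><body><form>" + obfuscate(SIGNATURE) + "></form></body></html>"


if __name__ == "__main__":
    print("invisible chars inserted:", len(SAMPLE_PAGE) - len(normalize(SAMPLE_PAGE)))
    print("exact / normalized match:", signature_hits(SAMPLE_PAGE))
    print("tolerant regex match:", tolerant_regex(SIGNATURE).search(SAMPLE_PAGE) is not None)
```

Normalizing before matching is the cheaper fix when you control the scanning pipeline, since one pass protects every rule; the tolerant regex is the fallback when rules must run unmodified in an engine that sees the raw bytes, at the cost of a larger and slower pattern per signature.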
