Researchers: ClickFix social‑engineering used to deliver Amatera stealer and NetSupport RAT

Security researchers have identified active malware campaigns that use the ClickFix social‑engineering tactic to deliver an information stealer and a remote access trojan. eSentire, which reported the multi‑stage infections involving Amatera and NetSupport RAT, tracks the activity under the name EVALUSION.

Amatera has been assessed as an evolution of the ACR stealer and is offered for sale under subscription plans, according to a Proofpoint analysis. Vendors tracking the campaigns describe Amatera as capable of harvesting browser data, crypto wallets and credentials and of using advanced evasion techniques to hinder detection.

The ClickFix lure persuades targets to run a command in the Windows Run dialog to complete a bogus CAPTCHA check, triggering mshta.exe to launch a PowerShell loader that retrieves a .NET component from a file hosting service. That component drops an Amatera DLL that is packed with a C# crypter and loader identified in eSentire analysis as a commercial offering advertised by the actor PureCoder.

Analysts said the Amatera DLL is injected into the MSBuild.exe process to harvest data, and the malware can contact an external server to fetch and launch NetSupport RAT only if the victim machine appears to be part of a domain or contains files of potential value such as crypto wallets. eSentire researchers flagged that conditional check as a mechanism to limit deployment of the RAT on low‑value hosts.
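The chain described above (Run dialog, mshta.exe, PowerShell loader, MSBuild.exe) is what a defender would hunt for in process-creation telemetry. The following is an added example, not code from eSentire or any vendor named here: it walks constructed process-creation records, flags a powershell.exe whose ancestry is explorer.exe -> mshta.exe and whose mshta parent was handed a remote URL, and notes whether MSBuild.exe was spawned beneath it. The event shape, pids and the `example.invalid` URL are all constructed for the demonstration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (constructed; a real feed would be Sysmon event 1 or 4688)."""
    pid: int
    ppid: int
    image: str      # image file name, lower-cased
    cmdline: str

# Run dialog (hosted by explorer.exe) -> mshta.exe -> powershell.exe, as described above;
# MSBuild.exe is then spawned as the injection target.
CLICKFIX_PREFIX = ("explorer.exe", "mshta.exe", "powershell.exe")

def ancestry(by_pid, start):
    """Return the image names from the oldest known ancestor down to `start`."""
    chain, cur, seen = [], start, set()
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)               # guard against pid-reuse loops in the sample
        chain.append(cur.image)
        cur = by_pid.get(cur.ppid)
    return list(reversed(chain))

def find_clickfix_chains(events):
    """Flag each powershell.exe whose ancestry ends explorer->mshta->powershell and whose
    mshta parent was handed a remote URL (a local .hta run by an installer is not flagged)."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if e.image != "powershell.exe":
            continue
        chain = ancestry(by_pid, e)
        if tuple(chain[-3:]) != CLICKFIX_PREFIX:
            continue
        if "http" not in by_pid[e.ppid].cmdline.lower():
            continue
        msbuild = any(c.ppid == e.pid and c.image == "msbuild.exe" for c in events)
        hits.append({"pid": e.pid, "chain": chain, "msbuild_child": msbuild})
    return hits

# Constructed sample: one ClickFix-style chain and one benign installer launching a local .hta.
SAMPLE_EVENTS = [
    ProcEvent(400, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(500, 400, "mshta.exe", "mshta.exe https://example.invalid/verify"),
    ProcEvent(600, 500, "powershell.exe", "powershell.exe <loader command elided>"),
    ProcEvent(700, 600, "msbuild.exe", "MSBuild.exe"),
    ProcEvent(800, 400, "mshta.exe", r"mshta.exe C:\Program Files\Vendor\setup.hta"),
    ProcEvent(900, 800, "powershell.exe", "powershell.exe -File install.ps1"),
]
```

Calling `find_clickfix_chains(SAMPLE_EVENTS)` returns only the chain rooted at pid 600; the installer's local .hta chain is ignored because its mshta command line carries no URL.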

Researchers also described several concurrent phishing campaigns that use other delivery methods and lures. One campaign used Visual Basic Script attachments masquerading as invoices to drop XWorm via a PowerShell loader, while compromised websites injected with malicious JavaScript redirected visitors to fake ClickFix pages and to pages tied to an ongoing operation tracked as SmartApeSG. Other incidents used faux booking pages and CAPTCHA prompts to run the same Windows Run trick and to deliver credential stealers.

Phishing that spoofs internal email delivery notices has also been observed, with operators using links to siphon credentials and to trick recipients into moving messages back to the inbox; a related Malwarebytes analysis of the bait used in those emails describes the claims they make as false. Researchers also highlighted phishing kits such as Cephas and, in a Barracuda analysis, noted an uncommon obfuscation technique that hampers signature detection.

Vendors and responders continue to monitor the activity and advise organisations to be wary of unexpected prompts to run commands, to block or inspect suspicious mshta and PowerShell traffic, and to maintain up‑to‑date endpoint protections.