216.73.217.86

EVALUSION Campaign Delivers Amatera Stealer and NetSupport...

· Published 18/11/2025 22:17 · Modified 19/11/2025 09:00

Export JSON

Essential information

Published
18/11/2025 22:17
Modified
19/11/2025 09:00
Tags
2025-11-18 acr stealer amatera stealer c2 communication clickfix crypto wallets evasion techniques information theft netsupport rat powershell
Related entities
1 observables, 1 intrusion sets (apt), 16 techniques (mitre), 3 malware

Description

The eSentire Threat Response Unit identified a malware campaign using as an initial access vector to deploy and . is a rebranded version of , with advanced like WoW64 SysCalls to bypass security solutions. It targets crypto-wallets, browsers, and messaging apps. The attack chain involves social engineering, stages, and a .NET-based downloader. Amatera communicates with its C2 server using encrypted channels and can deploy additional payloads. The campaign selectively targets systems with valuable data or domain membership before deploying . Recommendations include disabling mshta.exe, restricting the Run prompt, implementing phishing awareness training, and using Next-Gen AV or EDR solutions.

External references