Cybersecurity group eSentire has discovered that a technique known as ClickFix is being exploited to trick victims into deploying credential-harvesting malware, Amatera Stealer and NetSupport RAT, using fake CAPTCHA-style pop-ups.
eSentire’s Threat Response Unit (TRU) has been tracking the escalation of a campaign that exploited ClickFix to gain initial access to targeted systems in November. According to TRU, attackers are using this method to socially engineer victims into manually running malicious commands through the Windows Run prompt.
When these commands are executed, they begin an infection chain that ends with the deployment of Amatera Stealer and NetSupport RAT. These are all legitimate remote monitoring tools that are being repurposed by cybercriminals for unauthorized remote access.
ClickFix campaign uses reCAPTCHA to introduce malware
According to eSentire research published last Thursday, hackers were luring victims with fake websites and pop-ups that looked like “security checks,” including a fraudulent reCAPTCHA verification box and a fake Cloudflare Turnstile page.
Deceptive interfaces prompt users to “fix” a supposed problem, leading them to execute harmful commands without realizing the risks. Once the first command is run, Amatera Stealer is deployed first, followed by the installation of NetSupport Manager. This allows hackers to monitor and control compromised machines as if they were physically present.
Amatera Stealer is not an entirely new threat, but is the latest evolution of ACR Stealer, also known as AcridRain. The previous version first appeared as a malware-as-a-service product on hacker forums in 2024, and was deployed by several users through subscription packages.
ACR was suspended in mid-2024 after a developer known online as SheldIO sold the malware’s source code. Despite the sales announcement, the group said it was “not finished” with development. Researchers now believe that Amatera is a direct successor to ACR, rebuilt with more features and new evasion techniques.
Amatera was discovered by security auditing firm Proofpoint in June and is available on a subscription basis, with pricing ranging from $199 per month to $1,499 per year.
“Amatera provides threat actors with extensive data exfiltration capabilities targeting crypto wallets, browsers, messaging applications, FTP clients, and email services. It employs advanced evasion strategies like WoW64 SysCalls and evades user-mode hooking mechanisms used by sandboxes, antivirus solutions, and EDR products,” eSentire said.
The malware is written in C++ and can harvest saved passwords, card details, browsing history, and files from browsers such as Chrome, Brave, Edge, Opera, and Firefox, as well as specialized platforms such as the Tor Browser and Thunderbird.
Multi-stage Windows PowerShell loader that hides malware
According to eSentire threat analysis, the Amatera infection process is built on multiple layers of obfuscated PowerShell commands.
TRU researchers observed one phase in which the subsequent payload was decrypted using an XOR process on the string “AMSI_RESULT_NOT_DETECTED,” a term associated with Microsoft’s anti-malware scanning interface. The loader’s developers may have intentionally chosen this phrase to confuse researchers doing dynamic analysis.
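The XOR stage described above is the kind of thing an analyst reproduces offline to recover the next payload from a captured loader. The following is an added example, not code from eSentire's report or from the loader itself: a small repeating-key XOR decoder that tries a list of candidate key strings (the reported “AMSI_RESULT_NOT_DETECTED” among them) against a blob and keeps the first decode that yields clean printable text. The encrypted blob, the harmless placeholder plaintext, and the decoy key are constructed here for the demonstration; real samples may wrap the blob in Base64 first, which the optional `base64_wrapped` flag accounts for and which is an assumption about sample layout, not a claim about this loader.

```python
"""Repeating-key XOR stage decoder for malware analysts (added example, constructed data)."""
import base64
from itertools import cycle

# Key string reported by eSentire's TRU for one decryption stage of the loader.
REPORTED_KEY = b"AMSI_RESULT_NOT_DETECTED"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR `data` with `key`, repeating the key as needed (symmetric: decodes and encodes)."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def looks_like_script(blob: bytes) -> bool:
    """Heuristic: a correctly decoded script stage is entirely printable ASCII plus CR/LF/TAB.

    A wrong key almost always leaves control bytes or high bytes behind, so a strict
    all-printable check is a cheap way to reject bad candidates."""
    if not blob:
        return False
    return all(32 <= b < 127 or b in (9, 10, 13) for b in blob)


def recover_stage(blob: bytes, candidate_keys, base64_wrapped: bool = False):
    """Try each candidate key; return (key, decoded_bytes) for the first clean decode, else None.

    `base64_wrapped=True` is an assumption for samples that Base64-encode the XOR output;
    it is not something the page states about this loader."""
    raw = base64.b64decode(blob) if base64_wrapped else blob
    for key in candidate_keys:
        decoded = xor_bytes(raw, key)
        if looks_like_script(decoded):
            return key, decoded
    return None


# Constructed sample: a harmless placeholder standing in for the real next stage,
# encrypted with the reported key so the decoder has something realistic to work on.
SAMPLE_PLAINTEXT = b"Write-Host 'constructed placeholder for the next stage'"
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAINTEXT, REPORTED_KEY)
SAMPLE_BLOB_B64 = base64.b64encode(SAMPLE_BLOB)

# A decoy key first, so the search has to reject a wrong candidate before succeeding.
CANDIDATE_KEYS = [b"wrong-key", REPORTED_KEY]


if __name__ == "__main__":
    hit = recover_stage(SAMPLE_BLOB, CANDIDATE_KEYS)
    if hit is None:
        print("no candidate key produced clean text")
    else:
        key, stage = hit
        print(f"key {key!r} decoded: {stage.decode('ascii')}")
```

In practice the candidate list would be seeded with strings pulled from the loader script itself (the XOR key is usually a literal near the decryption routine), and the decoded stage is then fed back into the same function when the chain has further layers, as eSentire describes.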
Although Amatera is the most common payload delivered in these campaigns, eSentire has also documented instances where the same loader has been used to deploy other information stealers such as Lumma and Vidar. Some of the samples were missing the configuration parameters required to run the multi-stage loader, and the hackers chose to deploy NetSupport Manager directly instead.
eSentire and other security companies have documented email campaigns distributing Visual Basic script files disguised as invoices. Opening the file ran a batch script that started a PowerShell loader, which in turn delivered XWorm.
Other campaigns involved compromised websites redirecting visitors to fake Cloudflare verification pages that mimic ClickFix prompts. This activity is associated with operations known by names such as SmartApeSG, HANEYMANEY, and ZPHP, all of which come with NetSupport RAT as the final payload.
Hackers also built a fraudulent Booking.com website that hosted a fake CAPTCHA check, instructed users to open the Windows Run dialog and execute a command, and installed a credential-stealing script directly onto infected systems.
Some of the phishing campaigns associated with these malware deliveries use a new phishing kit known as Cephas. According to cybersecurity solutions company Barracuda, Cephas uses advanced obfuscation techniques that insert invisible characters into the phishing page’s source code that are difficult to detect by automated scanners.
“This kit obfuscates the code by creating random invisible characters within the source code, evading anti-phishing scanners and preventing signature-based YARA rules from matching accurate phishing techniques,” Barracuda said, as I wrote in last week’s analysis.
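The invisible-character trick Barracuda describes works because a scanner matching on the raw source never sees the string it is looking for. The following is an added example, not code from Barracuda, eSentire, or the Cephas kit: a small normalizer that locates zero-width and other format-only code points in a page's source, reports their count and distribution, and returns a stripped copy that signature rules can be run against. The HTML snippet is constructed for the demonstration, and the set of code points checked is a common zero-width list rather than the specific characters the kit uses.

```python
"""Detect and strip invisible (zero-width) characters from page source (added example, constructed data)."""
import unicodedata

# Format-only code points that render as nothing and are commonly used to break string matching.
# This list is an assumption of the example, not the kit's actual character set.
INVISIBLE = {
    "\u200b",  # ZERO WIDTH SPACE
    "\u200c",  # ZERO WIDTH NON-JOINER
    "\u200d",  # ZERO WIDTH JOINER
    "\u2060",  # WORD JOINER
    "\u2061", "\u2062", "\u2063", "\u2064",  # invisible math operators
    "\ufeff",  # ZERO WIDTH NO-BREAK SPACE / BOM
    "\u00ad",  # SOFT HYPHEN
    "\u034f",  # COMBINING GRAPHEME JOINER
    "\u180e",  # MONGOLIAN VOWEL SEPARATOR
}


def find_invisible(text: str):
    """Return a list of (offset, code point label) for every invisible character in `text`."""
    return [
        (i, f"U+{ord(ch):04X} {unicodedata.name(ch, 'UNNAMED')}")
        for i, ch in enumerate(text)
        if ch in INVISIBLE
    ]


def strip_invisible(text: str) -> str:
    """Return `text` with every invisible character removed, leaving everything else untouched."""
    return "".join(ch for ch in text if ch not in INVISIBLE)


def report(text: str, ratio_threshold: float = 0.005) -> dict:
    """Summarize invisible-character usage; `suspicious` flags pages above the density threshold.

    The threshold is a tunable assumption: legitimate pages rarely contain more than a stray
    BOM or soft hyphen, so even a fraction of a percent is a useful signal."""
    hits = find_invisible(text)
    by_codepoint: dict = {}
    for _, label in hits:
        by_codepoint[label] = by_codepoint.get(label, 0) + 1
    ratio = len(hits) / len(text) if text else 0.0
    return {
        "count": len(hits),
        "ratio": ratio,
        "by_codepoint": by_codepoint,
        "suspicious": len(hits) > 0 and ratio >= ratio_threshold,
        "normalized": strip_invisible(text),
    }


# Constructed sample: a login-form fragment with zero-width characters inserted into the
# words a scanner would key on ("Password", "password", "pwd", "Sign in").
ZW = "\u200b"
SAMPLE_HTML = (
    '<form action="/submit">\n'
    f'  <label>Pass{ZW}word</label>\n'
    f'  <input type="pass\u200cword" name="p{ZW}wd">\n'
    f'  <button>Sign\u2060 in</button>\n'
    '</form>\n'
)


if __name__ == "__main__":
    result = report(SAMPLE_HTML)
    print(f"invisible characters: {result['count']} (ratio {result['ratio']:.3%})")
    for label, n in result["by_codepoint"].items():
        print(f"  {label}: {n}")
    print("raw source matches 'password':", "password" in SAMPLE_HTML.lower())
    print("normalized matches 'password':", "password" in result["normalized"].lower())
```

The practical takeaway for detection engineering is to run YARA or regex signatures against the normalized copy, not the raw bytes, and to treat a high density of format-only code points in a page that otherwise renders as plain text as a signal in its own right.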