Hackers Use Fake reCAPTCHA Pop-Ups in ClickFix Campaign to Deploy Crypto-Stealing Malware

Nov 18, 2025, 12:16 p.m.

Cybersecurity firm eSentire has uncovered a sophisticated malware campaign that uses fake reCAPTCHA-style pop-ups and counterfeit Cloudflare Turnstile pages to socially engineer victims into deploying credential-harvesting malware. The method, known as ClickFix, tricks users into executing malicious commands through the Windows Run prompt under the guise of fixing system issues or completing security checks.

Once executed, the infection chain delivers Amatera Stealer—a direct successor to the ACR Stealer malware—followed by NetSupport RAT, which allows unauthorized remote access. Amatera, written in C++, is capable of exfiltrating data from crypto wallets, browsers like Chrome and Firefox, messaging apps, FTP clients, and email services. It employs advanced evasion techniques, such as WoW64 SysCalls, to bypass anti-virus solutions and EDR products.

The campaign, tracked since November, involves multi-stage PowerShell loaders that decrypt payloads using obfuscated commands, including references to "AMSI_RESULT_NOT_DETECTED" to confuse analysis. While Amatera is the primary payload, eSentire also observed deployments of other infostealers like Lumma and Vidar. Related phishing operations, including fake Booking.com sites and email campaigns with Visual Basic Script files, have been tied to groups such as SmartApeSG, HANEYMANEY, and ZPHP.
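As an added illustration of how a defender might triage for the behaviour described above (a script host launched from the Run prompt, hidden/bypass/encoded PowerShell switches, and the "AMSI_RESULT_NOT_DETECTED" marker), here is a small detection pass over process-creation events. This is example code, not eSentire's or anyone else's tooling; the events are constructed and flattened into a Sysmon Event ID 1 shape, and the base64 in them is filler.

```python
import re

# Constructed sample events (Sysmon Event ID 1 style, flattened). None of the
# command lines are taken from the campaign; the base64 string is filler.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c set AMSI_RESULT_NOT_DETECTED=1"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "CommandLine": r'"C:\Program Files\Mozilla Firefox\firefox.exe"'},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -File C:\Scripts\inventory.ps1"},
]

# Script hosts a pasted Run-prompt command would typically invoke; the VBS
# files from the related phishing runs go through wscript/cscript.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Switches that hide the window, disable execution policy, or carry an
# encoded command (-e/-enc/-encodedcommand followed by a base64 blob).
OBFUSCATION = re.compile(
    r"(?:^|\s)-(?:w(?:indowstyle)?\s+hidden|e(?:p|xecutionpolicy)\s+bypass"
    r"|e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,})", re.I)

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def score_event(ev: dict) -> list[str]:
    """Return the reasons this event trips; an empty list means clean."""
    reasons = []
    child, parent = basename(ev["Image"]), basename(ev["ParentImage"])
    cmd = ev["CommandLine"]
    # A Win+R (Run prompt) launch shows up with explorer.exe as the parent.
    if parent == "explorer.exe" and child in SCRIPT_HOSTS:
        reasons.append("script host launched interactively from explorer.exe")
    if OBFUSCATION.search(cmd):
        reasons.append("hidden/bypass/encoded PowerShell switches")
    if "AMSI_RESULT_NOT_DETECTED" in cmd:  # marker the loaders reference
        reasons.append("AMSI_RESULT_NOT_DETECTED marker in command line")
    if parent in SCRIPT_HOSTS and child in SCRIPT_HOSTS:  # staged loader
        reasons.append("script host spawned by script host (multi-stage)")
    return reasons

def triage(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Index every event that trips at least one reason, for analyst review."""
    return [(i, r) for i, ev in enumerate(events) if (r := score_event(ev))]

if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["CommandLine"][:50], "->", "; ".join(reasons))
```

On a real host the same heuristics apply to the Run dialog's own history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, which keeps the pasted command even after the process has exited.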

Amatera is sold on a subscription basis, ranging from $199 monthly to $1,499 annually, and first appeared in June 2025 after the source code of ACR Stealer was sold by its developer, SheldIO. Security firms like Proofpoint and Barracuda have linked the campaign to the Cephas phishing kit, which uses invisible characters in source code to evade detection.
