A sophisticated new malware campaign, dubbed EVALUSION, has emerged, leveraging a cunning social engineering tactic known as the “ClickFix” technique. This method tricks unsuspecting users into executing malicious commands through the Windows Run prompt, paving the way for the deployment of Amatera Stealer, a potent information-gathering trojan. Security researchers at eSentire identified the campaign in November 2025, noting its alarming progression in combining multiple cyberattack tools for maximum impact.
The EVALUSION campaign begins with attackers manipulating victims into voluntarily opening the Windows Run dialog. Through carefully crafted phishing messages or deceptive online content, they persuade users to input specific commands. Once executed, these commands initiate a hidden sequence of actions that ultimately installs Amatera Stealer onto the compromised system. This malware is specifically designed to pilfer sensitive data, targeting credentials stored in browsers, cryptocurrency wallets, and password managers.
EVALUSION Campaign Employs Advanced Evasion with Amatera Stealer and NetSupport RAT
Following the initial compromise by Amatera Stealer, the EVALUSION campaign escalates with the deployment of NetSupport RAT (Remote Access Trojan). This secondary payload grants attackers unfettered remote access to the victim’s computer, allowing them to control the system, exfiltrate larger volumes of data, or deploy further malicious software. The combined use of a sophisticated stealer and a powerful RAT signifies a significant leap in the capabilities and organization of cyber threat actors.
The effectiveness of the EVALUSION campaign hinges on its advanced detection evasion techniques. Amatera Stealer, previously known as ACR Stealer and marketed by a group called SheldIO, utilizes obfuscated PowerShell code that is deliberately made difficult to decipher. Security analysts observed the malware employing a unique method involving XOR encryption with the string “AMSI_RESULT_NOT_DETECTED” to decrypt subsequent stages of its operation, effectively confounding automated security analysis.
The Infection Mechanism and Detection Evasion
The infection chain is initiated by a .NET-based downloader. This initial component is responsible for retrieving and decrypting further payloads, often sourced from legitimate cloud storage services like MediaFire, employing RC2 encryption for obfuscation. To further hinder analysis, this downloader is packed with Agile.net, a common technique used to make reverse engineering more challenging for security professionals.
Upon execution, the downloader deploys a Pure Crypter-packed file that leverages sophisticated process injection techniques. A critical step in the Amatera Stealer’s evasion strategy involves tampering with the Anti-Malware Scan Interface (AMSI). The malware overwrites specific strings within the system’s memory, effectively disabling Windows’ built-in security scanning capabilities for the duration of the attack. This bypass allows subsequent malicious activities to proceed undetected.
Amatera Stealer establishes communication with its command and control (C2) servers through encrypted connections designed to circumvent typical network security monitoring. It employs Windows APIs in conjunction with WoW64 system calls to encrypt all outbound traffic using AES-256-CBC encryption, rendering traffic analysis exceedingly difficult for security teams. This robust encryption ensures that stolen data, packaged into zip files, can be transmitted to attacker-controlled servers without interception.
The malware’s loader functionality allows attackers to selectively deploy additional payloads. This targeted approach enables threat actors to focus their efforts on high-value targets, such as systems known to contain cryptocurrency wallets or critical business infrastructure. By prioritizing these lucrative targets, attackers aim to maximize their financial gain and minimize wasted resources on less profitable systems. The multifaceted nature of the EVALUSION campaign underscores the necessity for multi-layered cybersecurity defenses in today’s threat landscape.
Moving forward, cybersecurity professionals will be keenly observing any further evolution of the EVALUSION TTPs and the Amatera Stealer’s capabilities. Continued research and threat intelligence sharing will be crucial in developing effective countermeasures against this evolving threat, particularly focusing on detecting the initial social engineering vectors and the sophisticated evasion techniques employed by the malware.