EVALUSION Campaign Exploits ClickFix Technique to Deploy Amatera Stealer and NetSupport RAT
In November 2025, cybersecurity researchers identified a sophisticated malware campaign named EVALUSION, which combines advanced social engineering tactics with potent malware tools to compromise Windows systems. This campaign employs the deceptive ClickFix technique to trick users into executing malicious commands, leading to the deployment of Amatera Stealer and NetSupport RAT.
Understanding the ClickFix Technique
The ClickFix technique is a social engineering method that manipulates users into executing harmful commands under the guise of resolving technical issues. In the EVALUSION campaign, attackers present users with fake error messages or verification prompts, instructing them to open the Windows Run dialog box (accessible via the Windows key + R shortcut) and input specific commands. This approach exploits users’ trust in routine troubleshooting procedures, making them more likely to comply without suspicion.
The Infection Chain: From Deception to Compromise
The EVALUSION attack sequence unfolds as follows:
1. Initial Deception: Users encounter a fraudulent prompt, often mimicking legitimate system messages, urging them to verify their identity or fix a purported issue by executing a command.
2. Execution of Malicious Command: Upon following the instructions, users unknowingly initiate a PowerShell command that downloads and executes a .NET-based downloader.
3. Payload Deployment: The downloader retrieves and decrypts additional payloads, including Amatera Stealer and NetSupport RAT, from remote servers.
4. Establishing Persistence: The malware employs various techniques to maintain a foothold on the infected system, such as modifying registry entries and creating scheduled tasks.
Amatera Stealer: A Closer Look
Amatera Stealer, previously known as ACR Stealer, is a sophisticated information-stealing malware developed by the cybercriminal group SheldIO. This malware is designed to extract sensitive data from various applications, including:
– Web Browsers: Harvesting saved credentials, cookies, and browsing history.
– Cryptocurrency Wallets: Accessing wallet files and private keys.
– Password Managers: Extracting stored passwords and secure notes.
Amatera employs advanced evasion techniques to bypass security measures:
– WoW64 SysCalls: Utilizes Windows-on-Windows 64-bit system calls to evade detection by antivirus software and endpoint detection systems.
– Obfuscated PowerShell Code: Executes heavily obfuscated scripts to hinder analysis and detection.
– Disabling AMSI: Overwrites the AmsiScanBuffer string in memory to disable the Anti-Malware Scan Interface, preventing Windows Defender from scanning the malicious code.
NetSupport RAT: Enabling Remote Control
Following the deployment of Amatera Stealer, the EVALUSION campaign installs NetSupport RAT, a remote access tool that grants attackers full control over the compromised system. With NetSupport RAT, cybercriminals can:
– Monitor User Activity: Observe keystrokes, screen activity, and application usage.
– Exfiltrate Data: Transfer sensitive files and information to remote servers.
– Deploy Additional Malware: Install other malicious programs to further exploit the system.
Technical Breakdown of the Attack
The EVALUSION campaign’s technical sophistication is evident in its multi-stage infection process:
1. Downloader Execution: The initial PowerShell command executes a .NET-based downloader packed with Agile.net, complicating reverse engineering efforts.
2. Payload Retrieval: The downloader fetches encrypted payloads from services like MediaFire, decrypting them using RC2 encryption.
3. Process Injection: The malware employs process injection techniques to run malicious code within legitimate system processes, reducing the likelihood of detection.
4. Communication Encryption: Amatera Stealer communicates with command-and-control servers using AES-256-CBC encryption combined with Windows APIs and WoW64 syscalls, ensuring secure and stealthy data transmission.
Implications and Mitigation Strategies
The EVALUSION campaign underscores the evolving nature of cyber threats, where attackers blend social engineering with advanced malware to achieve their objectives. To mitigate such risks, individuals and organizations should:
– Exercise Caution: Be wary of unsolicited prompts instructing the execution of commands or opening of system utilities.
– Implement Security Awareness Training: Educate users on recognizing and avoiding social engineering tactics.
– Maintain Updated Security Software: Ensure antivirus and endpoint detection systems are current and capable of identifying sophisticated threats.
– Monitor System Activity: Regularly review system logs and network traffic for signs of unusual behavior.
By adopting a proactive and informed approach to cybersecurity, users can better defend against complex campaigns like EVALUSION.
