Amatera Stealer data-exfiltration and NetSupport RAT delivery
Malware Activity
Summary
Hide ▲
Show ▼
Amatera Stealer is now being delivered through ClickFix phishing lures to steal data and stage NetSupport RAT, increasing risk to wallets, browsers, and email accounts. The malware uses mshta.exe, PowerShell, and MSBuild.exe to run a multi-step payload chain. The activity is significant because it combines credential theft, file targeting, and follow-on remote-control delivery in one infection path.
Related Happenings
AI-generated PowerShell Active Directory reconnaissance script
Malware Activity
H score23
First: 09.07.2026 17:00
Last: 09.07.2026 17:00
Sources 1
About this happening:
An **AI-generated PowerShell script** was used in a real **Windows intrusion**, showing how one-off malware can automate **Active Directory reconnaissance** and evade signature-ba...
AI-generated PowerShell Active Directory reconnaissance script
Malware ActivityAbout this happening: An **AI-generated PowerShell script** was used in a real **Windows intrusion**, showing how one-off malware can automate **Active Directory reconnaissance** and evade signature-ba...
Microsoft AutoGen Studio AutoJack MCP WebSocket command execution security flaw
Vulnerability
H score33
First: 22.06.2026 20:28
Last: 22.06.2026 20:28
Sources 1
About this happening:
Microsoft’s **AutoJack** chain exposed **AutoGen Studio** to **arbitrary command execution** for developers building from the main GitHub branch before the hardening commit.
Microsoft AutoGen Studio AutoJack MCP WebSocket command execution security flaw
VulnerabilityAbout this happening: Microsoft’s **AutoJack** chain exposed **AutoGen Studio** to **arbitrary command execution** for developers building from the main GitHub branch before the hardening commit.
Windows cryptocurrency clipper malware using USB LNK worming and Tor C2
Malware Activity
H score29
First: 18.06.2026 17:30
Last: 18.06.2026 17:30
Sources 1
About this happening:
A **Windows-based cryptocurrency clipper** has been active since **February 2026**, using **USB-delivered LNK** worming to steal wallet data and reroute payments. The malware adds...
Windows cryptocurrency clipper malware using USB LNK worming and Tor C2
Malware ActivityAbout this happening: A **Windows-based cryptocurrency clipper** has been active since **February 2026**, using **USB-delivered LNK** worming to steal wallet data and reroute payments. The malware adds...
GreyVibe custom malware activity with LegionRelay, PhantomRelay, and FallSpy
Malware Activity
H score41
First: 29.05.2026 01:24
Last: 29.05.2026 01:24
Sources 1
About this happening:
**GREYVIBE** is a **Russian-speaking** malware activity targeting **Ukraine and Ukraine-related entities** since at least **August 2025**. The group uses **spear-phishing e-mails*...
GreyVibe custom malware activity with LegionRelay, PhantomRelay, and FallSpy
Malware ActivityAbout this happening: **GREYVIBE** is a **Russian-speaking** malware activity targeting **Ukraine and Ukraine-related entities** since at least **August 2025**. The group uses **spear-phishing e-mails*...
Vidar infostealer market rise and distribution expansion
Malware Activity
H score30
First: 28.04.2026 22:07
Last: 28.04.2026 22:07
Sources 1
About this happening:
**Vidar** remains a long-running **infostealer** threat, and **Aryaka** reported a fresh campaign in **recent weeks** that adds **new obfuscation techniques** and stronger **steal...
Vidar infostealer market rise and distribution expansion
Malware ActivityAbout this happening: **Vidar** remains a long-running **infostealer** threat, and **Aryaka** reported a fresh campaign in **recent weeks** that adds **new obfuscation techniques** and stronger **steal...
Timeline
-
17.11.2025 18:53 2 articles · 7mo ago
EVALUSION ClickFix campaigns deliver Amatera Stealer and NetSupport RAT
Initial DisclosureResearchers tracked EVALUSION campaigns that used ClickFix social engineering to deliver Amatera Stealer and stage NetSupport RAT on affected Windows systems. The payload chain used the Windows Run dialog, mshta.exe, PowerShell, MediaFire, PureCrypter, and MSBuild.exe, while Amatera was described as targeting crypto-wallets, browsers, messaging applications, FTP clients, and email services and using WoW64 SysCalls to evade sandboxes, antivirus tools, and EDR products.
Show sources
- New EVALUSION ClickFix Campaign Delivers Amatera Stealer and NetSupport RAT — thehackernews.com — 17.11.2025 18:53
- New EVALUSION ClickFix Campaign Delivers Amatera Stealer and NetSupport RAT — thehackernews.com — 17.11.2025 18:53