Amatera Stealer data-exfiltration and NetSupport RAT delivery
Malware Activity
Summary
Amatera Stealer is now being delivered through ClickFix phishing lures to steal data and stage NetSupport RAT, increasing risk to wallets, browsers, and email accounts. The malware uses mshta.exe, PowerShell, and MSBuild.exe to run a multi-step payload chain. The activity is significant because it combines credential theft, file targeting, and follow-on remote-control delivery in one infection path.
Related Happenings
Vidar infostealer market rise and distribution expansion
Malware Activity
First: 28.04.2026 22:07
Last: 28.04.2026 22:07
Sources 1
About this happening:
**Vidar** remains a long-running **infostealer** threat, and **Aryaka** reported a fresh campaign in **recent weeks** that adds **new obfuscation techniques** and stronger **steal...
STX RAT attempted deployment in financial services environment
Malware Activity
First: 09.04.2026 18:00
Last: 09.04.2026 18:00
Sources 1
About this happening:
A previously undocumented **STX RAT** attempted deployment in a **financial services environment** exposed a stealthy RAT with **credential theft** and **remote-control** capabili...
MIMICRAT (aka AstarionRAT) ClickFix-delivered RAT activity
Malware Activity
First: 20.02.2026 13:55
Last: 20.02.2026 13:55
Sources 1
About this happening:
The **MIMICRAT (aka AstarionRAT)** malware has been disclosed as a **ClickFix-delivered RAT** that enables **Windows token impersonation** and **SOCKS5 tunneling**, increasing the...
LummaStealer infection surge via CastleLoader
Malware Activity
First: 11.02.2026 19:02
Last: 11.02.2026 19:02
Sources 1
About this happening:
The **LummaStealer** infostealer operation now includes a **widespread ClickFix campaign** observed in **February 2026** that abuses **Windows Terminal (wt.exe)** instead of the R...
Latest development: 06.03.2026 08:44
Microsoft disclosed a widespread ClickFix social-engineering campaign that uses Windows Terminal (wt.exe) instead of the Windows Run dialog to trick users into launching malicious commands, then chains through Terminal, PowerShell, cmd.exe, and MSBuild.exe to download payloads, set persistence via scheduled tasks, configure Microsoft Defender exclusions, and inject Lumma Stealer into chrome.exe and msedge.exe with QueueUserAPC().
ClickFix fake CAPTCHA campaign delivering Amatera
Campaign
First: 26.01.2026 23:42
Last: 26.01.2026 23:42
Sources 1
About this happening:
A **ClickFix** campaign now uses a **fake CAPTCHA** and a signed **Microsoft App-V** script to deliver **Amatera** to **Windows** victims, raising the risk of credential theft and...
Timeline
- 17.11.2025 18:53 (2 articles)
EVALUSION ClickFix campaigns deliver Amatera Stealer and NetSupport RAT
  Initial Disclosure
  Researchers tracked EVALUSION campaigns that used ClickFix social engineering to deliver Amatera Stealer and stage NetSupport RAT on affected Windows systems. The payload chain used the Windows Run dialog, mshta.exe, PowerShell, MediaFire, PureCrypter, and MSBuild.exe, while Amatera was described as targeting crypto-wallets, browsers, messaging applications, FTP clients, and email services and using WoW64 SysCalls to evade sandboxes, antivirus tools, and EDR products.
  Sources:
- New EVALUSION ClickFix Campaign Delivers Amatera Stealer and NetSupport RAT — thehackernews.com — 17.11.2025 18:53