EVALUSION ClickFix phishing campaign delivering Amatera Stealer and NetSupport RAT
Campaign
Summary
The EVALUSION campaign is using ClickFix lures to push Amatera Stealer and NetSupport RAT, raising the risk of credential theft and remote access. Victims are being tricked on bogus phishing pages into running malicious commands through the Windows Run dialog. The chain uses mshta.exe, PowerShell, and MediaFire to stage the payloads and inject them into MSBuild.exe. The operation matters because it selectively withholds NetSupport RAT unless the victim looks valuable, such as a domain machine or a system with crypto-wallet files.
Related Happenings
Formbook phishing campaign using DLL sideloading and obfuscated JavaScript
Campaign
First: 20.04.2026 18:01
Last: 20.04.2026 18:01
Sources 1
About this happening:
The **Formbook** phishing operation is targeting **Windows** organizations across **Greece, Spain, Slovenia, Bosnia, Croatia** and **South America**, using **DLL sideloading** and...
OAuth URL redirection phishing campaign targeting government and public-sector organizations
Campaign
First: 03.03.2026 11:20
Last: 03.03.2026 11:20
Sources 1
About this happening:
The **OAuth URL redirection** phishing campaign is targeting **government and public-sector organizations**, using attacker-controlled redirects to bypass normal **email** and **b...
MIMICRAT (aka AstarionRAT) ClickFix-delivered RAT activity
Malware Activity
First: 20.02.2026 13:55
Last: 20.02.2026 13:55
Sources 1
About this happening:
The **MIMICRAT (aka AstarionRAT)** malware has been disclosed as a **ClickFix-delivered RAT** that enables **Windows token impersonation** and **SOCKS5 tunneling**, increasing the...
Microsoft Entra device code phishing and vishing campaign
Campaign
First: 19.02.2026 14:30
Last: 19.02.2026 14:30
Sources 1
About this happening:
A **device code phishing campaign** is targeting **Microsoft 365 identities** through the **OAuth 2.0 device authorization flow**, letting attackers steal valid access tokens afte...
ClickFix DNS-based nslookup staging campaign
Campaign
First: 15.02.2026 16:10
Last: 15.02.2026 16:10
Sources 1
About this happening:
The **ClickFix** campaign has added **DNS-based staging** that uses **nslookup** in the **Windows Run dialog** to fetch and run a second-stage payload, making malicious execution...
Timeline
- 17.11.2025 18:53 2 articles · 6mo ago
EVALUSION ClickFix campaign deploys Amatera Stealer and NetSupport RAT
Initial Disclosure
Cybersecurity researchers tracked EVALUSION as a ClickFix phishing campaign that tricks users on bogus verification pages into using the Windows Run dialog, then chains mshta.exe and PowerShell to download a .NET payload from MediaFire, pack Amatera Stealer with PureCrypter, inject the DLL into MSBuild.exe, and conditionally fetch NetSupport RAT when the victim machine appears valuable, such as a domain system or a host with crypto-wallet files.
Sources
- New EVALUSION ClickFix Campaign Delivers Amatera Stealer and NetSupport RAT — thehackernews.com — 17.11.2025 18:53