Find notable cyber news and cases, enriched with sources, timelines, and signals.

EVALUSION ClickFix phishing campaign delivering Amatera Stealer and NetSupport RAT

Campaign
First reported
Last updated
Happening score
H score 34
1 unique sources, 1 articles

Summary

Hide ▲

The EVALUSION campaign is using ClickFix lures to push Amatera Stealer and NetSupport RAT, raising the risk of credential theft and remote access. Victims are being tricked on bogus phishing pages into running malicious commands through the Windows Run dialog. The chain uses mshta.exe, PowerShell, and MediaFire to stage the payloads and inject them into MSBuild.exe. The operation matters because it selectively withholds NetSupport RAT unless the victim looks valuable, such as a domain machine or a system with crypto-wallet files.

Related Happenings

Microsoft AutoGen Studio AutoJack MCP WebSocket command execution security flaw

Vulnerability
H score33 First: 22.06.2026 20:28 Last: 22.06.2026 20:28 Sources 1

About this happening: Microsoft’s **AutoJack** chain exposed **AutoGen Studio** to **arbitrary command execution** for developers building from the main GitHub branch before the hardening commit.

Windows cryptocurrency clipper campaign targeting users via USB LNK worms

Campaign
H score32 First: 18.06.2026 17:30 Last: 18.06.2026 17:30 Sources 1

About this happening: A **Windows cryptocurrency clipper campaign** is actively targeting users since **February 2026**, putting clipboard data, wallet addresses, and seed phrases at risk. The operatio...

Formbook phishing campaign using DLL sideloading and obfuscated JavaScript

Campaign
H score30 First: 20.04.2026 18:01 Last: 20.04.2026 18:01 Sources 1

About this happening: The **Formbook** phishing operation is targeting **Windows** organizations across **Greece, Spain, Slovenia, Bosnia, Croatia** and **South America**, using **DLL sideloading** and...

OAuth URL redirection phishing campaign targeting government and public-sector organizations

Campaign
H score33 First: 03.03.2026 11:20 Last: 03.03.2026 11:20 Sources 1

About this happening: The **OAuth URL redirection** phishing campaign is targeting **government and public-sector organizations**, using attacker-controlled redirects to bypass normal **email** and **b...

MIMICRAT (aka AstarionRAT) ClickFix-delivered RAT activity

Malware Activity
H score22 First: 20.02.2026 13:55 Last: 20.02.2026 13:55 Sources 1

About this happening: The **MIMICRAT (aka AstarionRAT)** malware has been disclosed as a **ClickFix-delivered RAT** that enables **Windows token impersonation** and **SOCKS5 tunneling**, increasing the...

Timeline

  1. 17.11.2025 18:53 2 articles · 7mo ago

    EVALUSION ClickFix campaign deploys Amatera Stealer and NetSupport RAT

    Initial Disclosure

    Cybersecurity researchers tracked EVALUSION as a ClickFix phishing campaign that tricks users on bogus verification pages into using the Windows Run dialog, then chains mshta.exe and PowerShell to download a .NET payload from MediaFire, pack Amatera Stealer with PureCrypter, inject the DLL into MSBuild.exe, and conditionally fetch NetSupport RAT when the victim machine appears valuable, such as a domain system or a host with crypto-wallet files.

    Show sources