All news with #amatera stealer tag

EVALUSION ClickFix Campaign Delivers Amatera, NetSupport

🔒 Researchers identified a ClickFix-based EVALUSION campaign deploying Amatera Stealer and NetSupport RAT, observed in November 2025. The campaign abuses the Windows Run dialog and mshta.exe to launch a PowerShell script that downloads a .NET DLL hosted on MediaFire; the Amatera DLL, packed with PureCrypter, is injected into MSBuild.exe to exfiltrate data. eSentire highlights Amatera's WoW64 SysCalls evasion and conditional NetSupport deployment when domain membership or valuable files are detected.

Researchers Expose SVG and PureRAT Phishing Threats

📧 Fortinet FortiGuard Labs and other researchers detailed phishing campaigns that weaponize malicious SVG attachments to initiate downloads of password-protected ZIP archives and Compiled HTML Help (CHM) files. Those CHM files activate loader chains that deliver CountLoader as a distribution stage for Amatera Stealer and the stealthy .NET miner PureMiner, both run filelessly via .NET AOT and memory-loading techniques. Separately, Huntress attributes a Vietnamese-speaking operator using copyright-themed lures that escalate from PXA Stealer to the modular backdoor PureRAT.

SVG Phishing Targets Ukraine with Amatera Stealer, PureMiner

⚠️ FortiGuard Labs observed a targeted phishing campaign impersonating Ukrainian authorities that used malicious SVG attachments to initiate a fileless infection chain. The SVG redirected victims to a password-protected archive containing a CHM that executed a hidden HTA loader (CountLoader). The loader retrieved and ran in-memory payloads, deploying Amatera Stealer for data theft and PureMiner for cryptomining.