Thursday November 27, 2025

Advisory ID: NCC-CSIRT-2025-026

Summary: 

Security researchers (eSentire, The Hacker News coverage) have identified a November 2025 campaign, tracked as EVALUSION, that uses the ClickFix social-engineering technique to trick users into executing commands which lead to the installation of the Amatera Stealer (packed with PureCrypter) and the follow-on deployment of NetSupport RAT. The attack chain injects a packed Amatera DLL into MSBuild.exe, harvests browser and wallet data, then executes PowerShell to fetch and run NetSupport for persistent remote access.

Damage/Probability: High/High

Indicators of Compromise (IOCs): 

IOCs change rapidly. Pull up-to-date lists from vendor CTI and your telemetry before actioning.

  • explorer.exe (the Windows Run box) spawning msbuild.exe, into which the packed DLL is subsequently injected.
  • Unknown DLLs loaded into msbuild.exe or other trusted developer processes.
  • PureCrypter artifacts and PowerShell one-liners contacting suspicious domains.
  • NetSupport RAT beacons or console connections to unknown endpoints.
  • Outbound connections to vendor-flagged malicious download/C2 domains.

Product(s): 

  • Microsoft Windows endpoints (workstations and servers)
  • Browsers and browser-stored credentials (Chrome, Edge, Firefox) and password managers
  • NetSupport RAT (remote access tooling abused as payload)
  • Amatera Stealer (infostealer family) and PureCrypter (loader/crypter)

Version(s): 

Not version-specific: the campaign affects any Windows system where a user executes the staged payloads; detection and remediation depend on endpoint protections and configuration.

Platform(s): 

  • Enterprise and unmanaged Windows hosts
  • Remote workers’ machines
  • Environments where MSBuild.exe and PowerShell are allowed to run

Description: 

The campaign begins with phishing, malvertising, or compromised pages that present a ClickFix-style visual or instruction prompting the user to run a command, typically via the Windows Run box or a similarly trivial user action. ClickFix is an interactive social-engineering technique designed to coax users into executing commands that would normally be blocked or inspected. Once the user follows the prompt, the chain drops a PureCrypter-packed Amatera DLL, which the actor injects into MSBuild.exe to evade detection. The stealer harvests browser credentials, cookies, crypto wallets and system artifacts, then executes a PowerShell stage that downloads and installs NetSupport RAT, giving the attacker remote control of the host.

Threat Types: 

  • Infostealer (Amatera): credential, cookie and crypto-wallet harvesting.
  • Remote Access Trojan (NetSupport): full remote control and lateral movement.
  • Social-engineering vector: ClickFix (interactive user trick that bypasses some security controls).
  • Crypter/loader use (PureCrypter) to evade detection. (Proofpoint)

Impacts: 

  • Theft of browser passwords, cookies, form data, and crypto wallets.
  • NetSupport RAT enables remote access and data exfiltration.
  • Crypter packing and DLL injection evade signature-based detection.
  • Unmanaged endpoints with corporate resources increase operational risk.

Solutions:  

NCC-CSIRT recommends the following mitigation steps:

  • Hunt msbuild.exe for unknown loaded DLLs or unusual parent/child process chains.
  • Monitor PowerShell for download-and-execute patterns or encoded scripts.
  • Check browser processes for unexpected child processes or credential-store access.
  • Block and alert on domains/IPs linked to PureCrypter, Amatera, and NetSupport.
  • Sandbox suspicious attachments/pages with interactive Run patterns.
  • Quarantine endpoints and block known malicious domains from CTI feeds.
  • Enforce execution controls: restrict msbuild.exe, constrain PowerShell, block unsigned scripts.
  • Rotate credentials, force reauthentication, and reset MFA if compromised.
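The three process-focused hunts in the list above (unusual msbuild.exe parent, unknown DLL loaded into msbuild.exe, PowerShell download-execute or encoded command lines), and the matching IOCs earlier in this advisory, expressed as detection logic run over constructed Sysmon-style records. This is an added example, not the advisory's or any vendor's code; the sample records, the expected-parent set and the user-writable path list are assumptions to tune for your own estate.

```python
import re
from ntpath import basename  # handles Windows paths on any host

# Constructed Sysmon-style records (not from the advisory): id 1 = process create, id 7 = image load.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\explorer.exe", "parent": r"C:\Windows\System32\userinit.exe",
     "cmd": "explorer.exe"},
    {"id": 1, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent": r"C:\Windows\explorer.exe", "cmd": "MSBuild.exe"},
    {"id": 7, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "loaded": r"C:\Users\alice\AppData\Roaming\update.dll", "signed": False},
    {"id": 7, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll", "signed": True},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmd": "powershell -nop -w hidden -enc <constructed-base64>"},
    {"id": 1, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "cmd": "MSBuild.exe proj.csproj"},
]

# Assumed benign parents for msbuild.exe on a developer workstation; explorer.exe (Run box) is not one.
EXPECTED_MSBUILD_PARENTS = {"devenv.exe", "dotnet.exe", "msbuild.exe"}
# Assumed user-writable locations from which a trusted build process should not load DLLs.
USER_WRITABLE = re.compile(r"^c:\\(users|programdata|windows\\temp)\\", re.I)
# Download-and-execute and encoded-command markers in PowerShell command lines.
PS_DOWNLOAD_EXEC = re.compile(
    r"(-e(nc|ncodedcommand)?\s|downloadstring|downloadfile|invoke-webrequest|\biwr\b|"
    r"net\.webclient|\biex\b|invoke-expression|start-bitstransfer)", re.I)

def triage(events):
    """Return (rule, detail) hits for the three hunts, in event order."""
    hits = []
    for e in events:
        img = basename(e["image"]).lower()
        if e["id"] == 1:
            parent = basename(e["parent"]).lower()
            if img == "msbuild.exe" and parent not in EXPECTED_MSBUILD_PARENTS:
                hits.append(("msbuild_unusual_parent", f"{parent} -> {img}"))
            if img in ("powershell.exe", "pwsh.exe") and PS_DOWNLOAD_EXEC.search(e["cmd"]):
                hits.append(("powershell_download_exec", e["cmd"]))
        elif e["id"] == 7 and img == "msbuild.exe":
            if not e["signed"] or USER_WRITABLE.search(e["loaded"]):
                hits.append(("msbuild_unknown_dll", e["loaded"]))
    return hits

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The devenv.exe-parented build and the signed System32 load produce no hits, so the rules separate the advisory's chain from ordinary developer activity.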

References: