EVALUSION ClickFix Campaign Spreads Amatera Stealer and RAT

I’m thrilled to sit down with Malik Haidar, a renowned cybersecurity expert whose extensive experience spans analytics, intelligence, and security within multinational corporations. With a unique ability to blend business perspectives into cybersecurity strategies, Malik has been at the forefront of defending against sophisticated threats and hackers. Today, we’ll dive into the alarming rise of the EVALUSION ClickFix campaign, explore the dangers posed by malware like Amatera Stealer and NetSupport RAT, and unpack the evolving tactics cybercriminals use to exploit unsuspecting users. Let’s get started.

Can you explain what the EVALUSION ClickFix campaign is and why it’s such a pressing concern in the cybersecurity world?

Absolutely, Alison. The EVALUSION ClickFix campaign is a sophisticated social engineering scheme that tricks users into executing malicious commands, often through seemingly harmless prompts like a fake reCAPTCHA verification. It’s a concern because it bypasses traditional security awareness by exploiting human curiosity and trust. Users are led to open the Windows Run dialog and input commands that unleash malware like Amatera Stealer and NetSupport RAT. What makes it particularly dangerous is how it leverages everyday tools and behaviors, making it hard to detect until the damage is done.

What is it about the ClickFix social engineering tactic that makes it so effective at deceiving users?

The effectiveness of ClickFix lies in its simplicity and familiarity. It often mimics legitimate processes, like a CAPTCHA check on a website, which most users associate with security. By presenting a fake error or verification prompt, it creates a sense of urgency or necessity. Then, it guides users to copy and paste a command into the Windows Run dialog—a tool most people don’t think twice about using. This blend of psychological manipulation and technical trickery makes it incredibly deceptive, even for tech-savvy individuals.

Could you break down the two main malware types involved in this campaign, Amatera Stealer and NetSupport RAT, and explain their specific threats?

Sure. Amatera Stealer is a data-harvesting tool designed to steal sensitive information, focusing on things like cryptocurrency wallets, browser data, messaging app credentials, and email accounts. Its ability to target such a wide range of personal and financial data makes it a severe threat to both individuals and businesses. NetSupport RAT, on the other hand, is a remote access tool that gives attackers full control over an infected system. Once installed, it can be used for espionage, data theft, or even to deploy additional malware. Together, they create a devastating one-two punch: Amatera steals the data, and NetSupport ensures the attacker can keep exploiting the victim.

Let’s dive deeper into Amatera Stealer. What kind of data does it prioritize, and why should victims be so worried about that?

Amatera Stealer is laser-focused on high-value data. It goes after cryptocurrency wallets, which can lead to immediate financial loss, as well as browser information like saved passwords and cookies, which can be used for identity theft or account takeovers. It also targets messaging apps and email services, potentially exposing private communications or business secrets. The worry for victims is not just the initial theft but the ripple effects—stolen credentials can be sold on the dark web or used for further attacks, making recovery a long and painful process.

How does NetSupport RAT amplify the danger once it’s on a system?

NetSupport RAT is essentially a backdoor into a victim’s machine. Once it’s installed, attackers can remotely monitor activities, steal more data, or manipulate the system in real-time. It’s particularly dangerous because it can be selective—in this campaign, it’s often only downloaded if the system is part of a domain or has valuable files like crypto wallets. This shows a level of sophistication where attackers prioritize high-impact targets. The ability to maintain persistent access means they can cause ongoing harm, often without the victim noticing until it’s too late.

I understand Amatera Stealer evolved from something called ACR Stealer. Can you shed some light on that connection and what’s changed?

Yes, Amatera is considered a direct descendant of ACR Stealer, also known as AcridRain, which was sold as a Malware-as-a-Service until its sales were halted in mid-2024. The evolution likely involved refining its capabilities and evasion techniques. Amatera seems to have improved data exfiltration features, targeting a broader range of applications, and incorporates advanced methods to dodge detection, like using WoW64 SysCalls to bypass security tools. This shows how malware developers iterate on their products, much like legitimate software companies, to stay ahead of defenders.

Speaking of Malware-as-a-Service, Amatera’s subscription plans range from $199 a month to $1,499 a year. What does this pricing reveal about the business model behind such threats?

This pricing structure highlights how cybercrime has become a full-fledged industry. Offering subscriptions makes malware accessible to a wider range of criminals, from low-level scammers to organized groups, without requiring deep technical expertise. The tiered pricing likely reflects different levels of support, updates, or features, mirroring legitimate software-as-a-service models. It’s a stark reminder that malware development isn’t just a hobby for some—it’s a profitable business designed to scale, with customer service and all.

Can you walk me through the step-by-step process of how a ClickFix attack unfolds to infect a user’s system?

Of course. It starts with a phishing page or compromised website displaying a fake prompt, often mimicking a CAPTCHA or security check. The user is instructed to open the Windows Run dialog—usually with a simple keyboard shortcut—and paste a malicious command. This command triggers a tool like “mshta.exe” to run a PowerShell script, which downloads a .NET payload, often from a file-hosting service. That payload, typically Amatera Stealer, is then injected into a process like “MSBuild.exe” to harvest data. If the system meets certain criteria, like having crypto wallets, a secondary payload like NetSupport RAT is fetched and executed via another PowerShell command. It’s a multi-layered attack designed to evade detection at every step.

Amatera uses advanced evasion techniques like WoW64 SysCalls. Can you explain what that means in simpler terms and why it’s a problem?

Sure. WoW64 SysCalls are a way for 32-bit applications to interact with a 64-bit operating system at a very low level. Amatera uses this technique to bypass common security measures like user-mode hooking, which many antivirus programs and endpoint detection tools rely on to spot malicious behavior. By operating under the radar of these defenses, it can execute its tasks without triggering alarms. It’s a problem because it shows how malware authors are continuously finding ways to exploit the complexities of modern systems, making detection and prevention much harder for security teams.

What is your forecast for the future of social engineering campaigns like ClickFix and the malware they deliver?

I think we’re going to see social engineering tactics like ClickFix become even more personalized and context-aware. Attackers will likely leverage AI to craft more convincing lures tailored to specific industries or even individuals, using data scraped from social media or past breaches. As for the malware, the Malware-as-a-Service model will continue to lower the barrier to entry, meaning more attackers can deploy sophisticated tools like Amatera or NetSupport RAT. On the flip side, I expect security solutions to adapt by focusing on behavior-based detection and user education, but it’s going to be a constant cat-and-mouse game. Staying ahead will require vigilance and innovation on all fronts.
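As an added example (not part of the interview and not the campaign's own code), the following Python flags the process lineage described above for defenders: the Run dialog (explorer.exe) spawning mshta.exe, then PowerShell, then MSBuild.exe as the injection host, plus the second PowerShell that the injected MSBuild launches to fetch NetSupport RAT. It runs over constructed Sysmon-style process-creation events; the JSON field names and pids are assumptions.

```python
"""Detect the ClickFix process lineage (Run dialog -> mshta.exe -> PowerShell
-> MSBuild.exe) in process-creation telemetry. Added example; the event
format is a constructed, Sysmon-like JSON subset, not real telemetry."""
import json

# Constructed sample events: a benign MSBuild run launched by Visual Studio
# (devenv.exe) and a ClickFix chain launched from the Run dialog (explorer.exe).
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"pid": 100, "ppid": 1, "image": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "devenv.exe"},
    {"pid": 201, "ppid": 200, "image": "MSBuild.exe"},
    {"pid": 300, "ppid": 100, "image": "mshta.exe"},
    {"pid": 301, "ppid": 300, "image": "powershell.exe"},
    {"pid": 302, "ppid": 301, "image": "MSBuild.exe"},      # injected stealer host
    {"pid": 303, "ppid": 302, "image": "powershell.exe"},   # second-stage fetch
])

# Stages of the chain, from the user's Run dialog down to the injection host.
CHAIN = ("explorer.exe", "mshta.exe", "powershell.exe", "msbuild.exe")

def parse_events(text):
    """Index JSON-lines process-creation events by pid."""
    return {e["pid"]: e for e in (json.loads(l) for l in text.splitlines() if l.strip())}

def lineage(procs, pid, depth=6):
    """Image names from the oldest known ancestor down to pid, lowercased."""
    chain = []
    while pid in procs and depth > 0:
        chain.append(procs[pid]["image"].lower())
        pid = procs[pid]["ppid"]
        depth -= 1
    return chain[::-1]

def find_clickfix_chains(text):
    """Return (stage1, stage2): pids of MSBuild.exe reached via the full
    explorer->mshta->powershell chain, and pids of PowerShell spawned by such
    an MSBuild.exe (the conditional NetSupport RAT download)."""
    procs = parse_events(text)
    stage1, stage2 = [], []
    for pid in procs:
        lin = lineage(procs, pid)
        if tuple(lin[-4:]) == CHAIN:
            stage1.append(pid)
        elif tuple(lin[-5:-1]) == CHAIN and lin[-1] == "powershell.exe":
            stage2.append(pid)
    return stage1, stage2

if __name__ == "__main__":
    print(find_clickfix_chains(SAMPLE_EVENTS))  # ([302], [303])
```

The benign devenv.exe -> MSBuild.exe run is not flagged, which is the point of matching the whole lineage rather than alerting on MSBuild.exe alone.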
