The cybersecurity firm Proofpoint has uncovered a rebranded and significantly enhanced information stealer which is now named Amatera Stealer. This new malware is directly derived from the previously known malware that was called the ACR Stealer by security researchers. First identified in early 2025, this malware exhibits substantial code overlap with its predecessor but introduces many advanced features. Amatera Stealer is actively sold as a Malware-as-a-Service, also widely known in the industry as MaaS, on underground forums. Its subscription plans range from $199 per month for access up to $1,499 for an annual subscription plan for cybercriminals. Its emergence follows the suspension of ACR Stealer sales.
Amatera Stealer is primarily distributed through very intricate and also deceptive web injection malware campaigns targeting many different users. It is notably distributed via the well-known ClearFake cluster, which is known for compromising many legitimate websites with malicious code. These campaigns leverage advanced techniques like EtherHiding, using Binance Smart Chain contracts to host their various malicious scripts for deployment. They also use ClickFix, which is a social engineering method that tricks users into executing various different malicious commands. These deceptive lures prompt users to open the Windows Run dialog and then paste malicious PowerShell commands to execute them. This ultimately deploys the stealer through multilayered loaders.
On the technical front, the Amatera Stealer malware employs NTSockets for all of its command and control (C2) communication.
This particular technique successfully bypasses standard Windows networking APIs, which greatly enhances its overall operational stealth and evasion capabilities. It also uses what are known as WoW64 Syscalls to dynamically resolve and then execute various APIs from the Windows operating system. This specific method helps it to effectively evade user-mode hooks that are commonly employed by many endpoint detection and response (EDR) tools.
The malware also connects to C2 servers via hardcoded IP addresses that are linked to legitimate content delivery networks like Cloudflare.
The malware’s data stealing capabilities are quite extensive, focusing on stealing sensitive data from browsers, cryptocurrency wallets, and email clients. It also supports secondary payload execution for any further system exploitation after the initial successful compromise has already occurred. Its command and control configuration is delivered as JSON blobs, which enables dynamic behavior adjustment by all of its operators. As Amatera Stealer continues to evolve with new features like potential HTTPS support for its command and control C2 interactions. Its ability to bypass detection through obfuscation, encryption, and innovative delivery methods poses a very significant challenge to cybersecurity defenses. Organizations are urged to bolster user training.
