{
	"id": "100dca58-b48b-4d57-abe5-87b6bfdcc871",
	"created_at": "2026-04-06T00:09:01.804517Z",
	"updated_at": "2026-04-10T03:35:21.560531Z",
	"deleted_at": null,
	"sha1_hash": "e87844701ef2adf90506c0f75dcfdd1d22b67a9b",
	"title": "Amatera Stealer: Rebranded ACR Stealer With Improved Evasion, Sophistication | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4936575,
	"plain_text": "Amatera Stealer: Rebranded ACR Stealer With Improved Evasion,\r\nSophistication | Proofpoint US\r\nBy Jeremy Hedges, Tommy Madjar, and the Proofpoint Threat Research Team\r\nPublished: 2025-06-13 · Archived: 2026-04-05 18:08:30 UTC\r\nKey takeaways \r\nProofpoint identified a new, rebranded stealer based on ACR Stealer called Amatera Stealer.  \r\nIt is delivered via web injects featuring sophisticated attack chains. \r\nSignificant portions of code overlap with existing ACR Stealer analysis. \r\nAmatera Stealer, which is sold as a malware-as-a-service (MaaS), is actively in development. \r\nRecent updates to Amatera Stealer introduced interesting anti-analysis features, improving the\r\nsophistication of the malware. \r\nRecent builds of Amatera Stealer no longer use Steam/Telegram dead drops for command and control\r\n(C2). \r\nAs information stealers become increasingly popular across the landscape, identification, reverse\r\nengineering, and detection of such emerging threats is vital. \r\nOverview \r\nProofpoint has been closely monitoring a stealer malware formerly known as ACR Stealer. In 2025, Proofpoint\r\nanalysts identified a new, unnamed malware exhibiting significant code overlap, shared features, and capabilities\r\nwith ACR Stealer. Further investigation revealed that ACR Stealer was significantly updated and rebranded as\r\nAmatera Stealer. While Amatera Stealer retains the core of its predecessor, it has undergone enough development\r\nand enhancement to stand out as a distinct and noteworthy threat. \r\nhttps://www.proofpoint.com/us/blog/threat-insight/amatera-stealer-rebranded-acr-stealer-improved-evasion-sophistication\r\nPage 1 of 20\n\nFigure 1: Pricing information for Amatera Stealer from a publicly accessible panel. \r\nThe Amatera panels allow any visitor to create an account. After creating an account and signing in, it’s possible\r\nto purchase the service straight from the panel. 
Amatera is available for purchase via subscription plans that range\r\nfrom $199 per month to $1,499 for a year subscription. Like many malware-as-a-service (MaaS) offerings,\r\nAmatera customer service support is offered through Telegram messenger.  \r\nInterestingly, in July 2024, the ACR Support channel on Telegram announced the suspension of ACR Stealer sales,\r\nbut that it wasn't a goodbye from the team.  \r\nFigure 2: Post on ACR Stealer Telegram channel (left) and machine translation of the post (right).  \r\nThis was the final post in that channel, and in December 2024 the first public mentions and scans of the Amatera\r\nStealer panel surfaced online. This wouldn't be the first time the creator of this malware family has rebranded the\r\nstealer. According to reporting from Sekoia, it was likely previously sold under a different name linked to the\r\nGrMsk Stealer. \r\nInformation stealers, especially those sold as MaaS options, are very popular for cybercriminal threat actors. With\r\nthe disruption of Lumma Stealer, the most popular MaaS information stealer on the market, threat actors may be\r\nlooking for other options. It is likely Amatera Stealer will become more popular in the threat landscape as another\r\noption for threat actors.  \r\nCampaign analysis \r\nProofpoint observed Amatera Stealer distributed via ClearFake website injects in April and May 2025. ClearFake\r\nis a web inject activity cluster that compromises legitimate websites with malicious HTML and JavaScript.   \r\nIn the observed email-based campaigns, messages contained links to compromised websites. 
Although it’s likely\r\nneither the sender nor the site owner intended harm, the websites were compromised with a malicious injection.\r\nThis injection prompted the website to load a malicious script hosted on the blockchain via Binance’s Smart Chain\r\ncontracts, a technique referred to as “EtherHiding.” This then loaded a secondary script from a URL controlled by\r\nthe attacker. The functionality of the second script changes over time, but it is currently used to create an overlay\r\nof the compromised website to present a fake and localized CAPTCHA instructing users to verify they are human.\r\nThe full chain is described below. \r\nClearFake campaigns have led to Amatera Stealer as well as Lumma Stealer and Rhadamanthys. Third-party\r\nresearchers have also observed Amatera Stealer distributed via software cracks or fake software downloads.  \r\nClearFake update \r\nThe ClearFake cluster, known for compromising websites to trick users into executing malicious code, continues\r\nto demonstrate innovation. This cluster was among the earliest to adopt both the EtherHiding technique and the\r\nClickFix method, a term Proofpoint introduced in June 2024 detailing social engineering chains leveraging both\r\nclipboard access and the Windows Run dialog or PowerShell terminal. The ClickFix term has since been adopted\r\nindustry wide.  \r\nSince Proofpoint’s last update, ClearFake has continued to evolve its use of EtherHiding by adding new\r\nobfuscation layers, encryption, and staging logic to improve stealth and bypass defenses. As EtherHiding has been\r\nextensively covered by the research community, this blog focuses on a new ClickFix payload observed in May\r\n2025.  \r\nNotably, on May 16, there was a transaction to the current ClearFake smart chain contract, zeroing out the\r\npayload. This means that while many websites are still compromised, it will not lead to the ClickFix instruction,\r\nand the compromise can't be visually identified. 
Proofpoint has not determined the reason for the removal of the\r\npayload, but in practice, any of the compromised websites could start serving the malicious payload if the contract\r\nwas updated again. \r\nCampaign example \r\nIn the third week of May 2025, Proofpoint observed a notable ClearFake campaign leveraging the ClickFix\r\ntechnique leading to Amatera Stealer. When users visited a website compromised by ClearFake, the users were\r\npresented with a fake CAPTCHA, asking users to prove they are not a robot. This simple lure triggered the\r\nClickFix technique, where users were instructed to press Windows key + R to open an alleged “verification\r\nwindow”, but actually opened a Windows Run dialog box.  \r\nFigure 3: Fake CAPTCHA verification. \r\nThe next step instructed the user to press Ctrl+V, which pastes the command into the Windows Run dialog,\r\nfollowed by the final step of pressing Enter to run the command. The command observed: \r\nFigure 4: ClickFix PowerShell command.\r\nThis command uses PowerShell to download a malicious C# project file (.csproj) from a remote server using\r\nInvoke-RestMethod (irm), saves it to the temporary directory, and then executes it using msbuild.exe — a\r\nlegitimate .NET build tool included in Windows. \r\nFigure 5: Decoded second-stage payload. \r\nThe .csproj file contained obfuscated logic that reconstructs and runs another layer of Base64-encoded PowerShell\r\nusing the Exec task within the build process. \r\nWhen decoded, the second-stage payload revealed code like the following (reformatted for readability): \r\nFigure 6: Decoded payload URL invoking PowerShell. 
\r\nThis multilayered loader uses: \r\nWildcard matching (clike) to dynamically find method names. \r\nReflection and indirect method invocation to execute code without calling functions by name. \r\nThe obfuscated code above effectively resolves to the following: \r\nFigure 7: Payload URL \r\nThis third PowerShell script is again heavily obfuscated and uses XOR encoding to eventually run a script called\r\n“Early Bird + Context Hijack Injector x86/x64 PowerShell” which is well-documented with comments in the\r\nscript. The script first disables PowerShell logging and suppresses output by setting all preference variables (such\r\nas ErrorActionPreference, VerbosePreference, etc.) to SilentlyContinue and overriding built-in functions like\r\nWrite-Host. It then uses the open-source project Null-AMSI to bypass AMSI (AntiMalware Scan Interface) and\r\ndisable Event Tracing for Windows (ETW). \r\nFinally, the script performs a shellcode injection routine using a combination of Early Bird and Context Hijack\r\ntechniques. It begins with the Early Bird injection by launching a legitimate Windows process — OpenWith.exe\r\n— in a suspended state, meaning the process is created but not yet allowed to run.  \r\nThe script then downloads the shellcode from a remote server directly into memory via a variable, allocates\r\nexecutable memory inside the suspended process, and writes the shellcode into that space. \r\nNext, it uses context hijacking by retrieving and modifying the CPU context of the suspended thread —\r\nspecifically changing the instruction pointer (EIP) so that when the process is resumed, it begins executing the\r\ninjected shellcode instead of its original code. \r\nThe executed shellcode is believed, based on external research, to have been generated using the open-source\r\ntool Clematis. 
This shellcode ultimately runs Amatera Stealer. \r\nMalware analysis \r\nOverview \r\nAmatera Stealer is a stealer written in C++ which is actively being developed and maintained as a MaaS. The\r\nrebranded malware is equipped with new features, including improved stealer capabilities and evasion features\r\nused to circumvent detection. The second part of this blog explores several noteworthy developments in the\r\nmalware, including its use of NTSockets for command and control (C2), the adoption of direct WoW64 system\r\ncalls (Syscalls), and other recent changes in its behavior. \r\nMalware initialization \r\nThe Amatera Stealer samples observed by Proofpoint in May 2025 did not package the malware configuration\r\nwithin the binary itself. Instead, the malware initiates contact with its configured command and control (C2)\r\nserver via HTTP shortly after execution. The goal is to receive a response from the C2 with an encoded, JSON-formatted configuration used to determine the malware’s next actions. \r\nC2 initialization \r\nThe code used to initialize contact with the C2 at this stage leverages NTSockets by interfacing with the device\r\n“\\\\Device\\\\Afd\\\\Endpoint” directly, rather than using the Winsock library. Proofpoint believes the use of\r\nNTSockets is primarily to increase the stealthiness of the malware’s C2 communication. Interfacing directly with\r\nthe AFD device, as implemented by NTSockets, effectively bypasses almost all commonly used Windows\r\nnetworking APIs which many EDR and analysis tools rely on for visibility into HTTP requests. \r\nFigure 8: Pseudocode of Amatera Stealer’s implementation of the NTSocket CreateTcpSocket functionality. \r\nThe code in Figure 8 shows a partially defined structure used to set up the AFD endpoint to create a socket. 
The\r\nNTSockets project hardcodes this structure, but Proofpoint analysts note that it mostly aligns with the\r\nAFD_CREATE_PACKET structure defined in an UnknownCheats forum post. The forum post itself is clearly\r\ninspired by NTSockets. Interestingly, we found several similarities between code in this malware and the code\r\nfrom the UnknownCheats forum post — most notably with some socket helper functions, as well as the absence of\r\nthe CreateEvent API as implemented in NTSockets. \r\nAnother significant deviation from NTSockets is that the malware does not use DNS. Instead, the malware is\r\nprogrammed to reach out to its C2 by IP address. The IP address is not owned by the threat actor, but is a public\r\nContent Delivery Network (CDN) endpoint IP address. In this sample, the CDN is Cloudflare. After establishing a\r\nTCP connection, the malware will add a host header to the HTTP request with a hard-coded host name which has\r\nno DNS resolution. Figure 9 below denotes code in the malware which establishes a connection to the C2,\r\nfollowed by setup required to initiate an HTTP request. \r\nFigure 9: Pseudocode for C2 initialization and initial check-in. \r\nProofpoint believes this quirky C2 initialization is intentional. While investigating, it was noted that the hostname\r\nwasn’t resolvable with DNS and attempts to access the C2 using a browser were met with a Cloudflare intercepted\r\nresponse saying that Direct IP access to the webpage is disallowed. 
This buys the malware author a few benefits: \r\nSecurity Operations may be reluctant to block the IP address or alert on it, because it belongs to a\r\nlegitimate CDN (Cloudflare) that is also used by non-malicious websites \r\nThe domain name also can’t be blocked or alerted on through DNS monitoring, because there is no DNS\r\nlookup of the domain name \r\nNo need to implement UDP support using NTSockets \r\nAllows for an additional layer of protection (Cloudflare in this case) to prevent potential meddling from\r\nresearchers/analysts \r\nSamples of Amatera Stealer observed in May 2025 contain code which suggests new support for HTTPS requests,\r\nbut we have not yet observed this feature utilized by any samples within Proofpoint’s visibility. The code to\r\nsupport HTTPS requests is as follows: \r\nAcquireCredentialsHandleA (Using Microsoft Unified Security Protocol Provider) \r\nInitializeSecurityContextA (pszTargetName argument is hardcoded to amaprox[.]icu) \r\nEncryptMessage + DecryptMessage \r\nPivoting from the target name in the InitializeSecurityContextA API, Proofpoint analysts noted a response from an\r\nHTTP server which displayed a login page to the panel for Amatera Stealer. \r\nFigure 10: C2 Panel for Amatera Stealer. \r\nThrough hunting in VirusTotal, Proofpoint researchers discovered samples of Amatera Stealer that make use of\r\nthis HTTPS C2. One slight change in these samples is the malware no longer hardcodes amaprox[.]icu into the\r\npszTargetName argument of InitializeSecurityContextA, but it instead parses the previously created buffer of\r\nHTTP headers, extracting the hostname from the host header. 
\r\nDynamic API resolution and execution using WoW64 Syscalls \r\nAnother interesting feature that was not previously documented relative to this malware is its use of WoW64\r\nSyscalls. Similar in concept to Indirect Syscalls, this sample defines various functions that stage a Windows API\r\nto be resolved and executed dynamically. This method of calling Windows APIs was likely introduced to bypass\r\nuser-mode hooking techniques used by sandboxes and some EDR. Since NTSockets is exclusively using APIs\r\nfrom NTDLL, the malware can walk the Export Address Table of NTDLL to locate the functions it needs to\r\nexecute. To facilitate execution of the syscall of the desired API, the malware will extract the System Service\r\nNumber (SSN) by looking for the instruction “mov eax, imm32” which has the op code B8 \u003cdword for SSN\u003e. The\r\nmalware assumes the subsequent DWORD after the B8 opcode is the SSN for the desired API. \r\nThe general flow of these function stubs is as follows: \r\n1) Define a function stub in which: \r\nArgument 0 is the name of the function \r\nSubsequent arguments are passed to the function specified in argument 0 \r\n2) The function stub accesses the Process Environment Block (PEB) \r\n3) Gets the NTDLL Export Address Table (EAT) base address \r\n4) Searches for the requested function name, if found, it creates a hash of the function name using a modified\r\nversion of djb2 (see Figure 11 for implementation) \r\n5) It looks up the function by hash and saves off some information \r\nAddress of the function \r\nSSN of the function\r\n6) Stores the SSN in a global variable \r\n7) Calls WoW64Transition (call  large dword ptr fs:0C0h) \r\nFigure 11: Modified djb2 hashing function. \r\nFigures 12 - 16 show code responsible for resolving and calling an API call with 11 arguments. 
\r\nFigure 12: The stub for calling a WoW64 Syscall that requires 11 arguments.\r\nFigure 13: The function responsible for extracting the function address and SSN. \r\nFigure 14: The function that sets the SSN prior to calling the WoW64 Syscall. \r\nFigure 15: Disassembly of the function stub that calls the WoW64 Syscall. \r\nFigure 16: Disassembly of function stub for a system call with 11 arguments. \r\nCommand and control \r\nThe C2 for Amatera Stealer is largely the same as what was previously documented by AhnLab. One notable\r\nchange likely stems from the introduction of an HTTP-based C2 using NTSockets. The malware author appears to\r\ndirectly connect to a hardcoded C2 instead of the previously seen C2 method utilizing intermediary dead-drop\r\nresolvers such as Steam, Telegram, or Google Docs. The format of the C2 traffic remains unchanged, continuing\r\nto use Base64 encoded data which is then XOR encoded with a hardcoded key. Reversing this encoding yields a\r\nJSON blob which has the configuration for the malware. A recent addition to the malware configuration is a JSON\r\nkey named “ld” (the first character is a lowercase L, probably short for “load”), which is used to execute\r\nadditional payloads. \r\nFigure 17: Snippet of HTTP request/response for initial C2 check-in. \r\nFigure 18: Decoded configuration structure from C2 instructing the malware to execute additional payloads. 
\r\nThere are various JSON parsing functions in the malware’s entry point function that take an input of some small\r\nstrings which align exactly to the configuration keys that are given from the C2. Analyzing the code that accesses\r\nthe newly added ld key helps identify the specific JSON parsing function that handles this new functionality.\r\nFigure 19: JSON parsing for the second stage “loader” key. \r\nThe pseudocode in Figure 19 makes it evident that the tf key is used as a descriptor for a file type which applies\r\nthe correct file extension to add to the downloaded file. The JSON key tr appears to define what type of payload to\r\nrun. When the value is set to 1, the sample is executed using ShellExecuteA. If the value is set to 2, the payload is\r\nassumed to be a string passed into a PowerShell command line to be used with the DownloadString command and\r\nsubsequently executed with Invoke-Expression (IEX). Additionally, if the value is set to 1 and the file type is a\r\nPowerShell script, the malware will just run the payload with PowerShell using ShellExecuteA instead of running\r\nthe payload directly. \r\nMalware capabilities \r\nAmatera Stealer currently focuses on stealing information from installed software like browsers, crypto wallets\r\nand other software depending on what configuration options it receives from its C2. 
It accomplishes this by\r\nsearching the file system with glob-syntax search patterns using NtCreateFile and NtQueryDirectoryFile.\r\nProofpoint analysts note that most of the stealer feature set focuses on: \r\nStealing files on disk for file paths pertaining to software wallets \r\nStealing files on disk that match a specific extension or keyword \r\nStealing browser data relating to Cookies, Web Forms, Profile Data (web history) \r\nBypasses App Bound Encryption for Chrome-related browsers by injecting a shellcode into the browser\r\nwhich causes it to copy sensitive files to a location that can be exfiltrated by the malware \r\nStealing files relating to browser extensions: \r\nPassword Managers \r\nCrypto Wallets \r\nStealing files on disk relating to common email clients and connection management software (SSH/FTP) \r\nStealing files on disk relating to common messenger applications (Signal/WhatsApp/XMPP Clients/etc.) \r\nIn addition to the stealer functionalities, Amatera Stealer is also capable of running secondary payloads. It\r\ncurrently supports the following: \r\nDownloading and executing files with extensions of .exe, .cmd, .dll, and .ps1 using the ShellExecuteA\r\nWindows API \r\nDownloading and executing a .ps1 script using PowerShell’s DownloadString and executing it using\r\nInvoke-Expression (IEX) \r\nUpon completion of each function, the malware will submit a POST request with data that is collected by the\r\nfunction responsible for handling capabilities enabled from the initial configuration from the C2.  \r\nFigure 20: Pseudocode for a stealer module to exfiltrate data to the hardcoded C2. \r\nConclusion \r\nAmatera Stealer is actively undergoing improvements to make the malware stealthier from detection by automated\r\nanalysis as well as endpoint detection agents. By implementing NTSockets functionality to interface with its C2,\r\nthe malware is able to bypass almost all commonly used networking functions that are hooked by EDRs. 
Using\r\nWoW64 Syscalls may allow the malware to bypass analysis software which implements only user-mode API\r\nhooks. \r\nWhile the malware is undergoing active development to improve sophistication, it’s also being used by threat\r\nactors with clever attack chains featuring unusual obfuscation and filtering, as well as the ClickFix social\r\nengineering technique. Organizations should be aware of the entire attack chain and implement defenses against it,\r\nincluding educating users about common lure techniques by incorporating them into existing security training, and\r\nrestricting average users from running unauthorized PowerShell scripts.  \r\nET signatures \r\n2052674 - ET MALWARE ACR/Amatera Stealer CnC Checkin Attempt \r\n2062510 - ET MALWARE ACR/Amatera Stealer CnC Exfil (POST) M1 \r\n2062511 - ET MALWARE ACR/Amatera Stealer CnC Exfil (POST) M2 \r\nIOCs \r\nSHA256  Notes \r\n120316ecaf06b76a564ce42e11f7074c52df6d79b85d3526c5b4e9f362d2f1c2 \r\nAmatera Stealer: NTSockets\r\nusage, no HTTPS support, no\r\nsupport for second stage\r\nmalware \r\n7d91a585583f4aa1a3ab3cb808d7bc351d6140b3ae1deeef9d51c6414c11baea \r\nAmatera Stealer: NTSockets\r\nusage, HTTPS support \r\n35eb93548a0c037d392f870c05e0e9fb1aeff3a5a505e1d4a087f7465ed1f6af \r\nAmatera Stealer: NTSockets\r\nusage, HTTPS C2 \r\n2960d5f8a3d9b0a21d6b744092fe3089517ecf2e49169683f754bfe9800e3991 \r\nClearFake ClickFix csproj\r\npayload \r\nad9ffd624e27070092ff18a10e33fa9e2784b2c75ac9ac4540fa81cf5bd84e55 \r\nClearFake second stage\r\nPowerShell 
\r\n055a883f18ffcc413973fa45383e72e998aae87909af5f9507b6384bfec34a5b \r\nClearFake shellcode leading\r\nto Amatera \r\nIP Address  Notes \r\n104.21.80[.]1 \r\nAmatera C2, associated with\r\nhardcoded host\r\noverplanteasiest[.]top \r\n172.67.178[.]5 \r\nAmatera C2, associated with\r\nhardcoded host header\r\nbadnesspandemic[.]shop  \r\nDomain/URL  Notes \r\namaprox[.]icu \r\nAmatera Infrastructure for\r\nHTTPS security context\r\ninitialization \r\nb1[.]talismanoverblown[.]com \r\nAmatera Infrastructure for\r\nHTTPS security context\r\ninitialization and C2 \r\nhttps[:]//cv[.]cbrw[.]ru/t[.]csproj \r\nClearFake ClickFix csproj\r\npayload \r\nhttps[:]//tt[.]cbrw[.]ru/vb7to8[.]psd \r\nClearFake second stage\r\nPowerShell \r\nhttps[:]//cv[.]cbrw[.]ru/init1[.]bin \r\nClearFake shellcode leading\r\nto Amatera \r\nOther IOCs  Notes \r\n0x80d31D935f0EC978253A26D48B5593599B9542C7 \r\nClearFake smart contract\r\naddress on BNB Smart Chain\r\nTestnet \r\nSource: https://www.proofpoint.com/us/blog/threat-insight/amatera-stealer-rebranded-acr-stealer-improved-evasion-sophistication",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/amatera-stealer-rebranded-acr-stealer-improved-evasion-sophistication"
	],
	"report_names": [
		"amatera-stealer-rebranded-acr-stealer-improved-evasion-sophistication"
	],
	"threat_actors": [
		{
			"id": "2864e40a-f233-4618-ac61-b03760a41cbb",
			"created_at": "2023-12-01T02:02:34.272108Z",
			"updated_at": "2026-04-10T02:00:04.97558Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "ETDA:WildCard",
			"tools": [
				"RustDown",
				"SysJoker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e",
			"created_at": "2023-11-30T02:00:07.299845Z",
			"updated_at": "2026-04-10T02:00:03.484788Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "MISPGALAXY:WildCard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434141,
	"ts_updated_at": 1775792121,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e87844701ef2adf90506c0f75dcfdd1d22b67a9b.pdf",
		"text": "https://archive.orkl.eu/e87844701ef2adf90506c0f75dcfdd1d22b67a9b.txt",
		"img": "https://archive.orkl.eu/e87844701ef2adf90506c0f75dcfdd1d22b67a9b.jpg"
	}
}