Cybersecurity group eSentire has uncovered the use of fake CAPTCHA-style pop-ups to trick victims into deploying credential-harvesting malware, Amatera Stealer, and NETSupport RAT by abusing a method known as ClickFix.

eSentire’s Threat Response Unit (TRU) has been tracking an escalation in campaigns abusing ClickFix to gain initial access to targeted systems in November. According to the TRU, threat actors use the method to socially engineer victims into running malicious commands manually through the Windows Run prompt. 

Once executed, those commands launch an infection chain that ends with the deployment of Amatera Stealer and NetSupport RAT, both legitimate remote monitoring tools that have been repurposed by cybercriminals for unauthorized remote access.

ClickFix campaign uses reCAPTCHA to sneak malware in

Per eSentire’s research published last Thursday, hackers are luring victims using fake websites and pop-ups that look like “security checks,” including fraudulent reCAPTCHA verification boxes and counterfeit Cloudflare Turnstile pages. 

The deceptive interfaces prompt users to “fix” a supposed issue, with the instructions causing them to execute harmful commands without seeing the risks. Once the initial command is run, Amatera Stealer is delivered first, followed by the installation of NetSupport Manager, which allows hackers to monitor and control the compromised machine as though they were physically present.

Amatera Stealer is not an entirely new threat but the latest evolution of ACR Stealer, also known as AcridRain. The earlier version first appeared as a malware-as-a-service product on hacker forums in 2024, which several users deployed through subscription packages.

Sales of ACR were paused in mid-2024 when its developer, known online as SheldIO, sold the malware’s source code. Despite the sale announcement, the group said it was “not the end” of its development. Researchers now believe Amatera is the direct successor to ACR, rebuilt with more capabilities and new evasion techniques.

Amatera, spotted by security auditing firm Proofpoint in June, is available on a subscription basis from $199 per month to $1,499 annually.

“Amatera provides threat actors with extensive data exfiltration capabilities targeting crypto-wallets, browsers, messaging applications, FTP clients, and email services. It employs advanced evasion strategies like WoW64 SysCalls to circumvent user-mode hooking mechanisms used by sandboxes, Anti-Virus solutions, and EDR products,” eSentire said.

The malware is written in C++ and is capable of harvesting saved passwords, card details, browsing histories, and files from browsers like Chrome, Brave, Edge, Opera, Firefox, and specialized platforms such as Tor Browser and Thunderbird. 

Multi-stage Windows PowerShell loaders hiding malware

According to eSentire’s threat analysis, the Amatera’s infection process is built on several layers of obfuscated PowerShell commands. 

TRU researchers saw one phase decrypting subsequent payloads using an XOR process on the string “AMSI_RESULT_NOT_DETECTED,” a term associated with Microsoft’s Anti-Malware Scan Interface. The loader’s developer could have selected the phrase intentionally to confuse researchers conducting dynamic analysis.

While Amatera is the most common payload delivered in these campaigns, eSentire also documented cases where the same loader was used to deploy other infostealers, including Lumma and Vidar. Some samples lacked configuration parameters needed to run multi-stage loaders, in which hackers chose to deploy NetSupport Manager directly instead.

eSentire and other security firms have documented email campaigns distributing Visual Basic Script files disguised as invoices. When opened, the files executed batch scripts that initiated PowerShell loaders delivering XWorm.

Other campaigns involved compromised websites that redirected visitors to fake Cloudflare verification pages, which mimic ClickFix prompts. This activity has been tied to an operation known by names including SmartApeSG, HANEYMANEY, and ZPHP, all coming with NetSupport RAT as their final payload.

Hackers had built fraudulent Booking.com websites that hosted counterfeit CAPTCHA checks, instructing users to open the Windows Run dialog and execute a command, and directly installing a credential-stealing script onto infected systems.

Some of the phishing campaigns connected to these malware deliveries are using a new phishing kit known as Cephas. Cephas, according to cybersecurity solutions firm Barracuda, uses an advanced obfuscation method that inserts invisible characters into the source code of phishing pages, difficult for automated scanners to detect.

“The kit obscures its code by creating random invisible characters within the source code that help it evade anti-phishing scanners and obstruct signature-based YARA rules from matching the exact phishing methods,” Barracuda wrote in its analysis last week.

Get up to $30,050 in trading rewards when you join Bybit today